Category Archives: Security

Google Refunds Users Who Bought “Virus Shield”

A couple of weeks ago, an app called Virus Shield was released into the Play Store and almost immediately jumped to the top of the paid app list with over 10,000 downloads. The app boasts the ability to “prevent harmful apps from being installed on your device”, can “scan apps, settings, files and media in real time” and “protects your personal information”, with “low impact on battery life”, all for a price of USD$3.99. Sounds good, doesn’t it? That was what those 10,000 users who downloaded it thought, but unfortunately it is a fake app that does absolutely nothing at all. Google was informed about the problem and, on top of refunding users the $3.99 they spent on the app, the company is also offering an extra $5 credit to affected users.

When the app crawled its way to the top spot, Android Police decided to do some investigation and found that all the app does is change from an “X” image to a “check” image after a single tap. Google acted quickly to remove the app from the Play Store just hours after Android Police published their findings, and is now refunding users and giving them extra Play Store credit as well.

“Hello, We’re reaching out to you because you recently purchased the “Virus Shield” app on Google Play. This app made the false claim that it provided one-click virus protection; in reality, it did not. Google Play’s policies strictly prohibit false claims like these, and in light of this, we’re refunding you for your “Virus Shield” purchase. You should see funds returned to your account within the next 14 days. Additionally we’d like to offer you $5 promotional credit, which can be used to purchase digital content on Google Play such as apps, games, books, music and movies. Your credit redemption code is XXXXXXXXXXXXXXX. Click or tap here to redeem. For help redeeming, please visit our Help Center. We’re sorry for any inconvenience this may have caused; rest assured that we’re always working to make Google Play better for our users.”

As for the developer who made thousands of dollars for nothing, in an interview with The Guardian, they claim that Virus Shield was a “foolish mistake” and was mistakenly uploaded without the antivirus code. So how did an “empty” app get all the positive reviews and be updated from version 1.0 to 2.2 without the developer realizing that it in fact did nothing at all? I guess we’ll just have to wait and see. Meanwhile, the next time you download an app, especially a paid one, make sure you do proper research on it first and don’t end up exposing your entire device to the developer.

Posted by on May 21, 2014 in Security


Internet Grows, What Is Our Responsibility?

The internet feels very much like an extension of my home. My own little corner of the internet is very much like the TARDIS: bigger on the inside than on the outside. Games, pictures, documents, notes, and friends all reside within a digital space that is both easy to access and conveniently does not fill up my shelves with junk. Unfortunately, the last week has pointed out that while the internet feels like home, many of us still leave the front door open.

I highly doubt anyone has managed to miss the news of the Heartbleed bug. The massive flaw in OpenSSL allows hackers to retrieve information from servers running this cryptography software. Mostly it means stealing passwords and other information that will allow access to accounts, making it easier to steal more information. Heartbleed itself is simply another symptom of a larger problem, one that will only grow with time.

Security companies often point out the threat of malware and what it can do to damage us. Not a week goes by without one of the many antivirus and security vendors issuing a press release about the number of threats they have uncovered, or the name of the latest piece of malware that has been discovered. Those stories pale in comparison with the more recent NSA spying scandal, where the United States government has been accused of spying on individuals across the globe. Malaysians were not spared from this network of intelligence gathering, and yet the issue is all but forgotten. Both malicious hackers and government cyberwarfare units are generally after the same thing: information. While it is common for some of us to say that we have nothing to hide or that our information has no value to anyone else, the truth is that it is more about protecting our own privacy and personal space.

To be fair to the professionals who worked on correcting the Heartbleed bug and other less notorious vulnerabilities, nobody will be able to catch all the flaws in the code, especially in a project with limited resources like the open source OpenSSL, which relies on contributors and volunteers. The main issue at this point is convincing people to take their own security seriously. Most of the tech-savvy community will have undoubtedly taken steps to change passwords that need to be changed. But even if this happens, how many of us use the same password for multiple sites? A single vulnerability exposes many accounts, whether or not they were involved in the original problem. While many Malaysian banking sites were not directly affected by Heartbleed, it wouldn’t be too difficult to imagine that at least some of the passwords used to access bank accounts would be reused on another site that was affected, which means that changing one password still leaves other accounts vulnerable.

There is some talk about doing away with passwords and using newer technology to help overcome the weaknesses inherent in using an alphanumeric string. However, that is not to say that using biometrics will be any safer. After all, these are still people writing the code, and people will not be able to account for every eventuality. Two-stage authentication combined with multiple secure passwords is possibly the bare minimum required from internet users, although the extra step that goes into accessing an account tends to cause users to avoid the hassle, all for the sake of convenience and expedience. Admittedly, two-stage authentication doesn’t help much in the case of Heartbleed, but this particular bug is a very special case, one that future updates to internet security protocols will endeavour to avoid.

As technology begins to creep into every aspect of our lives, the responsibility for our own security increasingly lies with the user. We go to great lengths to ensure we remain safe in the physical world by locking our doors, installing security systems, and storing important documents safely. Why should our online lives be treated any differently?

Posted by on May 19, 2014 in Info ICT, Security


Do We Really Need Mobile Anti-Virus?

I was recently asked about the necessity of anti-virus software on a smartphone. It was a reasonable question, but one that I didn’t quite have an answer to. Kaspersky has reported some 200,000 unique samples of mobile malware in January 2014, which certainly looks like an extremely dangerous trend. Yet security against malware doesn’t appear to be very high on the list of priorities of smartphone users. Understanding the threat is necessary in overcoming it, and mobile malware doesn’t quite function in the same manner as traditional computer viruses. Unlike the PC-based versions, mobile malware is incapable of spreading on its own. It cannot infect a network and then copy itself to other devices. Mobile devices require people to actively allow things to be downloaded and installed, limiting the spread of malware. This doesn’t mean malware cannot spread across devices; it just means that the process requires engineering a situation where the human user makes a terrible mistake. Creating the opening is not entirely difficult. Apps containing malware can be found all over the place, often disguising themselves as legitimate apps to fool users. This is particularly effective for apps that are not free, as some mobile users will try to pirate or sideload them. Security firm F-Secure discovered that 97% of all mobile malware was found on Android devices. However, this number is extremely misleading. While a huge amount of malware was discovered on Android, less than 0.1% of it originated from Google’s Play Store – which indicates weaknesses in third-party app stores.

As for other platforms: iOS, BlackBerry and Windows Phone combined have less malware than Symbian. Going without an antivirus is certainly an option. Most smartphone users manage to get along without one. After all, the best security measures are those where the user is careful with what happens while connected. Simply paying attention to the permissions required by apps can go a long way to ensuring malware does not find its way in. Traditionally, malware is designed to gather information about the user. Personal information, credit card numbers, and contacts are all valuable to criminals. However, there are other ways of obtaining all that without having to deploy any sort of malicious attack package. WiFi spoofing is an increasingly common method of stealing data. It works by leaving a WiFi router out to trick passing devices into connecting to it. This is usually possible because people leave their smartphones and tablets to continuously search for an open network. Once connected, the malicious network functions exactly like a normal WiFi network, except that it records all the information that passes through it. This usually isn’t much, but it can easily steal passwords and other login information. The amount of personal information people willingly share on the Internet may also mean that using illegal and unethical methods for data collection is unnecessary. This simply means that most security issues can be solved without the need for mobile anti-virus. However, that is not to say that this sort of software is a waste of money.

Mobile anti-virus is still helpful for screening potentially damaging malware hidden in attachments like PDF files and pictures, both of which are less common attack vectors but also find it easier to get around the security of the app stores. Before iPad and iPhone users get smug, this type of malware is very capable of operating on Apple products. Only Windows Phone poses a difficulty for malware, but that is because it infuriatingly refuses to run anything in the background. It is in situations like this that an anti-virus becomes the only layer of security you will have. Suspicious attachments are not always easy to avoid, and those of us who deal with many emails in a day will tend to open attachments as a reflex. It is not much of an issue if your mobile device is for personal use; at most, your email password gets stolen (and you should be using two-stage authentication anyway). Mobile devices used for work present the greater concern. There is more at stake here, and the extra security might actually matter, especially as threats become more sophisticated and malware becomes more efficient at hijacking devices, such as malware that hijacks smartphone processing power to mine Bitcoin.

Therefore we return to the question: does one need mobile anti-virus? I can say that regular use should not bring the average user into contact with malware very often, and taking proper precautions is more than enough to keep a person free from infection. On the other hand, implementing extra security measures with an antivirus program will provide that extra layer of protection in the event of a particularly tenacious attacker. So, there really is no harm in getting an anti-virus program.

Posted by on May 17, 2014 in App, Security


LG’s New Knock Code Feature

LG’s latest smartphones will come with a new feature called Knock Code. It is an evolution of the company’s Knock On feature that made its debut in the LG G2 last year. Combining convenience and security is quite a challenge when it comes to locking and unlocking your smartphone, but LG may have achieved it with Knock Code.

Here’s how to set up Knock Code. To start, select Knock Code as your screen lock of choice. The on-screen guide will then help you set up your own unique Knock Code.

The new Knock Code feature is present on all of LG’s latest devices showcased here at MWC 2014, namely the G Flex, G Pro 2 and the G2 Mini. We’re also told that an upcoming update for the LG G2 will bring this functionality to the company’s 2013 flagship. As explained in the demo, Knock Code is an evolution of Knock On, where the phone can be woken with a double tap of the screen. With Knock On, if you’ve got a security PIN code set up, you’ll still need to enter your PIN code before the device is unlocked. It is a tedious process, but one which many face simply in the name of increased security. With Knock Code, users simply tap the screen in a pre-set combination and the phone will completely bypass the lockscreen and go straight to the home screen.

What’s very good about Knock Code is its flexibility of input: the software recognizes the tap – or Knock, as LG puts it – combination set by the user, and that combination can be input anywhere on the screen at any ratio, so the phone will still unlock even if you tap the combination on one small corner of the screen. Evidently, this feature vastly reduces the time it takes to unlock a phone, but LG also states that Knock Code is more secure than the standard 4-digit PIN codes found in smartphones today. Given that the tap combination can range anywhere from two to eight taps, LG states that there are over 84,000 possible combinations that can be achieved with Knock Code, compared to only about 10,000 on a standard PIN code.

In addition, Knock Code further enhances the earlier Knock On feature, where a double tap anywhere on the home screens will automatically lock the phone. This again makes the process of locking your smartphone much faster and more convenient, regardless of whether all your physical buttons are located at the back of the device. As someone who secures his smartphone with a PIN code, I can really appreciate this feature on my smartphone. Various studies have estimated that smartphone users unlock their phones anywhere between 110 and 200 times a day, and I can imagine how much easier and more convenient having Knock Code around would be to speed things up.

Posted by on March 2, 2014 in App, Security


A Cyber-Espionage Security Threat

Kaspersky Lab today revealed that a global-level security threat called The Mask, or Careto, has been discovered in the wild and targets many high-profile organizations across the globe. These include government institutions, diplomatic offices and embassies, research institutions, private equity firms, and activists, as well as energy, oil, and gas companies. The threat has been detected in 31 countries throughout the world, including Malaysia, and the Russian computer security company believes that Careto is a state-sponsored campaign due to its complexity and highly coordinated methods. Even though Kaspersky Lab’s team only discovered the threat last year, the team’s analysis showed that The Mask might have been active for at least five years, with some of Careto’s samples being even older, as they were compiled back in 2007.

Careto’s toolset includes what seems to be highly advanced malware, a rootkit, and a bootkit, together with versions for Mac OS X and Linux and the possibility of versions for Android and iOS. Additionally, Careto turned out to be a highly modular system with support for plugins, configuration files and additional modules. Careto also tried to take advantage of vulnerabilities in older Kaspersky Lab products, which is exactly how it managed to attract the attention of Kaspersky Lab’s team.

Careto spreads through spear-phishing emails that lead victims to a malicious website which contains exploits that are designed to infect the victim. When the infection is successful, the victim is redirected to a different but harmless website that might have been referenced in the original spear-phishing email. The infection then intercepts all communication channels on the victim’s machine and begins to collect vital information from a large list of documents, including encryption keys, VPN configurations, SSH keys, and RDP files.

As of now, all known command-and-control servers used by Careto are no longer online, as Careto’s operators seem to have shut down their servers in January 2014. To learn more about Careto, check out this FAQ by Kaspersky Lab.

Posted by on March 1, 2014 in Security


How to Restrict Your App and In-App Purchases on Apple App Store and Google Play Store

Here’s something I’m pretty sure some parents can relate to – you receive an SMS notification from your bank saying that you have spent a large amount of USD on a game you don’t even play or, even worse, you check your credit card statement at the end of the month and find an incredible bill from iTunes or Google. Unintentional purchases, especially in-app purchases, made by children who don’t even know what is going on, have always been a major problem, particularly in Apple’s ecosystem. Last week, Apple was ordered by the FTC to refund USD$32.5 million to users and, if you remember, last year a Singaporean boy spent SGD$4,000 just for Candy Crush boosters. Don’t get me wrong though: I’m not encouraging parents to use gadgets to babysit their children, nor am I suggesting that kids should get addicted to games like Candy Crush, but chances are they could get their hands on your smartphone when you turn your back on them and, a couple of taps later, you get billed $50 for a truckload of useless stuff. So to prevent that from happening, here’s how you can tighten up app and in-app purchases for the respective stores and even disable them for good. For those of you who have children, a baby, are expecting a baby, or are even planning for one, please do activate it. It might be a bit troublesome at times when you really need to buy an app, but better to waste that extra 30 seconds keying in your password than to waste hours trying to get a refund, IF the store or developers approve it, that is.

For iOS. After getting into hot water on several accounts, it looks like Apple has done a great job in trying to prevent such situations from happening. Under normal circumstances, once you key in your password, you will have a 15-minute window to purchase apps or in-app stuff without keying in your password again. This window has led to many unwanted purchases by children amounting to thousands of dollars and, as a result, you can now change the settings or even disable app/in-app purchases completely on iOS.

Disable App/In-App Purchases Completely for iOS. Settings > General > Restrictions > (if Restrictions is off, you will need to set a pin and confirm it to turn it on) > and turn off the ability to Install, Delete and make In-App Purchases.

If you do not wish to disable app purchases completely (because it’s such a hassle to have to drill down the Restrictions menu again to enable it), you can turn off the 15-minute window and require a password for all purchases immediately in the same menu: Settings > General > Restrictions > Under “Allowed Content”, change “Require Password” to “Immediately”. Say “bye bye” to the 15-minute window. This is recommended even if you do not have a toddler; it’s better to be safe than sorry.

For Android. I don’t know why Apple is the only one who got sued to refund in-app purchases made by clueless children. Personally, I think it’s much easier on Google: correct me if I am wrong, but by default no password is required when making an in-app purchase. So, if you have children, here is how to turn on Password Restriction for Google Play Store: Open the Play Store app, hit the “menu” button and select “Settings”. Under “User Controls”, make sure the checkbox for “Password” is checked; you will need to key in your Google password for this step. With this turned on, each time you purchase an app from the Play Store or from within an app, you will need to key in your Google password. This setting was previously known as setting a pin, but Google has since changed that to require the password associated with your Google account, which makes sense.

The next time you wish to buy an app or an in-app item, you will have to key in your password. However, do note that Google has a 30-minute window that allows users to purchase apps for a whole 30 minutes from when the password was first keyed in, and there is no way you can disable that for good. In addition to that, do note that Google has some sort of filter that tracks “risky” app purchases and will restrict users from downloading an app for 30 minutes. I have no idea why this appeared for me when I genuinely wanted to buy the app after keying in my password. I tried once last night and again hours ago but it is still there and I will not be able to download that app for another 30 minutes. Pretty annoying if you ask me, but it doesn’t affect my other app purchases, thankfully.

Posted by on February 9, 2014 in Info ICT, Security


Turn off Location for FB Messenger

I know this is nothing new: Facebook has been known to share users’ location information whether you want it to or not. But did you know that Facebook Messenger shares your precise location, on a map, and can even easily provide users with directions to your location? You know how, when you are setting up your new phone or granting permissions to an app you just installed, you tend to turn everything on and say yes to all the requests, particularly for popular apps that you can trust, such as Facebook? Well, when you first installed and opened Facebook, you said yes to sharing your location because sometimes you would like to check into places, and letting people know you are posting that status in Kuala Lumpur doesn’t hurt, right? Wrong. Read on to find out how and why you should turn off the location service for your Facebook / Facebook Messenger app, especially if you have a not-so-tech-savvy friend, spouse or even parents.

Once you turn on location sharing on Facebook, it will share your location in your Facebook chat messages as well, and not just a rough estimation of your location (Kuala Lumpur, Petaling Jaya, or Singapore) but your precise location down to the street you are on, like a message of mine sent from the office. Sure, when you first check your Facebook messages, it will ask if you would like to share your location in that chat message, but let’s face it, we tend to ignore these prompts. Even if you turn it off for that particular chat, it will still be turned on by default for other chat messages, even with strangers, and how many of you actually pay attention to that GPS logo in the chat box to see whether it’s turned on or off? I do, actually, but usually only after I send that first message, and by then it’s already too late: my location for that particular message has been sent and will stay in the chat history for everyone involved in that chat, forever.

And even if you turn your location off for a particular person, your location will be on by default for everyone else. You can turn it off for person A in Facebook Messenger within your Facebook app, but when you install the dedicated Facebook Messenger app, it will be turned on by default again. Annoying? Of course it is. I just realized that I have been sharing my location with people I don’t even know, because Facebook has made it so easy for people to message your inbox simply by paying. So, before you make the same mistake as I did, here’s how to have that annoying feature turned off by default.

Posted by on February 9, 2014 in Info ICT, Security