Another Shady App Found Pre-Installed on OnePlus Phones that Collects System Logs

The OnePlus Saga Continues…

Just a day after the revelation of the hidden Android rooting backdoor pre-installed on most OnePlus smartphones, a security researcher has found another secret app that records a large amount of information about your phone.

Dubbed OnePlusLogKit, the second pre-installed app was discovered by the same Twitter user, who goes by the pseudonym “Elliot Alderson” and who also found the controversial “EngineerMode” diagnostic testing application that could be used to root OnePlus devices without unlocking the bootloader.

OnePlusLogKit is a system-level application that is capable of capturing a multitude of things from OnePlus smartphones, including:

  • Wi-Fi, NFC, Bluetooth, and GPS location logs,
  • Modem signal and data logs, hot and power issue logs,
  • list of running processes, list of running services, and battery status,
  • media databases, including all your videos and images saved on the device.

Unlike EngineerMode (which was found on devices from several manufacturers, including HTC, Samsung, LG, Sony, Huawei, and Motorola), the OnePlusLogKit application (decompiled APK) has so far been found only on OnePlus devices.

Since OnePlusLogKit is disabled by default, the attacker would require access to the victim’s smartphone to enable it.

With physical access to the targeted smartphone, one can quickly enable it by dialing *#800# → “oneplus Logkit” → enable “save log,” or one can use social engineering to get the owner of the device to do it themselves.

Once enabled, the logs are written unencrypted to /sdcard/oem_log/, which is shared external storage: any other app on the device that holds the storage permission can read them and upload them without further user interaction, and that permission is one most users have already granted to many apps.
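A quick way to check an attached device for this from a workstation, as an added example that is not from the article or from OnePlus: the script below runs a few adb commands and summarises what is sitting in /sdcard/oem_log/. It assumes adb is on the PATH with USB debugging enabled on the phone, and that the LogKit package name contains the string "logkit" (an assumption; the article only gives the app's display name). The ls parser is separated from the adb calls so it can be exercised on captured output.

```python
"""Audit an attached Android device for OnePlusLogKit output on shared storage.

Added example, not code from the article or from OnePlus.  Assumptions:
  * `adb` is on PATH and the phone has USB debugging enabled;
  * the LogKit package name contains "logkit" (the article only gives the
    app's display name, so this is a guess used for a case-insensitive match);
  * the log directory is /sdcard/oem_log/ as stated in the article.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

OEM_LOG_DIR = "/sdcard/oem_log/"
PACKAGE_HINT = "logkit"  # assumption, see module docstring

# toybox `ls -l` on Android: perms links owner group size date time name
_LS_RE = re.compile(
    r"^(?P<perms>[-dlrwxsStT]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\S+\s+\S+\s+(?P<name>.+)$"
)


@dataclass
class Entry:
    name: str
    size: int
    perms: str
    group: str

    @property
    def group_readable(self) -> bool:
        # On Android shared storage the group is normally sdcard_rw, which any
        # app holding the storage permission is placed in; index 4 is group 'r'.
        return self.perms[4] == "r"


def parse_ls_l(output: str) -> List[Entry]:
    """Parse `ls -l` output from the device into Entry objects (files only)."""
    entries = []
    for line in output.splitlines():
        m = _LS_RE.match(line.strip())
        if not m or m.group("perms").startswith("d"):
            continue
        entries.append(Entry(m.group("name"), int(m.group("size")),
                             m.group("perms"), m.group("group")))
    return entries


def summarize(entries: List[Entry]) -> dict:
    """Total bytes plus the names that look like the log types the article lists."""
    total = sum(e.size for e in entries)
    interesting = [e.name for e in entries
                   if re.search(r"modem|wifi|bt|bluetooth|nfc|gps|media|power|thermal",
                                e.name, re.I)]
    return {"files": len(entries), "bytes": total, "interesting": interesting,
            "readable_by_storage_apps": bool(entries) and all(e.group_readable for e in entries)}


def adb(*args: str) -> Optional[str]:
    """Run an adb command and return stdout, or None if adb is missing or fails."""
    try:
        r = subprocess.run(["adb", *args], capture_output=True, text=True, timeout=20)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return r.stdout if r.returncode == 0 else None


def audit_device() -> dict:
    """Check for a LogKit-like package and for data already written to oem_log."""
    pkgs = adb("shell", "pm", "list", "packages") or ""
    candidates = [p.split(":", 1)[-1] for p in pkgs.split() if PACKAGE_HINT in p.lower()]
    listing = adb("shell", "ls", "-l", OEM_LOG_DIR) or ""
    return {"package_candidates": candidates, **summarize(parse_ls_l(listing))}


if __name__ == "__main__":
    print(audit_device())
```

An empty `interesting` list with zero bytes means logging has not been switched on (or has been cleared); a populated one means the data described above is already sitting where any storage-permitted app can reach it.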

Although the app in question has been designed for device manufacturers and engineers to log the events/activities to diagnose system issues, the amount of information collected here could also be used for nefarious purposes.

OnePlus has yet to comment on this latest issue. The Chinese company did not see the previous EngineerMode diagnostic tool as a major security issue, although it promised to remove the adb root function in an upcoming OxygenOS update.

“While it can enable adb root which provides privileges for adb commands, it will not let 3rd-party apps access full root privileges,” the OnePlus spokesperson said in a statement.

“Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device.”

Qualcomm, which was believed to be the creator of the EngineerMode APK, also responded to the allegations, saying that there are traces of source code from its original app, but that the APK found on devices from various manufacturers has been modified by someone else.

“After an in-depth investigation, we have determined that the EngineerMode app in question was not authored by Qualcomm,” Qualcomm claims.

“Although remnants of some Qualcomm source code is evident, we believe that others built upon a past, similarly named Qualcomm testing app that was limited to displaying device information. EngineerMode no longer resembles the original code we provided.”

Meanwhile, another security researcher has released an Android application to root OnePlus phones quickly by using the backdoor discovered in EngineerMode.

via The Hacker News http://bit.ly/2hvPXSo


UC Browser pulled from Google Play for shady activity

UC Browser — the Android web browser with more than half a billion downloads to its name, and which has proved particularly popular in India — has been pulled from Google Play.

In addition to being available from the Play Store, the browser came preinstalled on a number of handsets, and it gained popularity thanks to its speedy performance and low system requirements. But the fact that it used “misleading” and “unhealthy” methods of promotion led to it being pulled.

There was some debate on Reddit about just why the app had been pulled from Google Play. Artem Russakovskii from Android Police shared a theory that the removal was related to UC Browser’s promotional campaigns, which Google appears to have taken exception to. He posted a copy of an email he received as an affiliate of UC Union, the company behind the browser:

Dear Partner,

We hereby emphasize again that UC Union prohibits any and all misleading/malicious advertising method(s) to procure new users when promoting UC Browser campaigns, such as by using slogans inconsistent with the Product functions, or by using inductive slogans.

DO NOT use the Malicious Promotion method(s) or STOP such behavior immediately if you are acting so.

Upon discovery of a Malicious Promotion, UC Union is entitled to

(i) STOP your payment settlement, or DEDUCT your corresponding payment made to you;

(ii) compensation in recovery of the loss suffered by UC Union, including but not limited to loss of UC Union’s good will, loss of users of UC Union Product(s), removal of UC Union Product(s) from Google Play or Apple Store, and any other loss as a result of your Malicious Promotion;

(iii) require you to CLARIFY the facts for elimination of the negative impact shed upon UC Union; and

(iv) resort to any other legal measures if necessary.

UC Union is looking forward to cooperating and developing with you in a healthy UC Union ecosphere.

UC Union Team

Mike Ross — who works on the browser — appears to confirm the reason behind the app’s disappearance:

There has been no official public statement about the browser’s removal from Google Play, and its cut-down sibling, UC Browser Mini, is still available to download.

via Betanews http://bit.ly/2jwi20q

The Dark Side of ‘Replay Sessions’ That Record Your Every Move Online

When internet users visit Walgreens.com, a software company may record every keystroke, mouse movement and scroll, potentially exposing medical conditions such as alcohol dependence, or the names of drugs a user has been prescribed, according to Princeton researchers.

Companies like Walgreens deploy these analytics-software providers to see how people use their website or to identify broken or confusing web pages. The analytics companies place “scripts” on their clients’ websites that record individual browsing sessions for later viewing or a “replay session.”

In effect, the researchers say, software companies are “looking over your shoulder” as you navigate certain websites. The extent of the data collected “far exceeds user expectations,” including recording what you type into a text box before you submit it, “all without any visual indication to the user,” according to a study released Wednesday.

In response to questions from WIRED, Walgreens said Wednesday it would stop sharing data with the software company, FullStory. “We take the protection of our customers’ data very seriously and are investigating the claims made in the article that was published earlier today,” Walgreens said in a statement. “As we look into the concerns that were raised, and out of an abundance of caution, we have stopped sharing data with FullStory.” A Walgreens spokesperson said FullStory’s software “essentially has an ‘on/off’ switch,” which the retailer has now turned off.

FullStory is among a group of seven “session replay” companies examined by the Princeton researchers. Analytics software that measures mouse movements or keystrokes has been around for years, says Steven Englehardt, one of the authors of the study. But the technology has typically been used to track groups of users, such as the parts of a web page where visitors linger the longest. The researchers found that FullStory and the other companies are now tracking users individually, sometimes by name.

The study also found FullStory capturing personal information from Bonobos, a retailer now owned by Wal-Mart. Other customers listed on FullStory’s website include Zocdoc, Shopify, CareerBuilder, SeatGeek, Wix.com, Digital Ocean, DonorsChoose.org, and more. FullStory did not respond to a request for comment.

The replay companies offer tools to help clients redact sensitive information both manually and automatically, but the researchers found that the process was often inadequate. The study found that Walgreens made “extensive use of manual redaction” but FullStory still gained access to some personal information. On Bonobos’ site, FullStory captured credit-card details, including the cardholder’s name and billing address, the card’s number, expiration, and security code. Bonobos did not respond to a request for comment.

To gather data, Englehardt said researchers signed up for accounts on Walgreens and other sites. At Walgreens, they added prescription and health information, recording all the network traffic. They later analyzed the network traffic to see if the information they entered appeared in the session recording.
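The measurement the researchers describe can be reproduced on any site with a throwaway account: type unique canary values into the forms, capture the outbound traffic, and search the replay payload for those values in every encoding they might take once serialised. The script below is an added example of that check; it is not code from the study or from any replay vendor, and the captured payload in it is constructed for illustration. It searches for raw, URL-encoded, JSON-escaped, base64 and digits-only forms, because a value that is "redacted" in one event can still leak via a captured URL or a differently encoded field.

```python
"""Check whether values typed into a test account turn up in a session-replay
payload.  Added example mirroring the methodology described above; not code
from the study or from any replay vendor.  CAPTURED_PAYLOAD is constructed for
the example and does not come from a real site.
"""
import base64
import json
import re
import urllib.parse
from typing import Dict, List

# Canary values entered into the site's forms under a throwaway account.
# They are unique strings so that a match in the traffic is unambiguous.
CANARIES: Dict[str, str] = {
    "prescription": "Naltrexone 50mg",
    "card_number": "4111 1111 1111 1111",
    "password": "Canary-Pw-7731",
}

# Constructed replay batch, loosely modelled on the JSON event streams such
# scripts post.  One field is redacted, one leaks verbatim, and one leaks
# URL-encoded inside a query string the recorder captured on navigation.
CAPTURED_PAYLOAD = json.dumps({
    "events": [
        {"t": 1, "kind": "input", "sel": "#rx-name", "value": "Naltrexone 50mg"},
        {"t": 2, "kind": "input", "sel": "#pw", "value": "***REDACTED***"},
        {"t": 3, "kind": "navigate",
         "url": "https://shop.example/checkout?cc=4111%201111%201111%201111&exp=1219"},
    ]
})


def encodings(value: str) -> Dict[str, str]:
    """Forms a value may take once serialised into traffic (empty = not applicable)."""
    digits = re.sub(r"\D", "", value)
    return {
        "raw": value,
        "urlencoded": urllib.parse.quote(value, safe=""),
        "urlencoded+": urllib.parse.quote_plus(value),
        "json": json.dumps(value)[1:-1],          # JSON string escaping, quotes stripped
        "base64": base64.b64encode(value.encode()).decode(),
        "digits": digits if len(digits) >= 8 else "",  # card/phone numbers with separators removed
    }


def find_leaks(canaries: Dict[str, str], payload: str) -> Dict[str, List[str]]:
    """Map each canary field to the encodings under which it appears in payload.

    Encodings that produce the same text as an earlier one (e.g. JSON escaping
    of a plain ASCII value) are skipped so each hit is reported once.
    """
    hits: Dict[str, List[str]] = {}
    for field, value in canaries.items():
        seen = set()
        found = []
        for enc, form in encodings(value).items():
            if not form or form in seen:
                continue
            seen.add(form)
            if form in payload:
                found.append(enc)
        if found:
            hits[field] = found
    return hits


if __name__ == "__main__":
    for field, encs in find_leaks(CANARIES, CAPTURED_PAYLOAD).items():
        print(f"{field}: leaked as {', '.join(encs)}")
```

In the constructed payload the password field was redacted, but the prescription name leaks verbatim and the card number leaks URL-encoded in a captured checkout URL; the same approach, run against a real capture from a browser proxy, is how to verify that a vendor's redaction is actually reaching every path the data takes.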

The researchers examined the 50,000 most-visited websites, according to Alexa. They found 482 sites that were sharing information about individuals with one or more of the seven replay companies. Englehardt said the percentage of sites leaking information to the software companies was likely higher, because the software companies track only a sample of visits to a given website.

While “keylogging” software has been around for a while, the practices highlighted in the new Princeton study are “by far the most pernicious” examples of capturing user information, says Ashkan Soltani, a security and privacy researcher and former chief technologist for the Federal Trade Commission. “Capturing [the text typed into] every form field is a level of detail that I have not seen historically.”

“I don’t think most users realize that when they interact with a website that their information about that visit is being shared with 40 to 100 third parties,” Soltani says. Those companies typically record only that a user has visited a page, he adds, but in these cases they are capturing “not only that I visited that page, but also what content I submitted.”

One of the software companies identified by the study is Yandex, Russia’s largest search engine. Englehardt said the researchers did not examine whether Yandex’s tracking might have been part of state-sponsored surveillance. But he said that Yandex was most often used on Russian websites.

Englehardt said he and his colleagues plan to release additional studies examining data-collection practices by software companies that track web users.

via Wired Top Stories http://bit.ly/2iZaLlE

Intel’s management engine – in most CPUs since 2008 – can be p0wned over USB

Positive Technologies, which in September said it had a way to attack the Intel Management Engine, has dropped more details on how its exploit works.

The firm has already promised to demonstrate the God-mode hack in December 2017, saying the bug “allows an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard”.

For some details, we’ll have to wait, but what’s known is bad enough: the Intel Management Engine (IME) is reachable over a standard Joint Test Action Group (JTAG) debugging interface, and on recent chipsets that interface can be driven over USB, so Positive Technologies researchers put the two together and crafted a way to reach the IME from the USB port.

IME’s problems first emerged in May, when researchers noticed you could authenticate to the Active Management Technology running on the microcontroller by sending an empty response to its HTTP digest login.

That was patchable, but the IME – a microcontroller that has full control over hardware and networking, independently of the operating system – remained in place.

The latest attack came to Vulture South’s attention via a couple of Tweets:

The linked blog post [in Russian] explains that since Skylake, the PCH – Intel’s Platform Controller Hub, which manages chip-level communications – has offered USB access to JTAG interfaces that used to need specialised equipment. The new capability is DCI, Direct Connect Interface.
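One host-side check worth knowing, added here as an example and not taken from the article or from Positive Technologies' write-up: Intel's architectural MSR IA32_DEBUG_INTERFACE (0xC80) reports whether the CPU's silicon debug features are enabled and whether that setting has been locked, using the bit layout documented in Intel's Software Developer's Manual (bit 0 enable, bit 30 lock, bit 31 the sticky "debug occurred" flag). The reader below assumes Linux with the msr kernel module loaded and root; the decoder is pure, so it also works on a value obtained with rdmsr from msr-tools. The caveat is that this is the CPU-side setting only: enabled=0 with lock=1 is the result you want, but it does not by itself prove that the PCH's USB debug path is closed.

```python
"""Decode Intel's IA32_DEBUG_INTERFACE MSR (0xC80).

Added example; not from the article.  Bit layout per Intel SDM vol. 4:
bit 0 = Enable, bit 30 = Lock, bit 31 = Debug Occurred (sticky).
read_msr() assumes Linux with the `msr` kernel module loaded (/dev/cpu/N/msr)
and root privileges; on a CPU without this MSR the read raises OSError.
decode()/verdict() are pure and can be used on a value from `rdmsr 0xc80`.
"""
import os
from typing import Dict

IA32_DEBUG_INTERFACE = 0xC80
ENABLE_BIT = 1 << 0
LOCK_BIT = 1 << 30
DEBUG_OCCURRED_BIT = 1 << 31


def decode(value: int) -> Dict[str, bool]:
    """Break the 64-bit MSR value into the three documented flags."""
    return {
        "enabled": bool(value & ENABLE_BIT),
        "locked": bool(value & LOCK_BIT),
        "debug_occurred": bool(value & DEBUG_OCCURRED_BIT),
    }


def verdict(value: int) -> str:
    """Assessment string; 'ok' only when debug is off and the setting is locked."""
    f = decode(value)
    if f["enabled"]:
        return "DEBUG ENABLED: silicon debug features are on (JTAG/DCI may be reachable)"
    if not f["locked"]:
        return "UNLOCKED: debug is off but the setting can still be changed at runtime"
    if f["debug_occurred"]:
        return "ok-but-sticky: debug was enabled at some point since power-on"
    return "ok"


def read_msr(cpu: int = 0, addr: int = IA32_DEBUG_INTERFACE) -> int:
    """Read an MSR through the Linux msr device (offset = MSR address)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        raw = os.pread(fd, 8, addr)
    finally:
        os.close(fd)
    return int.from_bytes(raw, "little")


if __name__ == "__main__":
    v = read_msr()
    print(f"IA32_DEBUG_INTERFACE = {v:#018x} -> {verdict(v)}")
```

The lock bit is what matters operationally: firmware that leaves it clear lets the enable bit be flipped later, so an "UNLOCKED" result is worth raising with the platform vendor even when debug is currently off.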

Any attack needs access to USB, which as we know is really difficult.

We still don’t know all the details Positive Technologies will show off at Black Hat, but their trailers are sure fun to watch. ®

Bootnote: The IME is able to control a computer because it runs an OS of its own, namely MINIX. And it turns out that while Intel talked to MINIX’s creator about using it, the company never got around to saying it had put it into every CPU it makes.

Which has MINIX’s creator, Andrew S. Tanenbaum, just a bit miffed. As Tanenbaum wrote this week in an open letter to Intel CEO Brian Krzanich:

The only thing that would have been nice is that after the project had been finished and the chip deployed, that someone from Intel would have told me, just as a courtesy, that MINIX was now probably the most widely used operating system in the world on x86 computers. That certainly wasn’t required in any way, but I think it would have been polite to give me a heads up, that’s all.


via The Register – Security http://bit.ly/2hmp7zX

Oppo, Xiaomi to adopt 3D sensors for smartphones in 2018


Sammi Huang, Taipei; Steve Shen, DIGITIMES [Thursday 9 November 2017]

China-based vendors Oppo and Xiaomi Technology will adopt 3D sensing solutions for smartphones to be launched in 2018, with such solutions to be developed by Himax Technologies via cooperation with Qualcomm and the sensor modules to be produced by Truly Opto-Electronics, according to industry sources.

The cooperation between Qualcomm, Himax and Truly Opto-Electronics will significantly upgrade the hardware specifications of high-end models rolled out by China-based smartphone vendors in the coming year, further enhancing their competitiveness, said the sources.

The facial recognition solutions co-developed by Qualcomm, Himax and Truly Opto-Electronics are expected to enter volume production in March-April 2018 at the earliest, indicated the sources.

Meanwhile, China’s top smartphone vendor Huawei is reportedly cooperating with China-based Sunny Optical Technology to develop related 3D sensor solutions for its premier models, indicated the sources.

On the other hand, China-based touch panel and optical sensor supplier O-film Tech is reportedly gearing up its development of structured light solutions aiming to tap into the 3D sensor market in cooperation with local smartphone vendors, said the sources.

Huawei, Xiaomi, Oppo, Vivo and Lenovo were the top-five local vendors in China’s smartphone market in the third quarter of 2017, according to Digitimes Research. Huawei led the top-five group by shipping 40 million smartphones in the quarter, followed by Xiaomi with 23 million units and Oppo with over 20 million units.

via DIGITIMES: IT news from Asia http://bit.ly/2jfMZFJ

Why banks prefer Twitter to other social channels

Banking institutions may not be many people’s picture of social media savvy, but they are perhaps surprisingly interested in Twitter.

Banks use Twitter more than Facebook, Instagram or LinkedIn — of 123,000 posts by financial brands, 79 percent were posted to Twitter compared to 12 percent on Facebook — and not just as a channel for customer complaints, as many other brands in service businesses do. Banks such as Goldman Sachs, Bank of America and Citi push podcasts, video interviews, company updates and sponsorships to customers.

There are a few reasons: it’s free, and according to Liz Elder, senior financial services associate at L2, it shows people that banks are not too old or behind the times to cater to the same customers that use services like Facebook and Uber and shop online, sometimes on their mobile phones.

But for financial institutions, social media strategy is far from a need-to-have. Banks have enough brand equity that even without a winning Facebook strategy they will still come out on top, because how customers shop for a banking relationship just isn’t the same as how they approach the rest of their shopping: customers still consider things like proximity to a branch, access to human advice and, despite research showing that banks still struggle to reclaim the customer trust lost after the 2008 financial crisis, the trust that comes with a name evoking strength, gravitas and rigidity, like Goldman Sachs or JPMorgan Chase.

Read the full story on tearsheet.co

The post Why banks prefer Twitter to other social channels appeared first on Digiday.

via Digiday http://bit.ly/2hmp4nL

Adobe Creative Cloud: Read the Fine Print on Licenses!

Burning Money

When Adobe Creative Cloud launched, I signed up! No more buying expensive licenses and managing DVD keys… just download and install as needed. We have an amazing team that works on our designs, but we often just have to make a quick edit or adjustment after we get files from our designers, so I purchased a license. My business partner began to help out, so I purchased a second license for her, too. And then one of our clients didn’t have the budget for a license but needed to edit files from time to time, so I purchased a license for them.

I Never Read The Fine Print

I thought I was just paying a monthly license fee and could add and remove the licenses as needed. I found out the hard way that that’s not the case. After my business partner launched her own agency and my client had let the employee go… I found myself paying for two unused licenses each month. After stumbling through the terrible administrative panel for Adobe Creative Cloud and removing the two users, I noticed that the license count remained the same.

A quick search for “remove licenses” in their knowledge base provided the response no one ever wants… contact support. Ugh… I opened a chat window. I thought perhaps someone was going to talk me out of disabling the licenses. After 23 minutes and 51 seconds, they did. But it may not be why you think.

Adobe Creative Suite Chat

The actual chat is included above to show you the nonsensical pitch that I was thrown, which totally ignored the fact that I am using my own license. I know how great the program is, I bought a license!

A company the size of Adobe should honestly be ashamed of using this strategy to rip off their customers for a few bucks. I didn’t realize I was inadvertently signing a new annual contract. I recognize some businesses have hard onboarding costs with customers, but that doesn’t exist with Adobe Creative Cloud. Just as with any other SaaS platform, I should be able to add and remove user licenses as needed. The reason I signed up was that I’m an honest user who appreciated the value of the platform and willingly paid for it.

Now I’m paying 300% of my license cost for Adobe Creative Suite with the other two licenses dormant. Adobe, I’ll absolutely be calling you July 16, 2018. Maybe it’s time for me to find some alternative platforms.

Warning: There’s also no option on the administrative panel to disable auto-renewal.


© 2017 DK New Media. All Rights Reserved. Visit and Subscribe to MarTech today!

via MarTech http://bit.ly/2zricd5