FreshRSS


Google Play will no longer pay to discover vulnerabilities in popular Android apps

19 August 2024 at 09:39

  • Google has announced that it is winding down the Google Play Security Reward Program.
  • The program was introduced in late 2017 to incentivize security researchers to find and responsibly disclose vulnerabilities in popular Android apps.
  • Google says it is winding down the program due to a decrease in actionable vulnerabilities reported by security researchers.


Security vulnerabilities are lurking in most of the apps you use on a day-to-day basis; there’s just no way for most companies to preemptively fix every possible security issue because of human error, deadlines, lack of resources, and a multitude of other factors. That’s why many organizations run bug bounty programs to get external help with fixing these issues. The Google Play Security Reward Program (GPSRP) is an example of a bug bounty program that paid security researchers to find vulnerabilities in popular Android apps, but it’s being shut down later this month.

Google announced the Google Play Security Reward Program back in October 2017 as a way to incentivize security researchers to find and, most importantly, responsibly disclose vulnerabilities in popular Android apps distributed through the Google Play Store.

When the GPSRP first launched, it was limited to a select number of developers who were only allowed to submit eligible vulnerabilities that affected applications from a small number of participating developers. Eligible vulnerabilities include those that lead to remote code execution or theft of insecure private data, with payouts initially reaching a maximum of $5,000 for vulnerabilities of the former type and $1,000 for the latter type.

Over the years, the scope of the Google Play Security Reward Program expanded to cover developers of some of the biggest Android apps such as Airbnb, Alibaba, Amazon, Dropbox, Facebook, Grammarly, Instacart, Line, Lyft, Opera, PayPal, Pinterest, Shopify, Snapchat, Spotify, Telegram, Tesla, TikTok, Tinder, VLC, and Zomato, among many others.

In August 2019, Google opened up the GPSRP to cover all apps in Google Play with at least 100 million installations, even if they didn’t have their own vulnerability disclosure or bug bounty program. In July 2019, the rewards were increased to a maximum of $20,000 for remote code execution bugs and $3,000 for bugs that led to the theft of insecure private data or access to protected app components.

[Image: Google Play Security Reward Program eligible vulnerabilities. Credit: Mishaal Rahman / Android Authority]

The purpose of the Google Play Security Reward Program was simple: Google wanted to make the Play Store a more secure destination for Android apps. According to the company, vulnerability data they collected from the program was used to help create automated checks that scanned all apps available in Google Play for similar vulnerabilities. In 2019, Google said these automated checks helped more than 300,000 developers fix more than 1,000,000 apps on Google Play. Thus, the downstream effect of the GPSRP is that fewer vulnerable apps are distributed to Android users.

However, Google has now decided to wind down the Google Play Security Reward Program. In an email to participating developers, such as Sean Pesce, the company announced that the GPSRP will end on August 31st.

The reason Google gave is that the program has seen a decrease in the number of actionable vulnerabilities reported. The company credits this success to the “overall increase in the Android OS security posture and feature hardening efforts.”

The full email sent to developers is reproduced below:

“Dear Researchers,

I hope this email finds you well. I am writing to express my sincere gratitude to all of you who have submitted bugs to the Google Play Security Reward Program over the past few years. Your contributions have been invaluable in helping us to improve the security of Android and Google Play.

As a result of the overall increase in the Android OS security posture and feature hardening efforts, we’ve seen fewer actionable vulnerabilities reported by the research community. Due to this decrease in actionable vulnerabilities reported, we are winding down the GPSRP program. The GPSRP program will end on August 31st. Any reports submitted before then will be triaged by September 15th. Final reward decisions will be made before September 30th when the program is officially discontinued. Final payments may take a few weeks to process.

I want to assure you that all of your reports will be reviewed and addressed before the program ends. We greatly value your input and want to make sure that any issues you have identified are resolved.

Thank you again for your support of the GPSRP program. We hope that you will continue working with us, on programs like the Android and Google Devices Security Reward Program.

Best regards,

Tony

On behalf of the Android Security Team”

In September of 2018, nearly a year after the GPSRP was announced, Google said that researchers had reported over 30 vulnerabilities through the program, earning a combined bounty of over $100k. Approximately a year later, in August of 2019, Google said that the program had paid out over $265k in bounties.

As far as we know, the company hasn’t disclosed how much they’ve paid out to security researchers since then, but we’d be surprised if the number isn’t notably higher than $265k given how long it’s been since the last disclosure and the number of popular apps in the crosshairs of security researchers.

Google shutting down this program is a mixed bag for users. On one hand, it means that popular apps have largely gotten their act together, but on the other hand, it means that some security researchers won’t have the incentive to disclose any future vulnerabilities responsibly, especially if those vulnerabilities impact an app made by a developer who doesn’t run their own bug bounty program.


After robbing you blind, this Android malware erases your phone (Update: Google statement)

2 August 2024 at 17:44

  • BingoMod is a remote access trojan that uses your phone to set up money transfers.
  • The app is spread via text message, and pretends to be security software.
  • Once it’s done stealing from you, its operators remotely wipe your phone.


Update, August 2, 2024 (04:10 PM ET): Google has reached out to us with a message of reassurance:

Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services.

Of course, the key word there is “known” versions, and as the team at Cleafy reported, BingoMod is still evolving and working on new tricks to evade detection. Play Protect isn’t going to rest on its laurels, either, so expect this cat-and-mouse game to continue. And for your own part, keep using best practices when it comes to sourcing your apps.

Original article, August 2, 2024 (11:44 AM ET): Getting malware on your smartphone is just a recipe for a bad day, but even within that misery there’s a spectrum of how awful things will be. Some malware may be interested in exploiting its position on your device to send spam texts or mine crypto. But the really dangerous stuff just wants to straight-up steal from you, and the example we’re checking out today has a particularly nasty going-away present for your phone when it’s done.

A remote access trojan (RAT) dubbed BingoMod was first spotted back in May by the researchers at Cleafy (via BleepingComputer). The software is largely spread via SMS-based phishing, where it masquerades as a security tool — one of the icons the app dresses itself up with is that from AVG antivirus. Once on your phone, it requests access to Android Accessibility Services, which it uses to get its hooks in for remotely controlling your device.

Once established, the malware’s goal is setting up money transfers. It steals login data with a keylogger, and confirmation codes by intercepting SMS. And then when it has the credentials and access it needs, the threat actor controlling the malware can start transferring all your savings away. With language support for English, Romanian, and Italian, the app seems targeted at European users, and circumstantial evidence suggests Romanian devs may be behind it.

All this sounds bad, but not that different from plenty of malware, right? Well, BingoMod, it seems, is a little paranoid about being found out. Besides the numerous tricks it uses to evade automatic detection, it’s got a doomsday weapon it’s ready to deploy after achieving its goals and wiping your accounts clean: it wipes your phone.

While BingoMod supports a built-in command for wiping data, that’s limited to external storage, which isn’t going to get it very far. Instead, Cleafy’s team suspects that the people controlling the malware remotely are manually executing these wipes when they’re done stealing from you, just like you’d do yourself before getting rid of an old phone. Presumably, that’s in the goal of destroying evidence of the hack — losing your personal data is just collateral damage.

That’s a fresh kind of awful that we would be very happy never having to deal with. The good news is that you really don’t have to. Get your apps from official sources, don’t install software from sketchy text messages, and you’ll be well on your way to not losing all your data in a malware attack.


Chrome triggering camera? How it happened to me / fix

26 June 2024 at 19:13

Had an interesting thing happen earlier in the day and that is that every time I opened Chrome my camera notification came on.

I’ll save the long and unnecessary SEO-improving pages of why you should be scared of the camera kicking on…

I killed all my chrome tabs, killed chrome, and every time I would come in the camera notification would kick back on.

Earlier in the day I had accessed a web page sent by car insurance people that had me line my car up and take pictures of some damage, and I highly suspect that was where this started as I had to answer yes to allowing Chrome to access the camera to take photos.

[Image: App permissions for Chrome]

Why Chrome kept accessing the camera even with all the tabs closed, I don’t know. It has no need for it other than to report body damage to my car.

There seemed to be no extensions running, no weirdness, but no matter what I do the camera active icon pops on when opening chrome. To disable / calm my paranoia down, I went into app permissions and revoked the camera permission I had granted it earlier in the day and now things are back to normal.

Or my phone’s been hacked because T-Mobile wouldn’t get me the critical firmware update until yesterday.

Whatever the case, the fix appears to be to manually revoke permissions.

Chrome triggering camera? How it happened to me / fix by Paul E King first appeared on Pocketables.


Android 15 Takes Mobile Security to the Next Level: Protecting Your Phone from Theft

By: Abdullah
19 May 2024 at 14:08
Android Security

Smartphones have become ubiquitous tools, seamlessly integrated into our daily routines. From social connections and communication to mobile payments and financial management, these devices store ...

The post Android 15 Takes Mobile Security to the Next Level: Protecting Your Phone from Theft appeared first on Gizchina.com.


Samsung accidentally made this Galaxy app unremovable

19 April 2024 at 11:14

[Image: Samsung Galaxy S23 Ultra screen and back. Credit: Robert Triggs / Android Authority]

  • Samsung has confirmed a One UI 6.1 issue which means users can’t delete their Secure Folder app.
  • A moderator said that Samsung was working on a Secure Folder app update to address the problem.


Secure Folder is one of the more underrated features on Samsung phones, offering users a PIN-protected folder to store private files. Unfortunately, it seems like some users can’t actually delete the Secure Folder app following the One UI 6.1 update.

A Samsung representative confirmed this issue on the Korean Community forum (h/t: Sammy Fans). The representative noted that the inability to delete Secure Folder was related to a “Google security policy” that was applied to One UI 6.1. The issue affects version 1.9.10.27 of the Secure Folder app.

Samsung also confirmed that this issue affected the Galaxy S23, Galaxy S23 FE, Galaxy Z Fold 5, Galaxy Z Flip 5, and the Galaxy Tab S9 series updated to One UI 6.1.

The company noted that it plans to update Secure Folder via the Galaxy Store so users can delete it once again. So you’ll just have to wait for this update, although there’s no word on a release timeline.

This isn’t the biggest issue in the world, as you don’t have to use Secure Folder in the first place. But we can understand why a few people might be annoyed by the inability to delete a pre-installed app, especially if they’re using an alternative private folder solution.
