nazmulahmednoyon
Nazmul Ahmed Noyon
440 posts
Something is constantly creating, constantly growing, constantly living in a sense of balance, that is literally the law of the universe. Everything that happens, happens for a reason. Everything that happens, has a sense of balance in it.
nazmulahmednoyon · 2 years ago
Text
People get paid half of the market salary if they stay at the same company for a long time.
0 notes
nazmulahmednoyon · 2 years ago
Text
How does Android sandbox work? What is the role of SDK in Android? What is the SDK runtime?
Google is working on something called the "Privacy Sandbox" for Android, and it has a special part called the "SDK Runtime." But what does all this jargon really mean for regular folks like us?
Imagine your smartphone is like a little city, and inside this city, there are many different buildings. These buildings are like the apps you use, such as Facebook, Instagram, or games. Now, these apps sometimes need to talk to each other or share information. They do this using something called an "SDK," which is like a messenger that helps them communicate.
Here's the problem: sometimes these messengers (SDKs) have too much power and can access your personal information without permission. It's like someone snooping around your house without your knowledge. Not cool, right?
So, Google came up with a solution called the "SDK Runtime." It's like putting these messengers in a special box with a lock on it. This box keeps them separate from your personal stuff and makes sure they only access what they're supposed to.
0 notes
nazmulahmednoyon · 2 years ago
Text
A hacker is trying to find and exploit a vulnerability in a PlayStation 4 (PS4) console.
The hacker's goal is to gain unauthorized access to the system and potentially execute malicious code.
The hacker starts by researching the PS4's hardware and software architecture, specifically focusing on the CPU and operating system (Orbis OS). They discover that the PS4 uses a custom AMD x86-64 CPU and that the Orbis OS is based on FreeBSD 9.0.
Next, the hacker looks for potential vulnerabilities in the PS4's software. They identify WebKit, an open-source layout engine used by the PS4's browser, as a potential target. They find a documented vulnerability in WebKit that can be exploited to give them read and write access to memory locations.
To exploit this vulnerability, the hacker needs to find a way to copy their payload into memory and execute it. They use stack smashing techniques, specifically ROP (Return-Oriented Programming), to chain together short snippets of code (gadgets) that will allow them to jump to specific memory locations and execute their payload.
However, the PS4's kernel implements ASLR (Address Space Layout Randomization), which makes it difficult to predict where specific modules will be loaded in memory. To overcome this, the hacker decides to use dynamic ROP chains and calculates the addresses of their gadgets before triggering execution. They also cross-check the addresses of their gadgets before execution to increase reliability.
The hacker then interacts with the kernel using system calls to obtain information about processes and modules. They use brute force methods to analyze system calls and identify potential vulnerabilities. They also examine the file system to see what they can access and manipulate.
0 notes
nazmulahmednoyon · 2 years ago
Text
PHP code hidden in image files to evade detection by security tools
The researchers found two samples of this attack in the wild. 
One sample was a JPEG image that contained a base64 encoded string. The decoded string contained a simple PHP script. The attack works by embedding PHP code in the EXIF metadata of an image file.
The other sample was a PNG image that contained a PHP script that was embedded in the image's comment section. The PHP script was executed when the image was viewed in a web browser.
Both of these samples were malicious and could have been used to compromise a vulnerable website. This code can then be used to steal sensitive data, install malware, or disrupt the operation of a web application.
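A defender-side check for the two hiding places described in this post, added here as an example (it is not code from the researchers or from the original post): it walks JPEG APPn/COM segments and PNG text chunks and flags any that contain a PHP open tag, either raw or inside a base64 run. The function names, the base64 length threshold and the sample files are assumptions made for this example.

```python
import base64
import re
import struct
import zlib

PHP_TAG = re.compile(rb"<\?(php|=)", re.I)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def has_php(blob):
    """True if blob holds a PHP open tag, raw or inside a base64 run."""
    for run in B64_RUN.findall(blob):
        try:
            blob += b"\n" + base64.b64decode(run[: len(run) // 4 * 4])
        except ValueError:  # run was not valid base64
            pass
    return bool(PHP_TAG.search(blob))

def metadata_blocks(data):
    """Yield (name, payload) for JPEG APPn/COM segments or PNG text chunks."""
    if data[:2] == b"\xff\xd8":  # JPEG: walk segments up to start-of-scan
        pos = 2
        while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
            marker, length = data[pos + 1], struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if 0xE0 <= marker <= 0xEF or marker == 0xFE:
                yield f"jpeg:{marker:02X}", data[pos + 4:pos + 2 + length]
            pos += 2 + max(length, 2)
    elif data[:8] == b"\x89PNG\r\n\x1a\n":  # PNG: length, type, body, CRC
        pos = 8
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            if ctype in (b"tEXt", b"iTXt"):
                yield "png:" + ctype.decode(), data[pos + 8:pos + 8 + length]
            pos += 12 + length

def scan_image(data):
    """Names of the metadata blocks in which PHP was found."""
    return [name for name, body in metadata_blocks(data) if has_php(body)]

# Constructed samples: a harmless PHP marker in the two places the post names.
def make_segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
def make_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
MARKER = b"<?php echo 'marker'; ?>"
SAMPLE_JPEG = b"\xff\xd8" + make_segment(0xE1, b"Exif\x00\x00" + base64.b64encode(MARKER)) + b"\xff\xd9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + make_chunk(b"tEXt", b"Comment\x00" + MARKER) + make_chunk(b"IEND", b"")

if __name__ == "__main__":
    print(scan_image(SAMPLE_JPEG), scan_image(SAMPLE_PNG))
```

Only metadata is inspected, so compressed pixel data cannot produce a chance match; a hit on an uploaded image is a reason to reject it or re-encode it without metadata.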
1 note
nazmulahmednoyon · 2 years ago
Video
youtube
A time comes when the warnings stop.  
1 SIGNS THAT ALLAH IS ANGRY WITH YOU | MUFTI MENK
0 notes
nazmulahmednoyon · 2 years ago
Text
A Method Of Attack On Mobile Phones That Can Be Carried Out Using A Normal Computer
AdaptiveMobile Security discovered a method of attack on mobile phones that can be carried out using a normal computer and a dirt-cheap USB modem. Whereas some older methods of cellular surveillance required special equipment and a telecom operating license, this attack takes advantage of a vulnerability found in SIM cards.
Most SIM cards released since the early 2000s, including eSIM, feature a carrier menu. This menu includes tasks such as Balance Check, Recharge, Technical Support, and sometimes extras such as Weather, or even Horoscope, and so on. Old phones had it right in the main menu. iOS buries it deep in the Settings (under SIM Application), and in Android smartphones it’s a standalone app called SIM Toolkit.
The menu is essentially an app — or more precisely, several apps with the general name SIM Toolkit (STK) — but these programs do not run on the phone itself, but on the SIM card.
Remember that your SIM card is in fact a tiny computer with its own operating system and programs. STK responds to external commands, such as buttons pressed on the carrier menu, and makes the phone perform certain actions, such as sending SMS messages or USSD commands.
The attack begins with an SMS message containing a set of instructions for the SIM card. Following these instructions, the SIM card queries the mobile phone for its serial number and the Cell ID of the base station in whose coverage zone the subscriber is located, and sends an SMS response with this information to the attacker’s number.
Base station coordinates are known (and even available online), so the Cell ID can be used to determine the location of the subscriber within several hundred meters. Location-based services in particular rely on the same principle for determining location without satellite assistance, for example, indoors or when GPS is turned off.
All fiddling with the hacked SIM card is totally invisible to the user. Neither incoming SMS messages with commands, nor replies with device location data are displayed in the Messages app, so victims are not even aware that they are being spied on.
The vulnerability opens up numerous potential attack scenarios — criminals can transfer money by SMS to a bank number, call premium-rate short numbers, open phishing pages in the browser, or download Trojans.
0 notes
nazmulahmednoyon · 2 years ago
Video
youtube
AI to predict the future
0 notes
nazmulahmednoyon · 2 years ago
Text
Simjacker, WIBattack, SS7 attacks or social engineering such as SIM swapping
WIBattack is identical to Simjacker: an SMS-based attack that can allow malicious actors to track users' devices by abusing little-known apps that are running on SIM cards.
The two attacks target different apps running on the SIM cards.
Mainly, Simjacker runs commands against the S@T Browser app, while WIBattack sends commands to the Wireless Internet Browser (WIB) app.
Both are Java applets that mobile telcos install on SIM cards they provide to their customers. The purpose of these apps is to allow remote management for customer devices and their mobile subscriptions.
In the case of both S@T and WIB apps, attackers can send a specially formatted binary SMS (called an OTA SMS) that will execute STK (SIM Toolkit) instructions on SIM cards on which telcos did not enable special security features.
Just like the Simjacker attack, they can allow a threat actor to track a victim's location or start phone calls and listen to nearby conversations.
The SRLabs team developed two apps named SIMTester and SnoopSnitch.
The first is a desktop app that users can install to test their SIM cards for security flaws.
The second is an Android app that runs on rooted devices with Qualcomm chipsets and which can test smartphones for various SIM, mobile network, and OS security flaws.
Researchers used telemetry from both apps to investigate the breadth of the Simjacker and WIBattack vulnerabilities.
But even if the two SIM card apps are installed, the SRLabs team said it does not automatically mean the SIM card is vulnerable. To be vulnerable and exploitable, attackers would need to have the ability to send OTA SMS messages to the two apps.
In the context of mobile network hacks, Simjacker would appear less attractive to criminals than SS7 attacks or social engineering such as SIM swapping.
You're more vulnerable to your mobile telco's employees assigning your phone number to a hacker than to being bombarded with shady OTA SMS messages.
Source: ZDNet
0 notes
nazmulahmednoyon · 2 years ago
Video
youtube
So VirusTotal. Last week they published a report titled "Deception at Scale," where they laid out the terrain of the malware samples that are uploaded to them more or less constantly to be analyzed. They sit in the perfect place to see what's going on. They've got great scope.
I've explained in the past that signing my own executables, I've discovered the hard way, because people were saying, hey, Windows is saying this is not safe, you've got a virus, it's like, no, I don't. Actually, it didn't say that. It just said this is, you know, you don't have any reputation here. So the point is that signing my executables was not sufficient proof of the integrity of my apps to bypass various of what are now hair-triggered malware cautions.
But VirusTotal reported among other things, get this, that fully 87% of the more than one million malicious samples which were signed at the time they were uploaded to VirusTotal since the start of last year, January 2021, contained a valid signature. 87% had a valid signature, those that were signed. So what that tells us is that signing code no longer means much. It's necessary, but not sufficient. The bad guys are arranging to obtain code-signing credentials, just like any other legitimate code publisher would. Just like I do.
So moving forward, the only thing that can be used, that is, can be relied upon, is the reputation of the hash of a given executable that is earned over time. Any new hash will need to start over from scratch earning the reputation that that specific exact code that it's the hash of is trustworthy.
And there was another little interesting tidbit. If you care to protect yourself somewhat by inspecting the Certificate Authority who issued the Authenticode certificate that was used to sign a program which you're considering running, it's worth noting that more than half, actually more than 58% of the most-often-abused code-signing certificates were all issued by just one company, a Certificate Authority known as Sectigo. 
And if the name Sectigo isn't ringing any bells, it's probably because they renamed themselves after their repeated conduct spoiled and soiled their previous name, which was Comodo. We've talked about Comodo quite a bit in the past, all the different mistakes they made like allowing people to create their own certificates through problems in their web interface and giving certificate minting authentication to people who didn't warrant it and so forth.
Anyway, I imagine that they're the favorite of malware authors mostly because their certs are less expensive than the competition. And really it's not their fault that VirusTotal sees most malware signed by their certs, since anyone can purchase a code-signing certificate from any certificate authority, so going to go with the cheapest. 
I don't, but I don't want to be signed by Comodo, now named Sectigo. And the whole thing is roughly analogous to what Let's Encrypt did to TLS connections; right? Once upon a time having a web server certificate meant something. Not anymore. Today, everyone needs to have one, and they mean nothing because they're just being minted by automation based on the domain of the server that they're sitting behind. So okay.
Anyway, VirusTotal also revealed that the top three most-often-spoofed programs were Skype, Adobe Reader, and VLC Player. Malware is masquerading as those three utilities - one of those three, Skype, Adobe Reader, and VLC as the top three - as basically, obviously, as a means to abuse the well-earned trust that they've earned, that those apps have earned with users everywhere.
And while those are the top three, the top 10 are rounded out by 7-Zip, TeamViewer, CCleaner, Edge, Steam, Zoom, and WhatsApp. So, yeah, the top of the popular apps that people are needing now to grab wherever they are.
So VirusTotal said in their report last week: "One of the simplest social engineering tricks we've seen involves making malware look like a legitimate program. The icon of these programs is a critical feature used to convince victims that these programs are legitimate." Just the icon. Of course, no one is surprised that threat actors employ a variety of approaches to compromise endpoints by tricking unwitting users into downloading and running seemingly trusted executables.
The other way this is achieved is by taking advantage of genuine domains, at least the top-level or second-level domains, to get around IP-based firewall defenses. Some of the most abused domains which VirusTotal has seen are discordapp.com, squarespace.com, amazonaws.com, mediafire.com, and qq.com. In total, more than 2.5 million suspicious files were downloaded from 101 domains belonging to Alexa's top 1,000 websites. In other words, 10% of the top 100 website domains have been used as sources for malware. And the misuse of Discord has been well-documented, with that platform's content delivery network becoming a fertile ground for hosting malware alongside Telegram, while also offering a perfect communications hub for attackers.
So ultimately, checking anything that's downloaded which might be suspicious against VirusTotal, I think, is the best thing anyone can do. As I mentioned a while ago, back when I was needing to bring old DOS machines onto my network in order to debug SpinRite on them, I was sometimes needing to go to well-off-the-beaten-path driver repositories to locate old drivers for old network adapters. Driver repositories are classic sources of malware.
So in every case, I ran anything that I downloaded past VirusTotal to make sure that it didn't raise any alarms. And normally you get like one or two, some weird obscure, you know, VirusTotal I think scans across or against as many as 75 different virus, you know, antivirus engines. And you'll typically get a couple reds, misfires, false positives from some scanners you've probably never heard of. And so that's not a problem. It's when you see like 20 or 30 of them lighting up red that it's like, okay, do not click this thing so that it's able to run. And stepping back from all this a little bit, it's so annoying that so much energy is being spent holding back the forces of darkness. Look at how much we put in now to doing that. But on balance it's worth it because what can be done with computers today is truly amazing.
0 notes
nazmulahmednoyon · 2 years ago
Video
youtube
This is what I love, but you know what?
Sometimes, the things you love, don't always love you back.
And you can give, and you can give, and you can give, and you can give, and you can give, sometimes you get nothing in return.
0 notes
nazmulahmednoyon · 2 years ago
Text
Old is Gold, Can be hacked only by SMS
There is an application that comes installed on a variety of SIM cards, including eSIM, as part of SIM Tool Kit (STK) and has been designed to let mobile carriers provide some basic services, subscriptions, and value-added services over-the-air to their customers.
This application contains a series of STK instructions—such as send short message, setup call, launch browser, provide local data, run at command, and send data—that can be triggered just by sending an SMS to a device. As a result, the software also offers an execution environment for running malicious commands on mobile phones.
These SIM cards are installed in Apple, ZTE, Motorola, Samsung, Google, Huawei and even IoT devices.
What can be done with the application?
1. Retrieving the targeted device's location and IMEI information
2. Spreading misinformation by sending fake messages on behalf of victims
3. Performing premium-rate scams by dialing premium-rate numbers
4. Spying on victims' surroundings by instructing the device to call the attacker's phone number
5. Spreading malware by forcing the victim's phone browser to open a malicious web page
6. Performing denial of service attacks by disabling the SIM card
7. Retrieving other information like language, radio type, battery level, etc.
0 notes
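The SIM Toolkit posts above note that these attacks only work if an OTA SMS can reach the SIM app. As an added example (not code from the posts, ZDNet, SRLabs or AdaptiveMobile), the sketch below shows the triage an SMS filter can apply to an incoming SMS-DELIVER TPDU to tell a SIM-addressed binary message from ordinary text. The field values come from 3GPP TS 23.040 and TS 23.038, not from the page; the function names, reason labels and both sample messages are assumptions made for the example.

```python
PID_SIM_DATA_DOWNLOAD = 0x7F           # TP-PID "(U)SIM Data download" (TS 23.040)
STK_SECURITY_IEIS = range(0x70, 0x80)  # UDH "(U)SIM Toolkit Security Headers"

def parse_deliver(tpdu):
    """Parse an SMS-DELIVER TPDU (no SMSC prefix) into the fields a filter needs."""
    if len(tpdu) < 2 or tpdu[0] & 0x03:
        raise ValueError("not an SMS-DELIVER TPDU")
    pos = 3 + (tpdu[1] + 1) // 2       # skip first octet, OA length, type, digits
    if len(tpdu) < pos + 10:
        raise ValueError("truncated TPDU")
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    ud = tpdu[pos + 10:]               # after PID, DCS, 7-octet timestamp, UDL
    ieis = []
    if tpdu[0] & 0x40 and ud:          # TP-UDHI: user data starts with a header
        end, i = 1 + ud[0], 1
        while i + 2 <= min(end, len(ud)):
            ieis.append(ud[i])         # information element identifier
            i += 2 + ud[i + 1]         # skip IEI, length octet and element data
    return {"pid": pid, "dcs": dcs, "ieis": ieis}

def sms_class(dcs):
    """Message class from TP-DCS (common coding groups), or None if not signalled."""
    if dcs & 0xF0 == 0xF0 or (dcs & 0xC0 == 0 and dcs & 0x10):
        return dcs & 0x03
    return None

def ota_indicators(tpdu):
    """Reasons this SMS looks addressed to the SIM rather than to the user."""
    fields = parse_deliver(tpdu)
    reasons = []
    if fields["pid"] == PID_SIM_DATA_DOWNLOAD:
        reasons.append("pid-sim-data-download")
    if sms_class(fields["dcs"]) == 2:  # class 2 = (U)SIM-specific message
        reasons.append("class-2-sim-specific")
    if any(iei in STK_SECURITY_IEIS for iei in fields["ieis"]):
        reasons.append("stk-security-header")
    return reasons

# Constructed TPDUs: sender and timestamp are made up, and the binary one
# carries only zero bytes as payload, not a real command packet.
HDR = "0B915155550501F0"
OTA_SMS = bytes.fromhex("44" + HDR + "7FF6" + "32010121000000" + "0B" + "027000" + "00" * 8)
TEXT_SMS = bytes.fromhex("04" + HDR + "0000" + "32010121000000" + "02" + "E834")

if __name__ == "__main__":
    for name, pdu in (("binary", OTA_SMS), ("text", TEXT_SMS)):
        print(name, ota_indicators(pdu))
```

A message with any of these indicators that does not originate from the operator's own OTA platform is the kind a carrier-side filter would drop or log.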