Subject: Apple zero-day hole in MarketplaceKit tracks iOS users & the fix breaks alternative marketplace
From: Andrew
Newsgroups: misc.phone.mobile.iphone, comp.mobile.ipad, comp.sys.mac.system
Organization: BWH Usenet Archive (https://usenet.blueworldhosting.com)
Date: Wed, 15 May 2024 02:23 UTC
Message-ID: <v216ba$2maf$1@nnrp.usenet.blueworldhosting.com>

On Monday, Apple backported the patch for CVE-2024-23296 to the iOS 16
branch and has fixed another hole Apple QA missed (yet again) in
MarketplaceKit which enabled maliciously crafted webpages to distribute a
script that tracks iOS users on other webpages. (CVE-2024-27852)

Users running the iOS and iPadOS 17 branch can grab the latest update that
fixes many different vulnerabilities. Among them is CVE-2024-27852, a bug
in the MarketplaceKit that could allow sites to track iOS users.

Even worse than iOS, the update for macOS Sonoma carries fixes for 22
vulnerabilities that Apple QA (yet again) forgot to test for, where there
were also a handful of updates for macOS Ventura and Monterey that Apple
missed (yet again) in QA.

The fix for the RTKit zero-day (CVE-2024-23296) - which has been patched in
iOS and iPadOS 17.4, macOS Sonoma, watchOS, tvOS and visionOS in March 2024
after reports of in-the-wild exploitation - has been backported only to
Ventura, iOS 16.7.8 and iPadOS 16.7.8 (for now).

In March 2023, Apple introduced a new URI scheme in iOS 17.4 to allow
EU users to install alternative (third-party) marketplace apps from
developers' websites. Unfortunately, faults in the scheme's implementation
allow it to be misused for cross-site tracking - as Talal Haj Bakry and
Tommy Mysk of Mysk Inc. discovered.

The newest iOS/iPadOS update for the most recent branch will fix this
vulnerability that Apple missed (yet again); but the researchers also
warned users in the EU not to delete their alternative marketplace apps,
because the update breaks alternative marketplace app re-installation.

"MarketplaceKit now generates a different client_id every time it is
called. Now there's no way for alternative marketplace developers to
identify users who have already purchased the marketplace app," they
explained.
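The tradeoff the researchers describe, as an added illustration that is not Apple's, Mysk's or any marketplace's code: a client_id that is the same for every calling website is linkable across sites, a fresh random client_id per call is not linkable but also cannot tell the marketplace a returning customer apart, and an identifier derived per origin (my own design sketch, an assumption, not what Apple shipped) keeps the two properties apart. All origins and identifiers are constructed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

DEVICE_SECRET = secrets.token_bytes(32)  # stands in for a per-device secret (constructed)
STABLE_ID = secrets.token_hex(16)        # pre-fix behaviour: one id handed to every caller


def client_id(policy, origin):
    """Identifier the URI scheme would hand to the calling `origin` under a policy."""
    if policy == "stable":   # same value for every site: trackers can join their logs
        return STABLE_ID
    if policy == "random":   # new value per call: nobody, not even the marketplace, can link calls
        return secrets.token_hex(16)
    if policy == "origin":   # keyed per origin (assumed design): constant for one site, unrelated across sites
        return hmac.new(DEVICE_SECRET, origin.encode(), hashlib.sha256).hexdigest()[:32]
    raise ValueError(policy)


def observe(policy, origins, calls_per_origin=2):
    """Constructed log: what each origin sees across repeated calls from one device."""
    return {o: [client_id(policy, o) for _ in range(calls_per_origin)] for o in origins}


def cross_site_linkable(log):
    """A tracker joining two sites' logs can link the device iff some id appears at >1 origin."""
    origins_per_id = defaultdict(set)
    for origin, ids in log.items():
        for cid in ids:
            origins_per_id[cid].add(origin)
    return any(len(origins) > 1 for origins in origins_per_id.values())


def marketplace_can_reidentify(log, origin):
    """The legitimate marketplace recognises a returning customer iff its own id stays constant."""
    return len(set(log[origin])) == 1


def evaluate(policy):
    """Returns (cross_site_linkable, marketplace_can_reidentify) for one policy."""
    log = observe(policy, ["tracker-a.example", "tracker-b.example", "marketplace.example"])
    return cross_site_linkable(log), marketplace_can_reidentify(log, "marketplace.example")


if __name__ == "__main__":
    for policy in ("stable", "random", "origin"):
        print(policy, evaluate(policy))
```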

Subject: Re: Apple zero-day hole in MarketplaceKit tracks iOS users & the fix breaks alternative marketplace
From: Jolly Roger
Newsgroups: misc.phone.mobile.iphone, comp.mobile.ipad, comp.sys.mac.system
Organization: People for the Ethical Treatment of Pirates
Date: Wed, 15 May 2024 02:54 UTC
References: 1
Message-ID: <laimfoFmkmhU3@mid.individual.net>

On 2024-05-15, Andrew <andrew@spam.net> wrote:
> On Monday, Apple backported the patch for CVE-2024-23296 to the iOS 16
> branch and has fixed another hole Apple QA missed (yet again)

New Brokewell malware takes over Android devices, steals data

Security researchers have discovered a new Android banking trojan they
named Brokewell that can capture every event on the device, from touches
and information displayed to text input and the applications the user
launches.

The malware is delivered through a fake Google Chrome update that is
shown while using the web browser. Brokewell is under active development
and features a mix of extensive device takeover and remote control
capabilities.

Brokewell details

Researchers at fraud risk company ThreatFabric found Brokewell after
investigating a fake Chrome update page that dropped a payload, a common
method for tricking unsuspecting users into installing malware.

Looking at past campaigns, the researchers found that Brokewell had been
used before to target "buy now, pay later" financial services (e.g.
Klarna) and to masquerade as an Austrian digital authentication
application called ID Austria.

Brokewell's main capabilities are to steal data and offer remote control
to attackers.

Data stealing:

- Mimics the login screens of targeted applications to steal credentials
(overlay attacks).
- Uses its own WebView to intercept and extract cookies after a user
logs into a legitimate site.
- Captures the victim's interaction with the device, including taps,
swipes, and text inputs, to steal sensitive data displayed or entered
on the device.
- Gathers hardware and software details about the device.
- Retrieves the call logs.
- Determines the physical location of the device.
- Captures audio using the device's microphone.

Device takeover:

- Allows the attacker to see the device's screen in real-time (screen
streaming).
- Executes touch and swipe gestures remotely on the infected device.
- Allows remote clicking on specified screen elements or coordinates.
- Enables remote scrolling within elements and typing text into
specified fields.
- Simulates physical button presses like Back, Home, and Recents.
- Activates the device's screen remotely to make any info available for
capture.
- Adjusts settings like brightness and volume all the way down to zero.

New threat actor and loader

ThreatFabric reports that the developer behind Brokewell is an
individual calling themselves Baron Samedit, who for at least two years
had been selling tools for checking stolen accounts.

The researchers discovered another tool called "Brokewell Android
Loader," also developed by Samedit. The tool was hosted on one of the
servers acting as command and control server for Brokewell and it is
used by multiple cybercriminals.

Interestingly, this loader can bypass the restrictions Google introduced
in Android 13 and later to prevent abuse of Accessibility Service for
side-loaded apps (APKs).

This bypass has been an issue since mid-2022 and became a bigger problem
in late 2023 with the availability of dropper-as-a-service (DaaS)
operations offering it as part of their service, as well as malware
incorporating the techniques into their custom loaders.

As highlighted with Brokewell, loaders that bypass restrictions to
prevent granting Accessibility Service access to APKs downloaded from
shady sources have now become common and widely deployed in the wild.

Security researchers warn that device takeover capabilities such as
those available in the Brokewell banker for Android are in high demand
among cybercriminals because they allow them to perform the fraud from
the victim's device, thus evading fraud evaluation and detection tools.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

Subject: Re: Apple zero-day hole in MarketplaceKit tracks iOS users & the fix breaks alternative marketplace
From: Jörg Lorenz
Newsgroups: misc.phone.mobile.iphone, comp.mobile.ipad, comp.sys.mac.system
Organization: Camembert Normand au Lait Cru
Date: Wed, 15 May 2024 05:45 UTC
References: 1 2
Message-ID: <v21i6k$msud$2@dont-email.me>

On 15.05.24 04:54, Jolly Roger wrote:
> On 2024-05-15, Andrew <andrew@spam.net> wrote:
>> On Monday, Apple backported the patch for CVE-2024-23296 to the iOS 16
>> branch and has fixed another hole Apple QA missed (yet again)
>
> New Brokewell malware takes over Android devices, steals data

Do you think you will ever learn to keep your fingers still to avoid
feeding this Troll?

--
"Alea iacta est." (Julius Caesar)

Subject: Re: Apple zero-day hole in MarketplaceKit tracks iOS users & the fix breaks alternative marketplace
From: Andrew
Newsgroups: misc.phone.mobile.iphone, comp.mobile.ipad, comp.sys.mac.system
Organization: BWH Usenet Archive (https://usenet.blueworldhosting.com)
Date: Wed, 15 May 2024 19:04 UTC
References: 1 2 3
Message-ID: <v23105$2jk3$1@nnrp.usenet.blueworldhosting.com>

Bear in mind I stated a fact that was relevant to the subject line,
and which was temporal and which affected those in the newsgroup line.

You're welcome to filter me out but if you do, you lose those facts.

Jolly Roger and Joerg Lorenz only provided negative value in noise.
a. Joerg I don't see but he's nothing but a jughead of no value.
b. Jolly Roger is using classic whataboutism to deflect from the subject
<https://en.wikipedia.org/wiki/Whataboutism>
"Whataboutism or whataboutery (as in "what about...?") is a
pejorative for the strategy of responding to an accusation
with a counter-accusation instead of a defense of the
original accusation. From a logical and argumentative point
of view, whataboutism is considered a variant of the tu-quoque
pattern (Latin 'you too', term for a counter-accusation),
which is a subtype of the ad-hominem argument.
The communication intent is often to distract from the content
of a topic (red herring). "

What Jolly Roger is trying to do is distract the topic away from
the fact that the data was correct about the MarketPlaceKit holes.

Jolly Roger used his classic ad hominem attack to deflect from that.

It's classic because Jolly Roger has no defense to the facts.
And Joerg... well... everyone has him filtered out already, don't they?
