App security varies by location

Plus, a new malware is on the rise, and a new hack likely affects a third of all Australians.

A new study on the privacy policies of thousands of internationally popular apps has revealed that some of those policies vary by location. Out of 5,684 apps analyzed, 103 had policy differences based on country. Users in areas without data protection regulations such as the GDPR and the California Consumer Privacy Act may find themselves at a greater privacy risk. The study also found that 127 apps varied in what they were allowed to access on users’ devices, while 118 apps varied in the number of ad trackers they included.

“On one hand,” commented Avast Security Evangelist Luis Corrons, “this shows how legislation that protects users’ privacy is beneficial and actually has an effect on the security of the citizens under it. On the other hand, it is clear that there is a huge transparency problem. There is no easy way to know how we are being tracked by apps, what kind of information they get from us, or how it is being used.” You can read more details from the study at Ars Technica.

WhatsApp patches remote execution exploit

Meta-owned WhatsApp released two security updates to address flaws that could lead to remote code execution. The vulnerabilities concern critical integer overflows and underflows, and they affect both Android and iOS versions of the messaging app. One of the bugs could be exploited in an “established video call,” and the other after receiving a “crafted video file.” A spokesperson for WhatsApp said that the company had discovered the bugs itself and there was no evidence of previous exploitation. See The Hacker News for more on this story.

Fast Company Apple News account hacked

Apple has disabled Fast Company’s channel on its news outlet after it had been hacked and used to send obscene push notifications containing racial slurs. Fast Company confirmed the hack and commented, “The messages are vile and are not in line with the content of Fast Company. We are investigating the situation and have suspended the feed and shut down until we are certain the situation has been resolved.” Before the website was shut down, one user took credit for the hack in a posting, saying they got in thanks to a password that was shared across many accounts. For more on this, see The Verge.

Erbium infostealer sold as MaaS for premium price

At a cost of $100 a month or thousands of dollars for a year’s license, “Erbium” is an information stealer being sold on the dark web as a malware-as-a-service (MaaS). It uses a Telegram bot to deliver the malware, and it is spread via drive-by downloads, posing as cracked game hacks. It is distributed through a free file hosting service, spear-phishing, malvertising, exploit kits, and malware loaders. Erbium targets browser data such as logins, cookies, history, and cold wallet data, as well as information from Steam, Discord, FTP clients, Telegram, and desktop cold wallets. To learn more, see SecurityWeek.

Optus cyberattack likely affects 37% of Australians

Australia’s second-largest telecom company, Optus, has been hacked, and while the full details are not yet known, CEO Kelly Bayer Rosmarin commented that the worst-case scenario is 9.8 million customers affected. She said the hackers did not access any financial data or passwords, but the breached information included names, birthdays, phone numbers, and email addresses. Some records included driver’s license or passport numbers. Bayer Rosmarin said the company will inform all customers about the attack, starting with those who had the largest amount of data accessed. See CSO for more.

This week’s must-read on the Avast blog

Posing as a friend is a particularly good move because we all want to help out the people we love — and, a lot of the time, people we once loved. Here's how to stay safe.
