Security News

Covid-19 tracking apps are easy targets for hackers

Avast Security News Team, 10 July 2020

Plus more newsbytes of the week, including more TikTok security concerns and a major data breach affecting millions of online gamblers

In their haste to bring COVID-19 contact tracing apps to market, many developers around the world have skimped on security, giving hackers easy targets from which they can steal all kinds of sensitive information, such as the names of the sick, national ID numbers, location data, and more. Countries have been deploying the tracking apps in an effort to identify disease hotspots and limit the spread of the virus while they ease lockdown orders. Qatar, India, the U.K., and the Netherlands are just some of the nations who learned their tracking apps had security flaws only after they’d been put into use. 

The U.S. is just starting to use contact tracing apps, but instead of deploying one national app, each state must create their own. Working with low cybersecurity budgets, states are beginning to do just that but with mixed results. Politico reported that public debate centers on the question of who should have access to the collected information. The constant revelations of weak cybersecurity is only exacerbating the problem. Shortly after North Dakota released its Care19 contact tracing app, it was discovered that user location data was being shared with marketing service Foursquare. Members of Congress have started submitting bills focused on app legislation, covering data security and privacy, but this deeply divisive topic is still in its nascent stages on Capitol Hill. 

Avast security evangelist Luis Corrons feels that new app laws are beside the point. “The solution is already here,” Corrons said, “and there is no need for extra legislation. The success of these apps relies on the people using them.” As for the right software to use, Corrons points to the joint venture between two tech giants. “Apple and Google worked together to create an API that can create contact tracing apps. It requires user consent, works with Bluetooth, is anonymous, and does not store personal information on any server, protecting user privacy all the time. And it works for both Android and iOS.” It remains to be seen whether or not any of the states’ will put the Apple-Google API to use. 

This week’s stat

53

The number of countries that will soon be required to secure connected vehicles against cyberattacks under a new United Nations regulation.

TikTok iPhone app reads your clipboard

As security researchers were beta testing Apple’s iOS 14, they learned that the popular Chinese social media app TikTok can see whatever is saved on the user’s clipboard, that system-wide temporary holding location for any files that are cut and pasted. According to Computing, the researchers learned about the app’s secret spying due to a new security protocol in the upcoming iOS 14 that notifies users when any app accesses the clipboard. Earlier this year, researchers discovered that TikTok accessed the clipboard on Android devices, which the app developer claimed was unintentional and a mistake, a statement that now seems dubious. Some organizations such as the U.S. military has banned the use of the app, categorizing it as a security threat

Tech giants protest new anti-privacy law in Hong Kong

New legislation in Hong Kong is being seen as a measure to intimidate free speech, and in protest some of the largest online entities have banded together in unity to stop processing data requests from the Special Administrative Region (SAR) of China. The companies WhatsApp, Telegram, Facebook, Twitter, LinkedIn, and Zoom have all suspended cooperation with Hong Kong police until an international consensus on how to react has been reached. According to InfoSecurity, the vaguely-worded new law gives Chinese authorities the power to punish acts of “terrorist activities” and “subversion” with life imprisonment or death, as well as the right to search the premises of any property without a warrant. 

This week’s quote

"Details exposed from one breach could be re-used to compromise accounts used elsewhere. The message is simple – consumers should use different passwords for every account, and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised,” warns Rick Holland, CISO at Digital Shadows, in relation to securing users against breached credentials. Read more here

Major card skimming scheme linked to North Korean hackers

Researchers believe the North Korean nation-state Lazarus group, also known as Hidden Cobra, is most likely the source of a wide-reaching credit card skimming scheme that has been going on for at least a year. Bleeping Computer reported that the code and domains associated with the scheme come straight from Hidden Cobra’s playbook, though it hasn’t been confirmed that the hacking group orchestrated the plan. The victimized online shops where the skimming malware was planted include Claires, Wongs Jewellers, Focus Camera, Paper Source, Jit Truck Parts, CBD Armour, and many others.  

Clubillion leaks personal data of millions of users

Casino app Clubillion suffered a massive data breach, as discovered by researchers doing a web mapping project when they stumbled upon an unsecured Elasticseach database hosted on Amazon Web Services (AWS). Not only did the database contain millions of user records, but it gained 200 million new records every day, sometimes considerably more, reported InfoSecurity. The records included every action taken by the players (winning, losing, updating account, etc.) as well as email addresses, private messages, IP addresses, and more. The researchers alerted Clubillion of the breach on March 23. A couple of weeks later, the open database was secured. 

This week’s ‘must-read’ on The Avast Blog

How does a banking Trojan manage to sneak by Google security so it can pose on the Google Play Store as a genuine app? Learn how the Cerberus banking Trojan did just that by pretending to be a currency converter and subsequently got downloaded over 10,000 times before Avast discovered and reported the malware to Google


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all your devices with our award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN. Get advertisers off your back and disguise your online identity for greater privacy with Avast AntiTrack.