Tag: vulnerability

  • WhatsApp warning: A simple trick compromised 3.5 billion accounts


    Billions of WhatsApp accounts may be exposed to a hidden risk. According to a recent academic analysis, the service’s contact-discovery mechanism has a privacy weakness that attackers can exploit at scale.

    Finding someone on WhatsApp takes nothing more than their phone number, and until recently there was effectively no limit on how many numbers a client could look up. According to the analysis, that combination amounts to a significant security weakness that exposed the data of 3.5 billion users of the messaging app.

    Big WhatsApp security risk

    Security researchers at the University of Vienna in Austria found the weakness in a study carried out between December 2024 and April 2025. The root cause is WhatsApp’s long-standing built-in contact-discovery feature, which tells a client whether a given phone number is registered.

    Add a number to your address book and search for it, and the app tells you whether it has an account. Anyone with an active phone number can then view the profile of any account whose profile is public and send it messages.

    WhatsApp warning

    To carry out the enumeration, the team used a program it calls “libphonegen,” which generates candidate phone numbers that follow the numbering plans of different countries and could therefore be registered on WhatsApp.

    In the study they generated 63 billion candidate numbers and checked them against WhatsApp at a rate of roughly 100 million numbers per hour. Of those candidates, 3.5 billion turned out to be active accounts. Of these, 57% had a public profile picture and 29% had a public “about” text, some of which contained sensitive information such as political and religious affiliations or links to other social media accounts.

    The vulnerability is alarming

    The results show how this weakness could be abused by malicious parties, including fraudsters and other attackers. The enumeration also surfaced a cryptographic concern: the researchers observed public identity keys that were reused across accounts rather than being unique to each one. Reused key material weakens the end-to-end encryption guarantee, and if the underlying secret were ever compromised, an attacker could intercept and decrypt messages for every account sharing it.

    The same enumeration issue was reported in 2017, but Meta had not addressed it.

    The research group reported its findings to Meta. The company confirmed that in October it rolled out server-side changes that limit the number of account lookups a client can perform.
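    The enumeration described above, and the effect of the lookup limit Meta deployed, as an added illustration that is not the researchers’ tooling or WhatsApp’s code. A toy contact-discovery server answers “which of these numbers are registered?”; one instance is unthrottled, the other applies a per-client token bucket. The numbering plan, the registered set, the limiter parameters and the attacker’s batch rate are all constructed, and the 630-hour figure is simply the page’s 63 billion candidates divided by its 100 million lookups per hour.

```python
"""Why an unthrottled "is this number registered?" lookup is an enumeration
oracle, and what a per-client rate limit does to it.  Added illustration, not
WhatsApp's code: the numbering plan, the registered set and the limiter
parameters are all constructed."""
from itertools import islice

# Constructed numbering plan (assumption, not a real plan):
# country code -> (mobile prefixes, subscriber digits after the prefix).
NUMBERING_PLAN = {
    "43": (["650", "660", "664"], 7),
    "49": (["151", "160", "170"], 8),
}

def search_space(plan):
    """Number of E.164 candidates the plan generates."""
    return sum(len(prefixes) * 10 ** digits for prefixes, digits in plan.values())

def hours_to_cover(space, lookups_per_hour):
    """Wall-clock cost of sweeping the whole space at a given lookup rate."""
    return space / lookups_per_hour

def candidates(plan):
    """Lazily yield every candidate number, in plan order."""
    for cc, (prefixes, digits) in plan.items():
        for prefix in prefixes:
            for n in range(10 ** digits):
                yield f"+{cc}{prefix}{n:0{digits}d}"

class TokenBucket:
    """Per-client limiter: refills `rate` tokens/second, holds at most `capacity`."""
    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, 0.0

    def allow(self, now, cost):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < cost:
            return False
        self.tokens -= cost
        return True

class ContactDiscovery:
    """Toy server: contact sync answers which uploaded numbers are registered.
    rate=None models the unthrottled behaviour the researchers exploited."""
    def __init__(self, registered, rate=None, capacity=0):
        self.registered = registered
        self.rate, self.capacity = rate, capacity
        self.buckets = {}

    def sync(self, client, numbers, now):
        if self.rate is not None:
            bucket = self.buckets.setdefault(client, TokenBucket(self.rate, self.capacity))
            if not bucket.allow(now, len(numbers)):
                return None          # throttled: the client learns nothing
        return [n for n in numbers if n in self.registered]

def enumerate_accounts(service, plan, client="attacker", batch=1000,
                       interval=0.1, seconds=60):
    """Walk the plan in batches of `batch`, one every `interval` seconds, for
    `seconds`.  Returns (accounts found, batches answered, batches throttled)."""
    found, answered, throttled = [], 0, 0
    gen = candidates(plan)
    for i in range(round(seconds / interval)):
        chunk = list(islice(gen, batch))
        result = service.sync(client, chunk, now=i * interval)
        if result is None:
            throttled += 1
        else:
            answered += 1
            found.extend(result)
    return found, answered, throttled

# Constructed registered accounts: every 1000th number in the first +43 650 block.
REGISTERED = {f"+43650{n:07d}" for n in range(0, 600_000, 1000)}

def compare():
    """Same attacker, same time budget, with and without the limiter."""
    open_server = ContactDiscovery(REGISTERED)
    limited = ContactDiscovery(REGISTERED, rate=10, capacity=5000)   # assumption
    return {
        "unthrottled": enumerate_accounts(open_server, NUMBERING_PLAN),
        "throttled": enumerate_accounts(limited, NUMBERING_PLAN),
    }

if __name__ == "__main__":
    print("search space:", search_space(NUMBERING_PLAN))
    print("hours to sweep 63e9 numbers at 1e8/hour:", hours_to_cover(63e9, 1e8))
    for name, (found, ok, blocked) in compare().items():
        print(f"{name}: {len(found)} accounts, {ok} batches answered, {blocked} throttled")
```

    The limiter does not change what a single lookup reveals; it only caps how many lookups one client gets per unit time, which is why the “How to protect yourself” advice below still matters for anyone with a public profile.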

    How to protect yourself

    Rate limiting slows mass enumeration but does not change what a single lookup reveals: users with public profiles still expose their profile picture and about text to anyone who knows or guesses their number. Users concerned about their security and privacy should restrict the profile picture and about text to their contacts in WhatsApp’s privacy settings.

    Meta has also added new security and privacy features. Two that are currently being tested are a monthly message cap and automatic muting of calls and messages from unknown numbers.

  • BadBazaar Android malware linked to Chinese cyberspies


    A previously unknown Android spyware family called “BadBazaar” has been found targeting China’s ethnic and religious minorities, particularly the Uyghurs in Xinjiang.

    Because of their cultural divergence from traditional eastern Chinese values, the 13-million-strong Uyghur Muslim minority has been subjected to severe repression by the central Chinese government.

    The new spyware was originally discovered by MalwareHunterTeam and linked to Bahamut in VirusTotal detections.


    Lookout investigated further and determined that it was a previously undocumented spyware family used by APT15 (aka “Pitty Tiger”), a state-sponsored hacking group, in its 2020 attacks against Uyghurs.

    Lookout also observed a second campaign using updated versions of a spyware family known as “Moonshine,” which Citizen Lab first documented in 2019 in attacks against Tibetan organizations.


    Since 2018, BadBazaar has been distributed through at least 111 different apps promoted on communication channels frequented by the targeted community.

    The impersonated apps fall under a variety of categories, including dictionaries, tools for religious practice, battery savers, and media players.

    None of these apps has ever appeared on Google Play, Android’s official app store, so they are most likely distributed through rogue websites or untrustworthy third-party stores.

    Interestingly, a single iOS app on the Apple App Store was found to communicate with the same malicious command-and-control (C2) infrastructure, but it merely sends the device UDID and has no spyware functionality.

    BadBazaar’s data-collecting capabilities include the following:

    • Precise location
    • List of installed apps
    • Call logs with geolocation data
    • Contacts list
    • SMS
    • Complete device info
    • WiFi info
    • Phone call recording
    • Take pictures
    • Exfiltrate files or databases
    • Access folders of high-interest (images, IM app logs, chat history, etc.)

    While examining the C2 infrastructure, which through operator errors exposed some of its admin panels and the GPS coordinates of test devices, Lookout analysts found links to the Chinese defense contractor Xi’an Tian He Defense Technology.

    Only a few of the BadBazaar apps promoted to Uyghurs (Lookout)
    Sample of apps carrying Moonshine spyware (Lookout)

    Moonshine variants

    In July 2022, Lookout researchers began uncovering a new operation that uses 50 apps to deliver new versions of the “Moonshine” spyware.

    These apps are promoted in Telegram channels for Uyghur speakers, where bad-faith users recommend them to other members as trustworthy software.

    Examples of apps that carry the Moonshine spyware (Lookout)

    The newer variant remains modular, and its developers have added modules that extend its surveillance capabilities.

    Moonshine collects network activity, IP addresses, hardware details and other information from compromised devices.

    Information collected by Moonshine (Lookout)

    The C2 commands supported by the malware are:

    • Call recording
    • Contact collection
    • Retrieve files from a location specified by the C2
    • Collect device location data
    • Exfiltrate SMS messages
    • Camera capture
    • Microphone recording
    • Establish SOCKS proxy
    • Collect WeChat data

    Lookout has found evidence that the authors of the new Moonshine version are Chinese, as both code comments and server-side API documentation are written in simplified Chinese.

    “While Lookout researchers could not connect the malware client or infrastructure to a specific technology company, the malware client is a well-built and full-featured surveillance tool that would have likely required substantial resources.”

    Lookout.

    The report indicates that surveillance of Chinese minorities continues unabated despite the outcry from international human rights organizations.

  • Autolycos installed 3 million times from Google Play Store


    A new Android malware family that silently subscribes victims to premium services has been downloaded more than 3,000,000 times from the Google Play Store.

    Maxime Ingrao, an Evina security researcher, found the malware, known as “Autolycos,” in at least eight Android applications, of which two are still downloadable from the Google Play Store as of this writing.

    The two apps still available are ‘Funny Camera’ by KellyTech, with over 500,000 installs, and ‘Razer Keyboard & Theme’ by rxcheldiolola, with over 50,000 installs on the Play Store.


    The remaining six applications have been removed from the Google Play Store, but anyone who still has them installed remains at risk of being charged for costly subscriptions.

    • Vlog Star Video Editor (com.vlog.star.video.editor) – 1 million downloads
    • Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
    • Wow Beauty Camera (com.wowbeauty.camera) – 100,000 downloads
    • Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
    • Freeglow Camera 1.0.0 (com.glow.camera.open) – 5,000 downloads
    • Coco Camera v1.1 (com.toomore.cool.camera) – 1,000 downloads

    During a discussion with Ingrao, the researcher told Droid Tools that he discovered the apps in June 2021 and reported his findings to Google at the time.

    Although Google acknowledged receiving the report, it took the company six months to remove the set of six, while two malicious apps remain on the Play Store to this day.

    After so much time had passed since the initial reporting, the researcher disclosed his findings publicly.

    Autolycos is stealthy in how it operates: instead of loading the subscription pages in a WebView on the device, it executes the URLs in a remote browser and embeds the results in its own HTTP requests, so the subscription flow never appears on the victim’s screen.

    This design is intended to keep the malware’s actions invisible to the user of the infected device.

    Once installed on a smartphone, the malicious apps often requested permission to read SMS content, which gave them access to the victim’s text messages, the channel through which carriers typically deliver subscription confirmation codes.

    The Autolycos owners launched various social media advertising campaigns to draw in new users to the apps. Ingrao discovered 74 Facebook ad campaigns for the Razer Keyboard & Theme alone.

    Additionally, while some of the fraudulent apps on the Play Store inevitably received bad reviews, some with fewer downloads still carry positive user ratings thanks to fake reviews.

    To protect themselves against such apps, Android users should keep Play Protect enabled, watch for unusual background data and battery usage, and keep the number of installed apps to a minimum.

  • Firefox fixes critical security vulnerability



    Mozilla has been busy on a rewritten version of Firefox for Android, which is now live in the browser’s Beta and Nightly (previously Preview) channels. If you are still on the regular stable version of Firefox for Android, though, you should update right now.

    Firefox 68.10.1 is now available on the Play Store and fixes a critical vulnerability (CVE-2020-15647) that could allow a remote web page to read local files, including cookies belonging to other websites. Mozilla’s advisory describes it as follows:

    A Content Provider in Firefox for Android allowed local files accessible by the browser to be read by a remote webpage, leading to sensitive data disclosure, including cookies for other origins.

    Mozilla has published few details of how the bug works, presumably to keep malicious sites from exploiting it before the fix is widely installed. Only the classic Firefox for Android (the 68.x branch) is affected: if you are on the Beta or Nightly/Preview builds there is nothing to worry about, and Firefox on other platforms (Windows, macOS, and so on) is also unaffected.

    If you use the standard Firefox for Android, update as soon as possible. The patched version (68.10.1) is already on the Play Store, and you can also get it from APKMirror.
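    The three Android articles above describe three patterns a reviewer can look for in an app’s manifest before anything runs: the surveillance-grade permission set behind the BadBazaar and Moonshine capability lists, SMS access in an app whose purpose does not need it (the Autolycos subscription-fraud pattern), and a content provider reachable by other apps without any permission (the class of bug fixed in Firefox 68.10.1). The triage script below is an added example, not code from Lookout, Evina or Mozilla; the four manifests are constructed to model those patterns, and the permission threshold is an assumption.

```python
"""Static triage of AndroidManifest.xml for the three patterns discussed on
this page: a surveillance-grade permission set, SMS access in an app that
should not need it, and a content provider exposed without a permission.
Added example, not code from Lookout, Evina or Mozilla; the manifests are
constructed and the threshold is an assumption."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android(attr):
    """Namespaced attribute key in the form ElementTree expects."""
    return f"{{{ANDROID_NS}}}{attr}"

P = "android.permission."
SURVEILLANCE = {P + n for n in ("RECORD_AUDIO", "CAMERA", "ACCESS_FINE_LOCATION",
                               "READ_CALL_LOG", "READ_CONTACTS", "READ_SMS")}
SMS_ACCESS = {P + "READ_SMS", P + "RECEIVE_SMS"}
SURVEILLANCE_THRESHOLD = 4            # assumption: four or more deserves a look
# Before API level 17 a <provider> without android:exported was exported by default.
PROVIDER_EXPORTED_BY_DEFAULT_BELOW = 17

def triage(manifest_xml):
    """Return a list of (finding, details) pairs for one manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(android("name")) for e in root.iter("uses-permission")}
    findings = []
    hits = perms & SURVEILLANCE
    if len(hits) >= SURVEILLANCE_THRESHOLD:
        findings.append(("surveillance-permission-set", sorted(hits)))
    if perms & SMS_ACCESS:
        findings.append(("sms-access", sorted(perms & SMS_ACCESS)))
    sdk = root.find("uses-sdk")
    target = int(sdk.get(android("targetSdkVersion"), "1")) if sdk is not None else 1
    for prov in root.iter("provider"):
        exported = prov.get(android("exported"))
        is_exported = (target < PROVIDER_EXPORTED_BY_DEFAULT_BELOW if exported is None
                       else exported.lower() == "true")
        guarded = any(prov.get(android(k)) for k in
                      ("permission", "readPermission", "writePermission"))
        if is_exported and not guarded:
            findings.append(("unguarded-exported-provider", [prov.get(android("name"))]))
    return findings

def manifest(package, target, perms, providers=""):
    """Build a constructed manifest so the samples below stay short."""
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">'
            f'<uses-sdk android:targetSdkVersion="{target}"/>{uses}'
            f'<application>{providers}</application></manifest>')

# Constructed samples (not real apps).
SAMPLES = {
    # "dictionary" that asks for the whole BadBazaar-style capability list
    "com.example.dictionary": manifest("com.example.dictionary", 29,
        ["INTERNET", "RECORD_AUDIO", "CAMERA", "ACCESS_FINE_LOCATION",
         "READ_CALL_LOG", "READ_CONTACTS", "READ_SMS"]),
    # "keyboard theme" with the subscription-fraud essentials: network plus SMS
    "com.example.keyboardtheme": manifest("com.example.keyboardtheme", 30,
        ["INTERNET", "READ_SMS", "RECEIVE_SMS"]),
    # browser exposing one provider with no permission and one properly guarded
    "com.example.browser": manifest("com.example.browser", 28, ["INTERNET"],
        '<provider android:name=".FileProvider" android:exported="true"/>'
        '<provider android:name=".SafeProvider" android:exported="true" '
        'android:readPermission="com.example.browser.READ"/>'),
    # benign flashlight: CAMERA alone, provider not exported (target >= 17)
    "com.example.flashlight": manifest("com.example.flashlight", 31, ["CAMERA"],
        '<provider android:name=".Prefs"/>'),
}

def report(samples=SAMPLES):
    """Map package name -> list of finding names."""
    return {pkg: [kind for kind, _ in triage(xml)] for pkg, xml in samples.items()}

if __name__ == "__main__":
    for pkg, kinds in report().items():
        print(pkg, kinds or "clean")
```

    The provider check is the one most worth keeping: whether a provider is reachable depends on the explicit android:exported value, the target SDK default, and the presence of a read or write permission, and a review that looks at only one of the three misses the other two.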