APKDeepLens is a Python based tool designed to scan Android applications (APK files) for security vulnerabilities. It specifically targets the OWASP Top 10 mobile vulnerabilities, providing an easy and efficient way for developers, penetration testers, and security researchers to assess the security posture of Android apps.
APKDeepLens is a Python-based tool that performs various operations on APK files. Its main features include:
To use APKDeepLens, you'll need to have Python 3.8 or higher installed on your system. You can then install APKDeepLens using the following command:
git clone https://github.com/d78ui98/APKDeepLens/tree/main
cd /APKDeepLens
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python APKDeepLens.py --help
git clone https://github.com/d78ui98/APKDeepLens/tree/main
cd \APKDeepLens
python3 -m venv venv
.\venv\Scripts\activate
pip install -r .\requirements.txt
python APKDeepLens.py --help
To simply scan an APK, use the below command. Mention the apk file with -apk
argument. Once the scan is complete, a detailed report will be displayed in the console.
python3 APKDeepLens.py -apk file.apk
If you've already extracted the source code and want to provide its path for a faster scan you can use the below command. Mention the source code of the android application with -source
parameter.
python3 APKDeepLens.py -apk file.apk -source <source-code-path>
To generate detailed PDF and HTML reports after the scan you can pass -report
argument as mentioned below.
python3 APKDeepLens.py -apk file.apk -report
We welcome contributions to the APKDeepLens project. If you have a feature request, bug report, or proposal, please open a new issue here.
For those interested in contributing code, please follow the standard GitHub process. We'll review your contributions as quickly as possible :)
drozer (formerly Mercury) is the leading security testing framework for Android.
drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
drozer provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (WithSecure's advanced exploitation payload) drozer is able to maximise the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT).
drozer is a good tool for simulating a rogue application. A penetration tester does not have to develop an app with custom code to interface with a specific content provider. Instead, drozer can be used with little to no programming experience required to show the impact of letting certain components be exported on a device.
drozer is open source software, maintained by WithSecure, and can be downloaded from: https://labs.withsecure.com/tools/drozer/
To help with making sure drozer can be run on modern systems, a Docker container was created that has a working build of Drozer. This is currently the recommended method of using Drozer on modern systems.
Note: On Windows please ensure that the path to the Python installation and the Scripts folder under the Python installation are added to the PATH environment variable.
Note: On Windows please ensure that the path to javac.exe is added to the PATH environment variable.
git clone https://github.com/WithSecureLabs/drozer.git
cd drozer
python setup.py bdist_wheel
sudo pip install dist/drozer-2.x.x-py2-none-any.whl
git clone https://github.com/WithSecureLabs/drozer.git
cd drozer
make deb
sudo dpkg -i drozer-2.x.x.deb
git clone https://github.com/WithSecureLabs/drozer.git
cd drozer
make rpm
sudo rpm -I drozer-2.x.x-1.noarch.rpm
NOTE: Windows Defender and other Antivirus software will flag drozer as malware (an exploitation tool without exploit code wouldn't be much fun!). In order to run drozer you would have to add an exception to Windows Defender and any antivirus software. Alternatively, we recommend running drozer in a Windows/Linux VM.
git clone https://github.com/WithSecureLabs/drozer.git
cd drozer
python.exe setup.py bdist_msi
Run dist/drozer-2.x.x.win-x.msi
Drozer can be installed using Android Debug Bridge (adb).
Download the latest Drozer Agent here.
$ adb install drozer-agent-2.x.x.apk
You should now have the drozer Console installed on your PC, and the Agent running on your test device. Now, you need to connect the two and you're ready to start exploring.
We will use the server embedded in the drozer Agent to do this.
If using the Android emulator, you need to set up a suitable port forward so that your PC can connect to a TCP socket opened by the Agent inside the emulator, or on the device. By default, drozer uses port 31415:
$ adb forward tcp:31415 tcp:31415
Now, launch the Agent, select the "Embedded Server" option and tap "Enable" to start the server. You should see a notification that the server has started.
Then, on your PC, connect using the drozer Console:
On Linux:
$ drozer console connect
On Windows:
> drozer.bat console connect
If using a real device, the IP address of the device on the network must be specified:
On Linux:
$ drozer console connect --server 192.168.0.10
On Windows:
> drozer.bat console connect --server 192.168.0.10
You should be presented with a drozer command prompt:
selecting f75640f67144d9a3 (unknown sdk 4.1.1)
dz>
The prompt confirms the Android ID of the device you have connected to, along with the manufacturer, model and Android software version.
You are now ready to start exploring the device.
Command | Description |
---|---|
run | Executes a drozer module |
list | Show a list of all drozer modules that can be executed in the current session. This hides modules that you do not have suitable permissions to run. |
shell | Start an interactive Linux shell on the device, in the context of the Agent process. |
cd | Mounts a particular namespace as the root of session, to avoid having to repeatedly type the full name of a module. |
clean | Remove temporary files stored by drozer on the Android device. |
contributors | Displays a list of people who have contributed to the drozer framework and modules in use on your system. |
echo | Print text to the console. |
exit | Terminate the drozer session. |
help | Display help about a particular command or module. |
load | Load a file containing drozer commands, and execute them in sequence. |
module | Find and install additional drozer modules from the Internet. |
permissions | Display a list of the permissions granted to the drozer Agent. |
set | Store a value in a variable that will be passed as an environment variable to any Linux shells spawned by drozer. |
unset | Remove a named variable that drozer passes to any Linux shells that it spawns. |
drozer is released under a 3-clause BSD License. See LICENSE for full details.
drozer is Open Source software, made great by contributions from the community.
Bug reports, feature requests, comments and questions can be submitted here.
This is a self-contained plugin for radare2 that allows to instrument remote processes using frida.
The radare project brings a complete toolchain for reverse engineering, providing well maintained functionalities and extend its features with other programming languages and tools.
Frida is a dynamic instrumentation toolkit that makes it easy to inspect and manipulate running processes by injecting your own JavaScript, and optionally also communicate with your scripts.
:.
command):db
apir_fs
api.The recommended way to install r2frida is via r2pm:
$ r2pm -ci r2frida
Binary builds that don't require compilation will be soon supported in r2pm
and r2env
. Meanwhile feel free to download the last builds from the Releases page.
In GNU/Debian you will need to install the following packages:
$ sudo apt install -y make gcc libzip-dev nodejs npm curl pkg-config git
$ git clone https://github.com/nowsecure/r2frida.git
$ cd r2frida
$ make
$ make user-install
radare2
(instead of radare2-x.y.z)preconfigure.bat
)configure.bat
and then make.bat
b\r2frida.dll
into r2 -H R2_USER_PLUGINS
For testing, use r2 frida://0
, as attaching to the pid0 in frida is a special session that runs in local. Now you can run the :?
command to get the list of commands available.
$ r2 'frida://?'
r2 frida://[action]/[link]/[device]/[target]
* action = list | apps | attach | spawn | launch
* link = local | usb | remote host:port
* device = '' | host:port | device-id
* target = pid | appname | process-name | program-in-path | abspath
Local:
* frida://? # show this help
* frida:// # list local processes
* frida://0 # attach to frida-helper (no spawn needed)
* frida:///usr/local/bin/rax2 # abspath to spawn
* frida://rax2 # same as above, considering local/bin is in PATH
* frida://spawn/$(program) # spawn a new process in the current system
* frida://attach/(target) # attach to target PID in current host
USB:
* frida://list/usb// # list processes in the first usb device
* frida://apps/usb// # list apps in the first usb device
* frida://attach/usb//12345 # attach to given pid in the first usb device
* frida://spawn/usb//appname # spawn an app in the first resolved usb device
* frida://launch/usb//appname # spawn+resume an app in the first usb device
Remote:
* frida://attach/remote/10.0.0.3:9999/558 # attach to pid 558 on tcp remote frida-server
Environment: (Use the `%` command to change the environment at runtime)
R2FRIDA_SAFE_IO=0|1 # Workaround a Frida bug on Android/thumb
R2FRIDA_DEBUG=0|1 # Used to debug argument parsing behaviour
R2FRIDA_COMPILER_DISABLE=0|1 # Disable the new frida typescript compiler (`:. foo.ts`)
R2FRIDA_AGENT_SCRIPT=[file] # path to file of the r2frida agent
$ r2 frida://0 # same as frida -p 0, connects to a local session
You can attach, spawn or launch to any program by name or pid, The following line will attach to the first process named rax2
(run rax2 -
in another terminal to test this line)
$ r2 frida://rax2 # attach to the first process named `rax2`
$ r2 frida://1234 # attach to the given pid
Using the absolute path of a binary to spawn will spawn the process:
$ r2 frida:///bin/ls
[0x00000000]> :dc # continue the execution of the target program
Also works with arguments:
$ r2 frida://"/bin/ls -al"
For USB debugging iOS/Android apps use these actions. Note that spawn
can be replaced with launch
or attach
, and the process name can be the bundleid or the PID.
$ r2 frida://spawn/usb/ # enumerate devices
$ r2 frida://spawn/usb// # enumerate apps in the first iOS device
$ r2 frida://spawn/usb//Weather # Run the weather app
These are the most frequent commands, so you must learn them and suffix it with ?
to get subcommands help.
:i # get information of the target (pid, name, home, arch, bits, ..)
.:i* # import the target process details into local r2
:? # show all the available commands
:dm # list maps. Use ':dm|head' and seek to the program base address
:iE # list the exports of the current binary (seek)
:dt fread # trace the 'fread' function
:dt-* # delete all traces
r2frida plugins run in the agent side and are registered with the r2frida.pluginRegister
API.
See the plugins/
directory for some more example plugin scripts.
[0x00000000]> cat example.js
r2frida.pluginRegister('test', function(name) {
if (name === 'test') {
return function(args) {
console.log('Hello Args From r2frida plugin', args);
return 'Things Happen';
}
}
});
[0x00000000]> :. example.js # load the plugin script
The :.
command works like the r2's .
command, but runs inside the agent.
:. a.js # run script which registers a plugin
:. # list plugins
:.-test # unload a plugin by name
:.. a.js # eternalize script (keeps running after detach)
If you are willing to install and use r2frida natively on Android via Termux, there are some caveats with the library dependencies because of some symbol resolutions. The way to make this work is by extending the LD_LIBRARY_PATH
environment to point to the system directory before the termux libdir.
$ LD_LIBRARY_PATH=/system/lib64:$LD_LIBRARY_PATH r2 frida://...
Ensure you are using a modern version of r2 (preferibly last release or git).
Run r2 -L | grep frida
to verify if the plugin is loaded, if nothing is printed use the R2_DEBUG=1
environment variable to get some debugging messages to find out the reason.
If you have problems compiling r2frida you can use r2env
or fetch the release builds from the GitHub releases page, bear in mind that only MAJOR.MINOR version must match, this is r2-5.7.6 can load any plugin compiled on any version between 5.7.0 and 5.7.8.
+---------+
| radare2 | The radare2 tool, on top of the rest
+---------+
:
+----------+
| io_frida | r2frida io plugin
+----------+
:
+---------+
| frida | Frida host APIs and logic to interact with target
+---------+
:
+-------+
| app | Target process instrumented by Frida with Javascript
+-------+
This plugin has been developed by pancake aka Sergi Alvarez (the author of radare2) for NowSecure.
I would like to thank Ole André for writing and maintaining Frida as well as being so kind to proactively fix bugs and discuss technical details on anything needed to make this union to work. Kudos
Noia is a web-based tool whose main aim is to ease the process of browsing mobile applications sandbox and directly previewing SQLite databases, images, and more. Powered by frida.re.
Please note that I'm not a programmer, but I'm probably above the median in code-savyness. Try it out, open an issue if you find any problems. PRs are welcome.
npm install -g noia
noia
Explore third-party applications files and directories. Noia shows you details including the access permissions, file type and much more.
View custom binary files. Directly preview SQLite databases, images, and more.
Search application by name.
Search files and directories by name.
Navigate to a custom directory using the ctrl+g shortcut.
Download the application files and directories for further analysis.
Basic iOS support
and more
Noia is available on npm, so just type the following command to install it and run it:
npm install -g noia
noia
Noia is powered by frida.re, thus requires Frida to run.
See: * https://frida.re/docs/android/ * https://frida.re/docs/ios/
Security Warning
This tool is not secure and may include some security vulnerabilities so make sure to isolate the webpage from potential hackers.
MIT
Remote adminitration tool for android
console git clone https://github.com/Tomiwa-Ot/moukthar.git
/var/www/html/
and install dependencies console mv moukthar/Server/* /var/www/html/ cd /var/www/html/c2-server composer install cd /var/www/html/web\ socket/ composer install
The default credentials are username: android
and password: the rastafarian in you
c2-server/.env
and web socket/.env
database.sql
console php Server/web\ socket/App.php # OR sudo mv Server/websocket.service /etc/systemd/system/ sudo systemctl daemon-reload sudo systemctl enable websocket.service sudo systemctl start websocket.service
/etc/apache2/apache2.conf
xml <Directory /var/www/html/c2-server> Options -Indexes DirectoryIndex app.php AllowOverride All Require all granted </Directory>
functionality/Utils.java
```java public static final String C2_SERVER = "http://localhost";public static final String WEB_SOCKET_SERVER = "ws://localhost:8080"; ``` - Compile APK using Android Studio and deploy to target
SMiShing, a term from ‘SMS phishing’, is a growing cyber threat that is as dangerous, if not more, than its sibling, “Phishing.” While the terms may seem comical, the repercussions of falling victim to these scams are no laughing matter. In an increasingly digital age, cybercriminals are taking advantage of our reliance on technology to steal personal information and leverage it for malicious purposes. This article provides an in-depth explanation of SMiShing, how it works, and, most importantly, how you can protect yourself from it.
In essence, SMiShing is a deceptive practice where scammers send fraudulent text messages masquerading as reputable institutions, aiming to dupe recipients into clicking on a link, calling a number, or providing sensitive personal information. The risk with SMiShing is that mobile users tend to trust their SMS messages more than their emails, making it an effective scamming tool. The best line of defense is awareness and understanding of what SMiShing is, how it operates, and the protective measures you can take against it.
The term ‘SMiShing’ is a concatenation of ‘SMS’ (short message service) and ‘Phishing’. The latter is a cybercriminal strategy, where scammers send emails that impersonate legitimate organizations with the aim of luring victims into clicking links and/or entering their login data or credentials. The word ‘Phishing’ is a play on the word ‘fishing’, depicting the tactic of baiting victims and fishing for their personal information.
SMiShing is a variant of phishing, a social engineering tactic where scammers resort to sending text messages instead of emails. These messages are engineered to appear as though they’ve been sent by legitimate, trusted organizations, leading the recipient to either click on a link or respond with their personal details. The transition from emails to text messages signals a shift in cybercrime trends, as scammers exploit the trust users place in their text messages, as opposed to their scrutiny of emails.
→ Dig Deeper: What Is Smishing and Vishing, and How Do You Protect Yourself?
Cybercriminals use sophisticated technology that allows them to generate cell phone numbers based on area codes. These phone numbers include a cell carrier’s provided extension, plus the last four random numbers. Once these phone numbers are generated, the scammers utilize mass text messaging services to disseminate their SMiShing bait, much like casting a large fishing net hoping to snare unsuspecting victims. A simple online search for “mass SMS software” will yield numerous free and low-cost programs that facilitate mass texting, revealing the ease with which these scams can be carried out.
→ Dig Deeper: What You Need to Know About the FedEx SMiShing Scam
SMiShing has proven to be effective mainly because most people have been conditioned to trust text messages more than emails. Moreover, unlike emails accessed on a PC, text messages do not allow for easy link previewing, making it risky to click on links embedded within the texts. The links either lead to malicious websites intended to steal data or prompt the download of keyloggers, tools that record every keystroke on your device, facilitating the theft of personal information. Alternatively, some SMiShing texts may trick recipients into calling specific numbers which, when dialed, incur hefty charges on the victim’s phone bill.
The first step towards protecting yourself against SMiShing is recognizing the threat. Cybercriminals often capitalize on the victim’s lack of understanding about how these scams work. They prey on the recipient’s trust in their text messages and their curiosity to view links sent via SMS. By understanding how SMiShing works, you are able to spot potential scams and protect yourself against them.
Typically, SMiShing messages are crafted to impersonate familiar, reputable organizations such as banks, utility companies, or even government institutions. They often induce a sense of urgency, pushing the recipient to act swiftly, leaving little to no time for scrutiny. The messages may alert you of suspicious activity on your account, a pending bill, or offer incredible deals that seem too good to be true. Any SMS message that prompts you to click on a link, call a certain number, or provide personal information should be treated with suspicion.
More often than not, recognizing an SMiShing scam relies on your observational skills and your ability to spot the tell-tale signs. One common red flag is poor grammar and spelling. Although this is not always the case, several SMiShing scams tend to have mistakes that professional communications from reputable institutions would not.
Another sign is that the message is unsolicited. If you didn’t initiate contact or expect a message from the supposed sender, you should treat it with suspicion. Additionally, reputable organizations usually employ a secure method of communication when dealing with sensitive information; they would rarely, if ever, ask for personal data via SMS.
Pay attention to the phone number. A text from a legitimate institution usually comes from a short code number, not a regular ten-digit phone number. Also, check whether the message uses a generic greeting instead of your name. Finally, use your common sense. If an offer seems too good to be true, it probably is. Also, remember that verifying the legitimacy of the text message with the supposed sender can never harm.
Many of these signs can be subtle and easy to overlook. However, staying vigilant and taking the time to scrutinize unusual text messages can save you from falling victim to SMiShing.
→ Dig Deeper: How to Squash the Android/TimpDoor SMiShing Scam
Psychological Manipulation is a critical aspect of this cyber threat, involving the art of exploiting human psychology and trust to trick individuals into revealing sensitive information or engaging in harmful actions. Even individuals with the intelligence to steer clear of scams might become vulnerable if the psychological manipulation is exceptionally compelling.
Smishing attackers employ a range of social engineering techniques that tap into human emotions, including fear, curiosity, and urgency. They often impersonate trusted entities or use personalized information to lower recipients’ guard and establish trust. The use of emotional manipulation and emotional triggers, such as excitement or outrage, further intensifies the impact of these attacks. Recognizing and understanding these psychological tactics is paramount for individuals and organizations in fortifying their defenses against smishing, empowering them to identify and resist such manipulative attempts effectively.
→ Dig Deeper: Social Engineering—The Scammer’s Secret Weapon
Arming yourself with knowledge about SMiShing and its modus operandi is the initial line of defense. Once you comprehend the nature of this scam, you are better equipped to identify it. However, understanding alone is not enough. There are several practical measures that you can adopt to safeguard your personal information from SMiShing scams.
At the top of this list is exercising caution with text messages, especially those from unknown sources. Resist the impulse to click on links embedded within these texts. These links often lead to malicious websites engineered to steal your data or trigger the download of harmful software like keyloggers. Do not respond to text messages that solicit personal information. Even if the message seems to originate from a trusted entity, it is always better to verify through other means before responding.
Furthermore, be wary of text messages that create a sense of urgency or evoke fear. SMiShers often manipulate emotions to spur immediate action, bypassing logical scrutiny. For instance, you may receive a message supposedly from your bank alerting you about a security breach or unauthorized transaction. Instead of panicking and clicking on the provided link, take a moment to contact your bank through their officially listed number for clarification.
There is also the option of using comprehensive mobile security applications. These apps provide an array of features such as text message filtering, antivirus, web protection, and anti-theft measures. Applications like McAfee Mobile Security can significantly enhance your defense against SMiShing attacks and other cyber threats.
McAfee Pro Tip: Try McAfee Mobile Security’s scam protection. It scans the URLs within your text messages to enhance your online safety. If a suspicious or scam link is detected, it will send an alert on Android devices or automatically filter out the problematic text. Additionally, it actively blocks potentially harmful links in emails, text messages, and social media if you happen to click on them by mistake, adding an extra layer of protection to your online experience.
SMiShing is a serious cyber threat that aims to exploit the trust that individuals place in their text messages. By impersonating reputable organizations and creating a sense of urgency, scammers try to trick recipients into providing personal information or clicking on malicious links. Protecting oneself from SMiShing involves understanding what it is, recognizing the threat, and adopting effective protective measures. These include being cautious of unsolicited text messages, refraining from clicking on links within these texts, and using comprehensive mobile security applications. Additionally, being aware of the red flags, such as poor grammar, unsolicited messages, and requests for sensitive information via SMS, can help in detecting potential scams. In an increasingly digital age, staying vigilant and proactive is the best way to protect your personal information from cybercriminals.
The post Understanding and Protecting Yourself from SMiShing appeared first on McAfee Blog.
In today’s digital era, smartphones and tablets are quickly becoming essentials for everybody. However, despite their increasing popularity, many people fail to take adequate security precautions with their mobile devices. Statistics show that roughly 75% of Americans do not use mobile security software. Moreover, approximately 36% of users do not have a basic PIN to secure their mobile devices. Therefore, it becomes imperative to understand the risks and take necessary precautions, particularly for Android users.
Android has, over time, become a popular target for hackers. Recently, McAfee Labs™ found that all new forms of malicious mobile software were solely designed to exploit vulnerabilities in the Android operating system. Multiple factors contribute to this increase in mobile malware. One of the major reasons is the exponential growth of the Android platform, which currently holds the largest share of the mobile marketplace. Naturally, cybercriminals are drawn to the size and potential for exploitation in the Android space.
Malicious mobile activity, particularly on Android devices, is generally driven by bad apps. These rogue applications come with a myriad of risks. They can access your contacts, sending them unwanted emails. They can track and record everything you do on your mobile device, leading to severe consequences such as data theft, keylogging, and unauthorized access to sensitive information like banking credentials. They may even hijack your device or distribute personal content without consent, posing emotional and reputational damage.
In addition to individual risks, mobile malware can serve broader purposes, including espionage and geopolitical motives, often orchestrated by nation-states or hacktivist groups. These advanced persistent threats (APTs) may target specific individuals, organizations, or regions, posing significant damage potential. To protect against these advanced threats and prevent the proliferation of mobile malware, proactive cybersecurity measures, awareness, and safe online practices are indispensable.
→ Dig Deeper: 4 Mobile Malware Threats You Can’t Even See
While the extent of smartphone malware is currently less severe compared to desktop or laptop PCs, awareness of its existence can go a long way toward ensuring your data’s security. There are a few simple steps you can take to protect yourself and your data:
Begin by using a PIN to lock your device. Just as you would be cautious with your computer, always think twice before clicking on links, especially from unfamiliar sources. Ensure that you have web protection software installed which can help keep you from visiting malicious sites. When looking to download apps, remember to do your research. Reading the ratings and reviews can give you a good idea about the app’s credibility. Only download apps from well-known, reputable app stores to minimize the possibility of downloading a malicious app.
→ Dig Deeper: How Safe Is Your Android PIN Code?
During the app installation process, ensure you review what permissions the app is requesting on your device. Consider using an app protection feature that alerts you if an app is accessing data it does not require. Lastly, consider installing a comprehensive mobile security solution like McAfee Mobile Security. This type of software generally includes anti-malware, web protection, anti-theft, and app protection features.
App permissions play a crucial role in this process. Android developers have the liberty to choose from over 150 different permissions that an app can access on your mobile device. Examples include turning on your camera to record images or videos, accessing all your contacts, and even accessing your IMEI code (a unique identifier for your mobile device). Therefore, it’s crucial to understand why an app needs to access specific information to prevent it from sending your personal information to potentially malicious entities.
With each download, apps request permission to access certain functionalities on your device. Unfortunately, these permissions can sometimes be used to compromise your personal data. For instance, an app might ask for access to your device’s camera, microphone, or location. While these permissions might seem harmless at face value, they can be exploited. Cybercriminals can potentially use these permissions to steal sensitive information or even engage in surveillance activities. That’s why it’s critical to cross-verify each permission an app requests and deny any that seem unnecessary.
For those unsure, consider asking the following questions: Why does this app need access to my contacts, SMS, or location? Is this access necessary for the functionality of the app? If you’re unsure, look up the app on online forums or ask for advice from trusted sources. Remember, it’s always better to be safe than sorry.
McAfee Pro Tip: Be careful when downloading third-party apps. Developers of third-party apps are not under the control of the OS owners and official application stores like App Store and Google Play, so they can have lower security levels. This enables advertisers and hackers to insert malicious codes within the app. Know more about third-party apps and how to check app authenticity.
Another crucial measure to protect your Android device is to keep it updated. Software updates not only introduce new features but also fix potential security flaws. Hackers often exploit these security flaws to infiltrate your device, making updates a crucial part of your security toolkit. Regularly check for updates and install them as soon as they are available.
Google frequently releases monthly security patches for Android. These patches address various security vulnerabilities that have been discovered in the Android operating system. However, the responsibility for pushing these updates to individual devices lies with the device manufacturers and carriers. Ensure that you are aware of your device’s update cycle and prioritize installing these updates.
→ Dig Deeper: Why Software Updates Are So Important
Your Android device serves as a repository for a wealth of personal and sensitive information. As we continue to incorporate these devices into our daily lives, the need for stringent security measures has never been more urgent. While the world of mobile security might seem daunting, the right knowledge and a few preventive measures can help you avoid the majority of potential threats.
Start by locking your device with a PIN, be cautious about the links you click on, verify app permissions, ensure you download apps from a trusted source, and keep your device updated. Remember, your digital security is in your hands. Equip yourself with the necessary tools and awareness to navigate the online world safely. Lastly, consider investing in a comprehensive mobile security solution like McAfee Mobile Security to fortify your defenses against potential cyber threats.
The post Understanding the Risks of Using an Android Device appeared first on McAfee Blog.
In the ever-growing digital age, our mobile devices contain an alarming amount of personal, sensitive data. From emails, social media accounts, banking applications to payment apps, our personal and financial lives are increasingly entwined with the convenience of online, mobile platforms. However, despite the increasing threat to cyber security, it appears many of us are complacent about protecting our mobile devices.
Survey revealed that many mobile users still use easy-to-remember and easy-to-guess passwords. With such an increasing dependence on mobile devices to handle our daily tasks, it seems unimaginable that many of us leave our important personal data unguarded. Theft or loss of an unsecured mobile device can, and often does, result in a catastrophic loss of privacy and financial security.
The unfortunate reality of our digital era is that devices are lost, misplaced, or stolen every day. A mobile device without password protection is a gold mine for anyone with malicious intent. According to a global survey by McAfee and One Poll, many consumers are largely unconcerned about the security of their personal data stored on mobile devices. To illustrate, only one in five respondents had backed up data on their tablet or smartphone. Even more concerning, 15% admitted they saved password information on their phone.
Such statistics are troubling for several reasons. The most obvious is the risk of personal information —including banking details and online login credentials— falling into the wrong hands. A lost or stolen device is not just a device lost— it’s potentially an identity, a bank account, or worse. The lack of urgency in securing data on mobile devices speaks to a broad consumer misunderstanding about the severity of the threats posed by cybercriminals and the ease with which they can exploit an unprotected device.
→ Dig Deeper: McAfee 2023 Consumer Mobile Threat Report
Perhaps one of the most surprising findings of the survey is the difference in mobile security behaviors between men and women. This difference illustrates not just a disparity in the type of personal information each group holds dear, but also the degree of risk each is willing to accept with their mobile devices.
Broadly speaking, men tend to place greater value on the content stored on their devices, such as photos, videos, and contact lists. Women, on the other hand, appear more concerned about the potential loss of access to social media accounts and personal communication tools like email. They are statistically more likely to experience online harassment and privacy breaches. This could explain why they are more concerned about the security of their social media accounts, as maintaining control over their online presence can be a way to protect against harassment and maintain a sense of safety.
The loss of a mobile device, which for many individuals has become an extension of their social identity, can disrupt daily life significantly. This distinction illustrates that the consequences of lost or stolen mobile devices are not just financial, but social and emotional as well.
Despite the differences in what we value on our mobile devices, the survey showed a worrying level of risky behavior from both genders. Over half (55%) of respondents admitted sharing their passwords or PIN with others, including their children. This behavior not only leaves devices and data at risk of unauthorized access but also contributes to a wider culture of complacency around mobile security.
Password protection offers a fundamental layer of security for devices, yet many people still choose convenience over safety. Setting a password or PIN isn’t a failsafe method for keeping your data safe. However, it is a simple and effective starting point in the broader effort to protect our digital lives.
→ Dig Deeper: Put a PIN on It: Securing Your Mobile Devices
While the survey results raise an alarm, the good news is that we can turn things around. It all begins with acknowledging the risks of leaving our mobile devices unprotected. There are simple steps that can be taken to ramp up the security of your devices and protect your personal information.
First and foremost, password-protect all your devices. This means going beyond your mobile phone to include tablets and any other portable, internet-capable devices you may use. And, while setting a password, avoid easy ones like “1234” or “1111”. These are the first combinations a hacker will try. The more complex your password is, the sturdier a barrier it forms against unauthorized access.
Another important step is to avoid using the “remember me” function on your apps or mobile web browser. Although it might seem convenient to stay logged into your accounts for quick access, this considerably amplifies the risk if your device gets stolen or lost. It’s crucial to ensure you log out of your accounts whenever not in use. This includes email, social media, banking, payment apps, and any other accounts linked to sensitive information.
McAfee Pro Tip: If your phone is lost or stolen, employing a combination of tracking your device, locking it remotely, and erasing its data can safeguard both your phone and the information it contains. Learn more tips on how to protect your mobile device from loss and theft.
Sharing your PIN or password is also a risky behavior that should be discouraged. Admittedly, this might be challenging to implement, especially with family members or close friends. But the potential harm it can prevent in the long run far outweighs the temporary convenience it might present.
Having highlighted the importance of individual action towards secure mobile practices, it’s worth noting that investing in reliable security software can also make a world of difference. A mobile security product like McAfee Mobile Security, which offers anti-malware, web protection, and app protection, can provide a crucial extra layer of defense.
With app protection, not only are you alerted if your apps are accessing information on your mobile that they shouldn’t, but in the event that someone does unlock your device, your personal information remains safe by locking some or all of your apps. This means that even if your device falls into the wrong hands, they still won’t be able to access your crucial information.
It’s also critical to stay educated on the latest ways to protect your mobile device. Cyber threats evolve constantly, and awareness is your first line of defense. McAfee has designed a comprehensive approach to make the process of learning about mobile security not just informative but also engaging. Our array of resources includes a rich repository of blogs, insightful reports, and informative guides. These materials are meticulously crafted to provide users with a wealth of knowledge on how to protect their mobile devices, ensuring that the learning experience is not only informative but also engaging and enjoyable.
While the current state of mobile device security may seem concerning, it’s far from hopeless. By incorporating simple security practices such as setting complex passwords and avoiding shared access, we can significantly reduce the risk of unauthorized data access. Additionally, investing in trusted mobile security products like McAfee Mobile Security can provide a robust defense against advancing cyber threats. Remember, our digital lives mirror our real lives – just as we lock and secure our homes, so too must we protect our mobile devices.
The post How to Protect Your Mobile Device From Loss and Theft appeared first on McAfee Blog.
Digital technology has dramatically impacted our lives, making it easier and more convenient in many ways. With the use of smartphones, we perform a myriad of activities daily, from making phone calls and sending messages to shopping online and managing bank accounts. While these activities bring convenience, they also expose users to various security threats. Your Android PIN code is a critical aspect that protects your phone data from unauthorized access. But how safe is this four-digit code? This article aims to demystify this question and offers a comprehensive guide on the safety of Android PIN codes.
A Personal Identification Number (PIN) is a security code used to protect your mobile device from unauthorized access. It is usually a 4-digit number, though some devices allow longer PINs. When you set up a PIN, the device encrypts data and can only be accessed by entering the correct PIN. The idea behind the PIN is that it is easy for you to remember but difficult for others to guess. But is this method of protecting your data foolproof?
The first line of defense for your smartphone is a simple PIN code. Many users choose easy-to-remember combinations such as “1234” or “1111.” However, these are easily guessable and thus not very secure. Furthermore, a determined thief could try all 10,000 possible four-digit combinations until they hit the right one. This process could be done manually, but it has been demonstrated that it could also be automated with a device like the R2B2 robot, which can try all combinations in less than 24 hours.
The R2B2, or Robotic Reconfigurable Button Basher, is a small robot designed with a single, solitary function: to crack any Android four-digit locking code. Justin Engler, a security engineer at iSEC , created itPartners. The R2B2 uses a ‘brute force’ method of entering all 10,000 possible combinations of four-digit passcodes until it finds the right one. It doesn’t use specialized software or malware; it simply inputs combinations until it gets the right one.
Although the chances of your phone falling into the clutches of an R2B2 are slim, such technology raises concerns about the security of a four-digit PIN. If a simple robot can crack the code in less than a day, it questions the efficacy of a four-digit passcode in protecting your mobile data. This emphasizes the need for more robust, more secure forms of password protection.
→ Dig Deeper: Put a PIN on It: Securing Your Mobile Devices
Even though a four-digit PIN remains one of the most common forms of mobile security, it may not necessarily be the most secure. For times when a PIN code does not offer sufficient protection, alternative security measures can step in. Advanced Android users can access a wide range of security features beyond the conventional four-digit PIN, including patterns, passwords, and biometrics.
→ Dig Deeper: 5 Tips For Creating Bulletproof Passwords
→ Dig Deeper: MasterCard Wants to Verify by Selfies and Fingerprints! The Ripple Effects of Biometric Data?
Beyond passcodes and biometrics, there are a range of additional security measures that can be implemented to protect your phone:
McAfee Pro Tip: Refrain from sharing your PIN codes and passwords with anyone. Use a reputable password manager to efficiently and securely manage your collection of passwords and passcodes.
While the advent of technology like R2B2 does raise concerns about the sufficiency of a four-digit PIN, this is only part of the story. The landscape of mobile security is variable and complex, and it’s essential to stay vigilant. By using a mix of solid passcodes (or alternative forms of security like biometrics), implementing additional security measures, and regularly updating and reviewing your security settings, you can significantly enhance the security of your Android device. After all, one’s mobile device often holds a wealth of personal information, making its protection a high priority in our increasingly digital world.
The post How Safe Is Your Android PIN Code? appeared first on McAfee Blog.
In the age of digital data and Internet access, the potential for scams is more significant than ever. These scams often involve leveraging popular search queries to trap unsuspecting netizens into their malicious schemes. Among the top searches in the online world, celebrities hold a prime spot. Through this guide, we aim to shed light on how scammers take advantage of the global fascination with celebrities to target their potential victims.
As digital users, most of us are likely well-acquainted with the phrase “Just Google it.” The search engine has become a go-to source for any information ranging from essential daily needs to entertainment gossip. But it’s crucial to remember that while you’re in pursuit of data, scammers are in search of their next victim.
Scammers have significantly evolved with the advancement of technology. They’ve mastered the art of creating fake or infected websites that can harm your computer systems, extract your financial information, or even steal your identity. Their strategies often include luring victims through popular searches, such as the latest Twitter trends, breaking news stories, major world events, downloads, or even celebrity images and gossip. The higher the popularity of the search, the greater the risk of encountering harmful results.
McAfee has conducted research for six consecutive years on popular celebrities to reveal which ones are riskiest to search for online. For instance, Emma Watson outplaced Heidi Klum as the most dangerous celebrity to look up online. Interestingly, it was the first year that the top 10 list comprised solely of women. Cybercriminals commonly exploit the names of such popular celebrities to lead users to websites loaded with malicious software, consequently turning an innocent search for videos or pictures into a malware-infected nightmare.
→ Dig Deeper: Emma Watson Video Scam: Hackers Use Celeb’s Popularity to Unleash Viruses
Scammers are well aware of the allure the word “free” holds for most Internet users. They cleverly exploit this to get your attention and draw you into their traps. For instance, when you search for “Beyonce” or “Taylor Swift” followed by prompts like “free downloads”, “Beyonce concert photos”, or “Taylor Swift leaked songs”, you expose yourself to potential online threats aiming to steal your personal information. It’s always prudent to maintain a healthy level of skepticism when encountering offers that seem too good to be true, especially those labeled as “free.”
While the internet can be a dangerous playground, it doesn’t mean that you cannot protect yourself effectively. Using common sense, double-checking URLs, utilizing safe search plugins, and having comprehensive security software are some strategies to help ensure your online safety. This guide aims to provide you with insights and tools to navigate the online world without falling prey to its many hidden dangers.
Truth be told, the responsibility for online safety lies primarily with the user. Just as you would not walk into any shady-looking place in real life, it requires a similar instinct to avoid shady sites while browsing online. One important piece of advice – if something appears too good to be true, in all probability, it is. So, take note of these practical tips to help you guard against celebrity scams and other online threats:
→ Dig Deeper: How to Tell Whether a Website Is Safe or Unsafe
→ Dig Deeper: The Big Reason Why You Should Update Your Browser (and How to Do It)
Having comprehensive security software installed on your devices is another crucial step towards preventing scams. Good antivirus software can protect against the latest threats, alert you about unsafe websites, and even detect phishing attempts. Furthermore, always keep your security software and all other software updated. Cybercriminals are known to exploit vulnerabilities in outdated software to infiltrate your devices and steal your data.
Apart from ensuring you have security software, be cautious about what you download on your devices. Trojans, viruses, and malware are often hidden in downloadable files, especially in sites that offer ‘free’ content. Cybercriminals tempting users to download infected files often use popular celebrity names. Therefore, download wisely and from reputed sources.
McAfee Pro Tip: Before committing to a comprehensive security plan, it’s crucial to evaluate your security protection and analyze your requirements. This proactive stance forms the bedrock for crafting strong cybersecurity measures that cater precisely to your unique needs and potential vulnerabilities. For more information about our acclaimed security solutions, explore our range of products.
In the digital world, where information and entertainment are available at our fingertips, it’s crucial to remain vigilant against scams, especially those involving celebrities. By exercising prudent online practices like scrutinizing URLs, using safe search plugins, and installing comprehensive security software, we can significantly reduce our risk of falling prey to these scams.
It’s imperative to understand that the popularity of a search term or trend is directly proportional to the risk it carries. So next time, before you search for your favorite celebrity, remember, the more famous the celebrity, the greater the risk. Together with McAfee, let’s promote safer browsing practices and contribute to a safer online community for all.
The post Celebrities Are Lures For Scammers appeared first on McAfee Blog.
Beyonce sang “if you like it you better put a ring on it” but the same can be said for our personal information on our mobiles. But rather than a ring, the lyric would be “If you like it, you better put a PIN on it.” A PIN, or Personal Identification Number, is your first defense against thieves or hackers who might want to access your private data from your smartphone or tablet.
As we increasingly depend on our digital devices to store and transfer personal data and use the internet for transactions, we are also becoming increasingly vulnerable to digital attacks on our privacy. Having a PIN on your devices is a simple but effective way to add an extra layer of security. Yet, it is reported that half of iPhone users, for instance, don’t use a lock on their devices. In another study, a nationwide survey by Consumer Reports in 2014 found that 30% of people don’t have a PIN or passcode on their smartphones or tablets. This is concerning because by not securing their devices, they are exposing themselves to potential threats of financial fraud, identity theft, and privacy loss.
Your device and its private data are invaluable resources for any potential hacker or data thief. Yet, we often do not protect our smartphones or tablets, the sensitive information they contain, or our wallets or home computers. Every day should be Data Privacy Day, a time to stress the importance of taking privacy seriously and review your privacy settings and practices.
→ Dig Deeper: What is Data Privacy and How Can I Safeguard It?
By not protecting your mobile devices, you are potentially opening yourself up to financial fraud, identity theft, and overall invasion of your privacy. The data available on your phone, from personal photos and conversations to banking information and private documents, can be a goldmine for any potential attacker. This is why companies like McAfee are announcing new pushes for personal security, such as the “Crack the Pin” initiative. This encourages people to take simple steps toward preserving their privacy by locking, tracking, and encrypting their devices.
From fortifying your online accounts with robust passwords to understanding the intricacies of encryption, and from practicing discretion in sharing personal information to recognizing the red flags of phishing attempts, let’s explore a comprehensive set of strategies and practices to help you navigate the digital world with confidence and protect what matters most—your privacy.
One way to ensure the privacy of your mobile devices is through the use of mobile security products. McAfee, for example, has products such as McAfee Mobile Security and McAfee LiveSafe that are designed specifically to protect your devices and the personal data stored on them. These products provide a wide range of security features, from data encryption to anti-theft measures and privacy protection. They can scan apps for potential threats, prevent phishing attacks, and allow you to locate, lock, and wipe your devices in case they get lost or stolen.
→ Dig Deeper: Does My Phone Have a Virus?
Beyond using security products, staying educated on the latest data privacy trends and security measures is also important. This includes keeping your operating system and apps updated, as software updates often contain vital security improvements. Regularly backing up your data is also crucial so that your personal data is not completely lost in the event of a device loss or failure.
Another important aspect of securing your mobile devices is encryption. Encryption is a process that converts your data into an unreadable format that cannot be understood without the correct decryption key. Essentially, even if a hacker or thief manages to access your device, they cannot read your data if it is encrypted. Many smartphones and tablets have encryption options built into the settings, but it’s up to the user to ensure they turn it on and use it correctly.
When it comes to encryption, it’s also crucial to understand the difference between device encryption and app encryption. Device encryption ensures that all data stored on your device is secure, while app encryption secures data within specific apps. While both are important, device encryption is generally considered more comprehensive. However, you should still check the privacy settings in individual apps to ensure your data is protected.
McAfee Pro Tip: When engaging in activities like online banking, shopping, or signing up on a website that requests your personal details, be sure to check for a website address that commences with “https:” rather than just “http:”. This signifies that the site employs encryption for added security. Learn more about encryption here.
In conclusion, securing your mobile devices and their precious personal data should be a top priority. The first step is to put a PIN on your devices and ensure it’s not easily guessable. Other important steps include refraining from sharing your PIN, using security products, staying updated on the latest privacy trends, and employing encryption for comprehensive security. Remember, data privacy is not a one-time event, but a continuous process that requires regular attention and action. So let’s take a page from Beyonce’s book and “put a PIN on it” to keep our private data safe and secure.
The post Put a PIN on It: Securing Your Mobile Devices appeared first on McAfee Blog.
One of the essential aspects of digital security resides in the strength of our passwords. While they are the most convenient and effective way to restrict access to our personal and financial information, the illusion of a fully secure password does not exist. The reality is that we speak in terms of less or more secure passwords. From a practical perspective, we must understand the behind-the-scenes actions that could potentially compromise our passwords and consequently, our digital lives.
Unfortunately, most users frequently overlook this crucial part of their digital existence. They remain largely ignorant of numerous common techniques that hackers employ to crack passwords, leading to the potential loss of personal details, financial information, or even identity theft. Therefore, this blog aims to enlighten readers on how they might be unknowingly making their passwords vulnerable.
Passwords serve as the first line of defense against unauthorized access to our online accounts, be it email, social media, banking, or other sensitive platforms. However, the unfortunate reality is that not all passwords are created equal, and many individuals and organizations fall victim to password breaches due to weak or compromised credentials. Let’s explore the common techniques for cracking passwords, and learn how to stay one step ahead in the ongoing battle for online security.
In the world of cyber-attacks, dictionary attacks are common. This approach relies on using software that plugs common words into the password fields in an attempt to break in. It’s an unfortunate fact that free online tools exist to make this task almost effortless for cybercriminals. This method spells doom for passwords that are based on dictionary words, common misspellings, slang terms, or even words spelled backward. Likewise, using consecutive keyboard combinations such as qwerty or asdfg is equally risky. An excellent practice to deflect this attack is to use unique character combinations that make dictionary attacks futile.
Besides text-based passwords, these attacks also target numeric passcodes. When over 32 million passwords were exposed in a breach, nearly 1% of the victims used ‘123456’ as their password. Close on its heels, ‘12345’ was the next most popular choice, followed by similar simple combinations. The best prevention against such attacks is avoiding predictable and simple passwords.
→ Dig Deeper: Cracking Passwords is as Easy as “123”
While security questions help in password recovery, they also present a potential vulnerability. When you forget your password and click on the ‘Forgot Password’ link, the website generally poses a series of questions to verify your identity. The issue here is that many people use easily traceable personal information such as names of partners, children, other family members, or pets as their answers, some of which can be found on social media profiles with little effort. To sidestep this vulnerability, it’s best not to use easily accessible personal information as the answer to security questions.
McAfee Pro Tip: Exercise caution when sharing content on social media platforms. Avoid making all your personal information publicly accessible to thwart hackers from gathering sensitive details about you. Learn more about the dangers of oversharing on social media here.
A common mistake that many internet users make is reusing the same password for multiple accounts. This practice is dangerous as if one data breach compromises your password, the hackers can potentially gain access to other websites using the same login credentials. According to a report published by LastPass in 2022, a recent breach revealed a shocking password reuse rate of 31% among its victims. Hence, using unique passwords for each of your accounts significantly reduces the risk associated with password reuse.
Moreover, it’s also advisable to keep changing your passwords regularly. While this might seem like a hassle, it is a small price to pay for ensuring your digital security. Using a password manager can help you remember and manage different passwords for different websites.
Social Engineering is a non-technical strategy that cybercriminals use, which relies heavily on human interaction and psychological manipulation to trick people into breaking standard security procedures. They lure their unsuspecting victims into revealing confidential data, especially passwords. Therefore, vigilance and skepticism are invaluable weapons to have in your arsenal to ward off such attacks.
The first step here would be not to divulge your password to anyone, no matter how trustworthy they seem. You should also be wary of unsolicited calls or emails asking for your sensitive information. Remember, legitimate companies will never ask for your password through an email or a phone call.
Despite the vulnerabilities attached to passwords, much can be done to enhance their security. For starters, creating a strong password is the first line of defense. To achieve this, you need to use a combination of uppercase and lowercase letters, numbers, and symbols. Making the password long, at least 12 to 15 characters, significantly improves its strength. It’s also advisable to avoid using common phrases or strings of common words as passwords- they can be cracked through advanced versions of dictionary attacks.
In addition to creating a strong password, adopting multi-factor authentication can greatly enhance your account security. This technology requires more than one form of evidence to verify your identity. It combines something you know (your password), something you have (like a device), and something you are (like your fingerprint). This makes it more difficult for an attacker to gain access even if they have your password.
→ Dig Deeper: 15 Tips To Better Password Security
The future of passwords looks promising. Scientists and tech giants are working relentlessly to develop stronger and more efficient access control tools. Biometrics, dynamic-based biometrics, image-based access, and hardware security tokens are some of the emerging technologies promising to future-proof digital security. With biometrics, users will no longer need to remember complex passwords as access will be based on unique personal features such as fingerprints or facial recognition.
Another promising direction is the use of hardware security tokens, which contain digital certificates to authenticate the user. These tokens can be used in combination with a password to provide two-factor authentication. This makes it more difficult for an attacker to gain access as they would need both your token and your password. While these technologies are still developing, they suggest a future where access control is more secure and user-friendly.
In conclusion, while there’s no such thing as a perfectly secure password, much can be done to enhance their security. Understanding the common techniques for cracking passwords, such as dictionary attacks and security questions’ exploitation, is the first step towards creating more secure passwords. Using unique complex passwords, combined with multi-factor authentication and software tools like McAfee’s True Key, can greatly improve the security of your accounts.
The future of passwords looks promising with the development of biometrics and hardware security tokens. Until then, it’s crucial to adopt the best password practices available to protect your digital life. Remember, your online security is highly dependent on the strength and uniqueness of your passwords, so keep them complex, unique, and secure.
The post What Makes My Passwords Vulnerable? appeared first on McAfee Blog.
Apepe is a Python tool developed to help pentesters and red teamers to easily get information from the target app. This tool will extract basic informations as the package name, if the app is signed and the development language...
A quick guide of how to install and use Apepe.
1. git clone https://github.com/oppsec/Apepe.git
2. pip install -r requirements.txt
3. python3 main -f <apk-file.apk>
A quick guide of how to contribute with the project.
1. Create a fork from Apepe repository
2. Download the project with git clone https://github.com/your/Apepe.git
3. cd Apepe/
4. Make your changes
5. Commit and make a git push
6. Open a pull request