Mar 22, 2024NewsroomPrivacy / Encryption

The U.S. Department of Justice (DoJ), along with 16 other state and district attorneys general, on Thursday accused Apple of illegally maintaining a monopoly over smartphones, thereby undermining, among others, security and privacy of users when messaging non-iPhone users.

“Apple wraps itself in a cloak of privacy, security, and consumer preferences to justify its anticompetitive conduct,” the landmark antitrust lawsuit said. “Apple deploys privacy and security justifications as an elastic shield that can stretch or contract to serve Apple’s financial and business interests.”

“Apple selectively compromises privacy and security interests when doing so is in Apple’s own financial interest – such as degrading the security of text messages, offering governments and certain companies the chance to access more private and secure versions of app stores, or accepting billions of dollars each year for choosing Google as its default search engine when more private options are available.”

The sprawling complaint also alleged that iPhone users who message a non-iPhone user via the Messages app are defaulted to the less secure SMS format (as opposed to iMessage) that lacks support for encryption and offers limited functionality. On the other hand, iMessage is end-to-end encrypted (E2EE) and is even quantum-resistant.

It’s worth noting at this stage that iMessage is only available on the iPhone and other Apple devices. Apple has repeatedly said it has no plans of making iMessage interoperable with Android, even stating that doing so will “will hurt us more than help us.”

Furthermore, the 88-page lawsuit called out the iPhone maker for blocking attempts by third-parties to bring secure cross-platform messaging experience between iOS and Android platform.

In December 2023, Beeper managed to reverse engineer the iMessage protocol and port the service to Android through a dedicated client called Beeper Mini. Apple, however, has shut down those efforts, arguing that Beeper “posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks.”

These limitations have a powerful network effect, driving consumers to continue buying iPhones and less likely to switch to a competing device, the DoJ said, adding, “by rejecting solutions that would allow for cross-platform encryption, Apple continues to make iPhone users’ less secure than they could otherwise be.”

The development comes as Apple is facing more scrutiny than ever to open up its tightly-controlled software ecosystem — the so-called “walled garden” — which regulators say locks in customers and developers. Other major tech giants like Microsoft, Google, Amazon, and Meta have all dealt with similar lawsuits in recent years.

Apple, in a surprise move late last year, announced that it intends to add support for Communication Services (RCS) – an upgraded version of the SMS standard with modern instant messaging features – to its Messages app. It also said it will work with the GSMA members to integrate encryption.

In response to the lawsuit, Cupertino said it will “vigorously defend” itself and that the lawsuit “threatens who we are and the principles that set Apple products apart in fiercely competitive markets.” It also said that DoJ winning the lawsuit would “set a dangerous precedent, empowering the government to take a heavy hand in designing people’s technology.”

Jan 26, 2024NewsroomMalvertising / Phishing-as-a-service

Chinese-speaking users have been targeted by malicious Google ads for restricted messaging apps like Telegram as part of an ongoing malvertising campaign.

“The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojan (RATs) instead,” Malwarebytes’ Jérôme Segura said in a Thursday report. “Such programs give an attacker full control of a victim’s machine and the ability to drop additional malware.”

It’s worth noting that the activity, codenamed FakeAPP, is a continuation of a prior attack wave that targeted Hong Kong users searching for messaging apps like WhatsApp and Telegram on search engines in late October 2023.

The latest iteration of the campaign also adds messaging app LINE to the list of messaging apps, redirecting users to bogus websites hosted on Google Docs or Google Sites.

The Google infrastructure is used to embed links to other sites under the threat actor’s control in order to deliver the malicious installer files that ultimately deploy trojans such as PlugX and Gh0st RAT.

Malwarebytes said it traced the fraudulent ads to two advertiser accounts named Interactive Communication Team Limited and Ringier Media Nigeria Limited that are based in Nigeria.

“It also appears that the threat actor privileges quantity over quality by constantly pushing new payloads and infrastructure as command-and-control,” Segura said.

The development comes as Trustwave SpiderLabs disclosed a spike in the use of a phishing-as-a-service (PhaaS) platform called Greatness to create legitimate-looking credential harvesting pages targeting Microsoft 365 users.

“The kit allows for personalizing sender names, email addresses, subjects, messages, attachments, and QR codes, enhancing relevance and engagement,” the company said, adding it comes with anti-detection measures like randomizing headers, encoding, and obfuscation aim to bypass spam filters and security systems.

Greatness is offered for sale to other criminal actors for $120 per month, effectively lowering the barrier to entry and helping them conduct attacks at scale.

Attack chains entail sending phishing emails bearing malicious HTML attachments that, when opened by the recipients, direct them to a fake login page that captures the login credentials entered and exfiltrates the details to the threat actor via Telegram.

Other infection sequences have leveraged the attachments to drop malware on the victim’s machine to facilitate information theft.

To increase the likelihood of success of the attack, the email messages spoof trusted sources like banks and employers and induce a false sense of urgency using subjects like “urgent invoice payments” or “urgent account verification required.”

“The number of victims is unknown at this time, but Greatness is widely used and well-supported, with its own Telegram community providing information on how to operate the kit, along with additional tips and tricks,” Trustwave said.

Phishing attacks have also been observed striking South Korean companies using lures that impersonate tech companies like Kakao to distribute AsyncRAT via malicious Windows shortcut (LNK) files.

“Malicious shortcut files disguised as legitimate documents are continuously being distributed,” the AhnLab Security Intelligence Center (ASEC) said. “Users can mistake the shortcut file for a normal document, as the ‘.LNK’ extension is not visible on the names of the files.”