A malicious app impersonating the legitimate ‘WalletConnect’ project was available on Google Play for five months, amassing over 10,000 downloads. The fraudulent app, designed to drain cryptocurrency from unsuspecting web3 users, managed to steal approximately $70,000 from victims before being taken down.
The app posed as an official WalletConnect application, despite no such app existing on the Play Store. WalletConnect, a widely-used protocol that allows users to connect decentralized applications to their crypto wallets, does not offer a dedicated app.
George McGregor, VP, Approov Mobile Security, had this to say:
“This is an example of a massive issue. Both iOS and Android are affected by fake apps. HarmonyOS and the Samsung Galaxy Store are not immune to the issue. The problem is significant enough that it impacts users of all major mobile operating systems. Despite security measures, and claims to the contrary, fake apps can slip through on all mobile platforms. Official app stores like Google Play and the Apple App Store are overwhelmed and struggling to address this issue, despite having extensive app review processes in place.
“Some scammers have found ways to exploit the Apple App Store process by initially submitting apps in specific languages for certain countries, then gradually expanding to other markets.
As regulations like the EU’s DMA (Digital Markets Act), the UK’s DMCC (Digital Markets, Competition and Consumers Act 2024), and Japan’s SSCPA (Smartphone Act) kick in, more apps will be available outside of official app stores and security based on official app stores will become even more irrelevant than it already is.
“So, fake and unauthorized apps are a significant and growing problem. Common advice is that USERS should protect themselves: remain vigilant, carefully review app permissions, be wary of suspicious reviews or download numbers. But the reality is that all platforms face challenges with fake reviews and artificially inflated app rankings, which can make it difficult for users to identify legitimate apps. It is unrealistic to expect users to protect themselves from fake apps.
“In fact, it is critical that app developers put solid security in place – this means a zero trust runtime security solution that immediately identifies and blocks fake apps before they even try to access an API.”
This highlights the fact that users need to be vigilant about what they download. And that’s on top of app marketplaces needing to tighten up their security to prevent this scenario from happening.
CISA Warns Of “Unsophisticated” Attacks Targeting Industrial Systems
Posted in Commentary with tags CISA on September 28, 2024 by itnerd
The CISA put out an alert that caught my eye yesterday:
CISA continues to respond to active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector. Exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm.
CISA urges OT/ICS operators in critical infrastructure sectors to apply the recommendations listed in Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity to defend against this activity. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage. For more information and guidance on protection against the most common and impactful threats, tactics, techniques, and procedures, visit CISA’s Cross-Sector Cybersecurity Performance Goals.
The word “Unsophisticated” is what caught my eye. That’s because this warning comes after the Arkansas City water treatment facility cyberattack:
The City of Arkansas City revealed that its water treatment facility had been breached on September 22. The city notified relevant authorities and moved the water plant to manual control to ensure safe operations.
Evan Dornbush, former NSA cybersecurity expert, had this comment:
“CISA’s guidance of recommended practices may be ideal for defenders who are well staffed or are perhaps building out new networks.
“In terms of overall practicality, changing default passwords and patching and moving HMI devices behind firewalls or hardened VNC can be laborious.
“Keeping with defense in depth philosophy, it may be more efficient for established OT/ICS operators to add a network detection capability to their existing infrastructure. Using modern advancements in computation, the market is full of quality options for those looking to glean intelligence from their network data.
“Subscribing to a cyber threat intelligence platform is another low-friction avenue. Those purport to increase awareness of known exploited vulnerabilities (KEV) which can help steer defenders towards highest priority infrastructure.”
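The CISA alert above describes the threat (default credentials and brute-force attempts against internet-exposed OT devices) and Dornbush suggests adding a network detection capability; the routine below is an added example of what such detection logic can look like when run over access-gateway logs. It is not code from CISA, this blog, or any vendor; the log format, the constructed sample records, the plant address range 10.20.0.0/16, the OT port list and the thresholds are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from an HMI remote-access gateway (format is an
# assumption, not any real product's log): time, source IP, dest port, user, outcome.
SAMPLE_LOG = """\
2024-09-22T02:10:01 203.0.113.45 5900 admin FAIL
2024-09-22T02:10:03 203.0.113.45 5900 admin FAIL
2024-09-22T02:10:05 203.0.113.45 5900 operator FAIL
2024-09-22T02:10:07 203.0.113.45 5900 root FAIL
2024-09-22T02:10:09 203.0.113.45 5900 admin FAIL
2024-09-22T02:10:12 203.0.113.45 5900 admin OK
2024-09-22T08:15:00 10.20.0.7 5900 jsmith OK
2024-09-22T08:16:30 10.20.0.9 5900 jsmith FAIL
"""

PLANT_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed OT/engineering ranges
OT_PORTS = {5900: "VNC/HMI", 502: "Modbus"}           # assumed exposed OT services
FAIL_THRESHOLD, WINDOW = 5, timedelta(minutes=2)

def parse(log_text):
    """Turn the constructed log text into (time, src_ip, port, user, result) rows."""
    rows = []
    for line in log_text.splitlines():
        ts, src, port, user, result = line.split()
        rows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                     int(port), user, result))
    return rows

def is_internal(addr):
    return any(addr in net for net in PLANT_NETS)

def detect(rows):
    """Return (rule, src_ip) alerts for OT ports; rows must be time-ordered."""
    alerts, recent_fails, flagged = [], defaultdict(list), set()
    for ts, src, port, user, result in rows:
        if port not in OT_PORTS:
            continue
        if result == "OK" and not is_internal(src):
            alerts.append(("external_ot_login", str(src)))   # OT reachable from outside
        if result == "FAIL":
            recent_fails[src] = [t for t in recent_fails[src] if ts - t <= WINDOW] + [ts]
            if len(recent_fails[src]) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", str(src)))
        elif src in flagged:
            # success right after a burst of failures: likely a guessed or default credential
            alerts.append(("success_after_bruteforce", str(src)))
    return alerts
```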
I truly hope that organizations take these warnings seriously. There’s enough evidence out there to suggest that not doing so will end badly for all concerned.