Week 10 Show Notes: Amazon Fixes Major Flaw and Android malware takes over your Facebook

00:00:05 Carl 

Simple cyber defense security updates for August 13th, 2021 

00:00:35 Carl 

Welcome back to the simple cyber defense. This week we’re going to be talking about two mobile device vulnerabilities, one being in the Android Kindle app and another being an Android malware that attacks your Facebook account. Let’s get into it.

00:01:00 Carl 

My name is Carl. I’m joined with, 

00:01:02 Ahmad 

Hi, my name is Ahmad. 

00:01:04 Carl 

And we’re going to get started right now, so. We want to get started with the Android Tech or the Kindle Tech? 

00:01:12 Ahmad 

No, tell the Amazon one. Yeah, sorry. 

00:01:17 Ahmad 

On August 9th there was a reporter from Check Point. Check Point is a large cyber security company, and what he did is he found that the release of report that your Amazon Kindle reader could be open to hacking through free ebooks that you can download from the store, and the thing is, you know, it’s, uh, there is a very huge audience out there where people just take free stuff just because they’re free. You know you’ll see a lot of people that download a lot of apps and books and music on their phones. It’s because they’re free.

00:01:57 Carl 

But usually, it’s free for a reason. 

00:01:59 Ahmad 

Yeah yeah, and one thing is if a product is free, one thing you have to understand is you are the product. And then it’s, you know, even when it’s legitimate, like things like Twitter and Facebook and other social media stuff, you are the product. Yeah, it’s free for you to use, but how do you think they’re making those billions and billions of dollars you know, create a profile overview of you and then these self-advertisement that’s pretty enabled. 

00:02:22 Carl 

And track you around all the place. 

00:02:24 Ahmad 

Yep, Yep, uh, and you know Amazon is no different. You know Amazon is as much of a technology company as it is a consumer products company and one of the you know, the very their most popular products is the Kindle. You know, as far as eBooks, it’s cheap, it’s reliable, it works. And because it is popular, it opens the doors for security risks. You have a lot more people using that product, so there’s a lot more people that will that you have a bigger market. 

Uhm, what Check Point said is that a malicious book can be published and made available free on the E library, including, you know, a Kindle store or you can even sideload it via self-publishing, so you don’t even need to pay a publisher. You can self-publish that book and that book, uh, you know is well disguised in a malicious software and disguises itself inside that book, and then when that book is successfully installed, that eBook can expose information which is like your personal identifying information, billing information, account information, credit card information, etc. This information can then be used to do phishing attacks against the owner. Now if somebody is able to put any type of malware on any device, that malware can do anything, we don’t have to wait for phishing attacks. You know that you can get into your network, and you can get all your information directly from your Kindle.

Uhm, like the good thing is, Amazon did address that vulnerability, and they released a patch which you know we can download your computer or on your Kindle. You go to your home screen, you tap the menu icon, you tap settings and then in the settings area you tap update, and our entry is called patch management, right? And this is something that must, and we can’t stress this enough. We talked about security as layers, and we talked before about VPNs and we talked about you when you’re using a vault for your password. And now the next thing. It’s just as important as system updates, software updates. Anytime you get an update, do not wait, turn your auto update on for everything.

If you don’t have auto update turned on, make sure you put it on your calendar. Hey, I’m going to check updates every month or every two or twice a week. Yes, updates are rolled that frequently because they’re just like there are engineers rolling updates, there are people on the other side of that trying to attack and see how they can get in and reverse engineer those software on those applications. So, everybody be careful out there, protect your information and protect your private information online and be safe.

00:05:13 Carl 

And one thing I’d like to add is just because your device doesn’t see an update doesn’t necessarily mean that it’s not vulnerable, because some devices are actually outside their what they call the life of the product, like some, like a lot of older Android devices would never get any updates, because they’re just so old that Google has abandoned them. And so, if you if your device doesn’t receive updates for more than like, six months I’d probably go online and see if the vendor is actually still supporting your device, and if you can, probably just upgrade to a newer device, or if not, be a little bit more careful and be cautious of what you download on that device, ’cause chances are if it has a vulnerability, it’s never going to get patched. 

00:06:08 Ahmad 

Right, and also if you are going to trade in a device or sell, we don’t recommend it, but if you do, make sure you reset it and wipe it. You know it’ll take somebody very technical to be able to retrieve that information. There’s a lot of devices out there that get sold or traded in, and they’re not even factory reset. 

00:06:29 Carl 

Yeah, now you could just open it up and have all the data right there. 

00:06:35 Ahmad 

Alright, so is there anything else you want to add to this? 

00:06:39 Carl 

No, no, alright. So, we’ll move on to the Android apps that hijack your Facebook account. 

Starting around March 2021, Google had noticed that there were some particular apps that were able to hijack people’s Facebook accounts the way they did this was they had a little an application they gave out for free again. Free information, free apps and what the app creator did was he injected some triggers, so that either you click on a particular ad or it told you hey, vote for your favorite soccer player, or some something like that, and then when you clicked on that it opened up a page that kind of looked like a Facebook login, so you would log in thinking hey is this Facebook? 

For whatever reason, you have to log into Facebook to make this valid or this poll or whatever they’re telling you. And then once you put in your Facebook credentials, an error page will pop up, either saying that the product that you’re looking for is no longer there or that the poll has closed or something like that. But in the back end there’s JavaScript running, and they’re stealing all of your info. They’re stealing your username and password, and if you use the two FA, they’re also stealing that token too, and automatically populated into Facebook and taking over your account.

The way they do this is by having little computer bots so they can do this really fast within seconds of you putting in your information. And once they have your account, what they’ll do is go through all your contact list, send them links. Say hey I voted for this particular whatever poll, or I got this free product, click this link and you can get it too. Or you can vote in the poll too and then once your friends click the links their Facebook account gets hijacked the same way. 

So far, Google has addressed this and took out a lot of different apps that had this problem going on with it. The problem is still persisting because a lot of people are using third party apps or app stores, and they’re sideloading the apps in there so that they’re bypassing the Google Protection things that Google has in place for their Play store. I know there are some situations where going through a third party is beneficial for the user. But if you are going through that, I would be very cautious of what apps you install and even go a step further. 

Even with Google Play, because there have been instances like these particular apps that actually did get into the Google store. And I would suggest actually scrutinizing them too. One thing you could do is you can go online and search for that particular app that you wanted to download and put in the app’s name plus malware and see if anyone has reported any malicious activity based upon the apps. Because a lot of the researchers are also looking into these apps to see if they’re malware or not, and if they do find malware apps, they are more likely to not only contact Google to get them off the Google Play store, but also publish on their blogs or wherever, saying, hey, we found this situation where this app does something malicious. Don’t download it. If you do have it, delete it and whatnot.

Luckily, most of the people who were victims of this were able to get their Facebook account back, but the question is, how much damage has been done? Because they got their account back, there’s no telling if all their Facebook data get scraped? They don’t know. So far, evidence hasn’t been shown that, but because the hackers are using legitimate logins. It’s hard for Facebook to say, OK, was this the user or was this the hacker? They may have also not only passed out the invitations to your friends, but they also might have scraped your entire Facebook account and have all your private data for them to do whatever they want with. Maybe do another phishing campaign where they have you click on another link and then they hijack your bank account or, who knows, the sky is the limit when they have that information.

So, is there anything you want to add to it? 

00:11:50 Ahmad 

Well, just one of the things that kind of like caught my attention is it creates a botnet. It’s, uh, it’s some version of a botnet, right where? Yeah, it doesn’t just hijack your computer or your account, it hijacks everybody that would accept that invitation from you. Yeah, right this is. And this is where you know where the danger lies. Because if I’m getting something from somebody I trust. I’m just gonna automatically click on, right? So, one of the things that we all I always tell you, know my friends or people who are not well versed in this is if you get a link from somebody that you trust, but it doesn’t seem because it will seem like something awkward. 

00:12:22 Carl 

Be more apt to click on it, Yep. 

00:12:39 Ahmad 

You know, it will seem like, oh, this is. This is an advertising. Why would my daughter send me something like this when my friends send me something like this? Don’t click on it. If it looks legitimate and it looks like Google or it looks like a Facebook go and type that URL in in the search bar instead of clicking on it, because you could replace 1 character and you know you may not see it, so that’s disappointing. Yeah, and I just wanted to check on that real quick. 

00:13:03 Carl 

Or even sometimes what they’ll do is the text will have the correct URL in there, but then once you click it, because the way links work, you can actually have a different type behind there and say OK when he clicks this text go to this website, which is completely different from what you clicked. So, it may say facebook.com or whatever, but then when you click it may be fakebook.co.exe or whatever. And then you’re in the malicious site. 

00:13:45 Ahmad 

Yeah, and sometimes all it takes is you just to click that link for the script to, you know, to excuse. 

00:13:50 Carl 

Activate yeah. 

00:13:53 Carl 

And a lot of times what I would tell my friends is if you get something from me and even if it does look legit. Text me or call me on a different platform so that you know that you’re getting to me and say hey did you send me this? And like I could say yes or no or whatever, so just make sure it’s on a separate platform, or a text message or something that’s outside where you got the message so that way it’s not a situation where the attacker has your account, and if you contact me through that same account and the hacker has control of it, of course he’s going to say, yeah that was me, click on it no problem, but if you give me a text that’s outside that network, outside his control, and I say no, that’s not me. Then you won’t click on it.

00:14:43 Ahmad 

Right! 

00:14:46 Carl 

So yeah, so in this case the best thing to do is just to try to be more vigilant of what applications you download. Make sure you stay away from third party downloads as much as you can and just take the extra step to actually just research this particular app just to make sure that it doesn’t have malicious, uh, malicious code in it. And again, just verify it. It takes like 2 seconds to just verify to see if your friend or parent or whoever actually did send you that link. Because like you said, if you just click it once they got you. But it just takes a few seconds. Say, hey Bob, did you send me this? If yes, everything is fine, if they say no, throw it away. Don’t even think about it, you just probably tell them, hey, your account may be compromised. Can you change your password or something, yeah?

Alright, so is there anything else you want to add? 

00:15:52 Ahmad 

No, this isn’t it. 

00:15:53 Carl 

Nope, alright, so I guess this concludes this week in simple cyber defense. You can reach us on all many of the different platforms, Facebook, Twitter, YouTube and many of the podcasts out there. 

And we look forward to seeing you in the next episode. 

00:16:14 Carl 

If you like what was in this episode, please consider liking, subscribing and sharing with others. For more information, to suggest a topic or to donate, head over to simplecyberdefense.com.

 Links:
Amazon Fixes Flaw on Kindle – https://www.news18.com/news/tech/amazon-fixes-flaw-on-kindle-that-couldve-allowed-hackers-steal-billing-data-4066439.html
Malicious Android apps try to hijack your Facebook account – https://www.techrepublic.com/article/malicious-android-apps-try-to-hijack-your-facebook-account/
Flytrap Android malware hijacks thousands of Facebook accounts – https://www.vpnranks.com/blog/flytrap-android-malware-hijacks-thousands-of-facebook-accounts/