Weekly Roundup: Android Google App Bug, Backdoor on 2G Networks & Carnival Cruise Cyberattack

Today’s Top Security Roundup includes:

•         Security Bug in Google’s Android App
•         Carnival Cruise Cyber-Torpedoed by Cyberattack
•         2G had a backdoor because of export control regulations

 

Security Bug in Google’s Android App Puts User’s Data at Risk

Google’s very own Google app for Android has over 5 billion installations. The app is regularly used by hundreds of millions of people who make thousands of search queries per second. While the app is super useful, it does pose a security risk.

Google’s Android app had a bug that could have let a malicious app on your phone gain extensive permissions on your device. The attackers have exploited the flaw and potentially gained access to data like a user’s Google accounts, search history, email, text messages, contacts, and call history, as well as being able to trigger the microphone and camera and access the user’s location.

A Google spokesperson said:

Google has fixed the vulnerability last month and had no evidence that the flaw has been exploited by attackers. Android’s in-built malware scanner, Google Play Protect, is meant to stop malicious apps from installing. But no security feature is perfect, and malicious apps have slipped through their net before.

Google isn’t new to vulnerabilities and exploits. Founder of the mobile app security startup Oversecured, Sergey Toshin, says that any malicious app present on the smartphone would have to be launched at least once for the attack to work.

However, the sophisticated attack takes place without leaving a footprint for the victim. With no knowledge of the attack or a prompt message requiring consent, users are unaware of the damage that is taking place in the background.

What’s disturbing is that deleting the malicious app doesn’t remove the malicious components from the Google app. This should be a wake-up call for users who download apps without verifying the developer or confirming the app’s credibility.

Carnival Cruise Cyber-Torpedoed by Cyberattack

One of the largest international cruise lines, Carnival Cruise, has been a victim of a massive cyberattack. This is the fourth time in a bit over a year that Carnival’s admitted to breaches, two of them being ransomware attacks.

Hackers were able to breach email accounts and access personal, financial, and health information of guests, employees, and Carnival’s crew.

Carnival Cruise issued a data breach notification to the affected customers saying:

“It appears that in mid-March, the unauthorized third-party gained access to certain personal information relating to some of our guests, employees, and crew. The impacted information includes data routinely collected during the guest experience and travel-booking process, or through the course of employment or providing services to the company, including COVID or other safety testing.”

Later on, Roger Frizzell, Carnival’s SVP and chief communications officer, affirmed that the attackers were also able to gain access to “limited portions of its information technology systems.”

While Carnival Cruise claims that there’s a low likelihood of the misused data, there’s no guarantee that it hasn’t already been misused or may get mishandled in the future. It’s a daunting risk providing personal information to entities that cannot secure their digital infrastructure and keep users’ private information safe.

As a Carnival guest, you must weigh the cost of having your valuable information be part of a data breach against the joy you would have on the cruise.

2G had a backdoor because of export control regulations

A recent research paper claims that the GEA-1 algorithm used in 2G networks had what appears to be a backdoor built into it, meaning mobile devices were potentially vulnerable for years.

Organizations that developed GEA-1 admitted the severe weakness but said that it was introduced due to ‘export control regulations’ as the export regulations at the time did not allow for more robust encryption.

By reverse-engineering the algorithm, researchers claimed that the backdoor appeared to be deliberate and agree that the lower security level of 40 bits was put in place due to export regulations.

Although the outdated algorithm isn’t standard anymore, the threat to devices using 2G still exists. With the introduction of 3G and 4G, the out-of-date 2G standard doesn’t pose that big a threat. Moreover, export regulations no longer purposely require companies to weaken encryption, meaning the current security standards are far more secure.

Knowing the latest happenings and staying updated is crucial to dodge vulnerabilities existing online.