An infamous cyber-mercenary group is infecting Android devices with spyware that steals users' conversations, new ESET research has found.
Known as Bahamut APT, the group is thought to be a hack-for-hire service that typically launches attacks through spear-phishing messages and fake applications. According to previous reports, its operators have targeted both organizations and individuals across the Middle East and South Asia since 2016.
ESET researchers believe the group's campaign of distributing malicious VPN apps, estimated to have begun in January 2022, is still ongoing.
From phishing emails to fake VPNs
"The campaign appears to be highly targeted, as we see no instances in our telemetry data," said Lukáš Štefanko, the ESET researcher who first discovered the malware.
"Additionally, the app requests an activation key before the VPN and spyware functionality can be enabled. Both the activation key and website link are likely sent to targeted users."
Štefanko explains that, once the app is activated, the Bahamut operators can remotely control the spyware, which lets them harvest a large amount of sensitive data from the device.
"The data exfiltration is done via the keylogging functionality of the malware, which misuses accessibility services," he said.
From SMS messages, call logs and device location to messages in end-to-end encrypted apps such as WhatsApp, Telegram or Signal, the attackers can spy on virtually anything on a victim's device without the victim noticing. Because the capture happens through the accessibility-service keylogger, what the user types and sees on screen is collected in the clear; the apps' encryption is bypassed, not broken.
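A check a responder would want at this point is to see which apps on a handset hold the accessibility permission the keylogger depends on. The script below is an added example and not ESET's code: it parses the output of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` entries) and flags every service whose package is not on a vendor allowlist. The allowlist, the sample output and the package name `com.example.fakevpn` are constructed for illustration.

```python
"""Triage check: list enabled Android accessibility services and flag the
unexpected ones. Added example, not ESET's code. It parses the output of

    adb shell settings get secure enabled_accessibility_services

which is a colon-separated list of <package>/<ServiceClass> entries, or an
empty string / the word "null" when none is enabled. The allowlist and the
sample output are constructed for illustration.
"""

# Assumption: the vendor's screen reader and switch access are expected.
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}

# Constructed sample output. The second entry stands in for a trojanized
# VPN app whose "service" is really a keylogger; the package name is made up.
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakevpn/.KeyService"
)


def parse_enabled_services(raw):
    """Return [(package, fully-qualified service class), ...]."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        # Android accepts the shorthand "/.Svc" meaning "<package>.Svc".
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def suspicious_services(raw, allowlist=KNOWN_GOOD_PACKAGES):
    """Enabled services whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(raw)
            if pkg not in allowlist]


if __name__ == "__main__":
    for pkg, cls in suspicious_services(SAMPLE_OUTPUT):
        print(f"review: {pkg} ({cls}) has accessibility access")
```

Run it against the real command output from a device with USB debugging enabled; any VPN or utility app that shows up here has the same screen-reading capability a keylogger needs and deserves a closer look.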
ESET identified at least eight versions of these trojanized VPN apps, which suggests the campaign is actively maintained.
It is worth noting that the legitimate VPN services being impersonated were not themselves compromised, and that none of the malware-laced apps were distributed through Google Play.
The initial distribution vector is still unknown, though. Given how Bahamut APT usually operates, a malicious link could have been sent via email, social media or SMS.
What do we know about Bahamut APT?
Although it is still not clear who is behind it, Bahamut APT appears to be a collective of mercenary hackers, as its attacks do not follow any single political interest.
Bahamut has been prolifically conducting cyberespionage campaigns since 2016, mainly across the Middle East and South Asia.
The investigative journalism group Bellingcat first exposed its operations in 2017, describing how both international and regional powers actively engaged in such surveillance operations.
"Bahamut is therefore notable as a vision of the future where modern communications has lowered barriers for smaller countries to conduct effective surveillance on domestic dissidents and to extend themselves beyond their borders," concluded Bellingcat at the time.
The group takes its name from Bahamut, the giant fish floating in the Arabian Sea described in Jorge Luis Borges' Book of Imaginary Beings.
More recently, another investigation highlighted how the Advanced Persistent Threat (APT) group is increasingly turning to mobile devices as a primary target.
Cybersecurity firm Cyble first spotted this new trend last April, noting that the Bahamut group "plans their attack on the target, stays in the wild for a while, allows their attack to affect many individuals and organizations, and finally steals their data."
In that case, too, researchers stressed the group's ability to build a convincing phishing site that tricks victims into trusting it.
As Lukáš Štefanko confirmed for the fake Android apps incident: "The spyware code, and hence its functionality, is the same as in previous campaigns, including collecting data to be exfiltrated in a local database before sending it to the operators’ server, a tactic rarely seen in mobile cyberespionage apps."
Several tax prep services have been found sending sensitive financial information to Meta, including people’s income, filing status, and even amounts won in college scholarships.
The information comes from an investigative report by The Markup, which found that the way tax filing services had implemented the Meta Pixel led to data collection on Meta's part that the services say was unintended.
Far more than user activity was being sent, and all without user consent. Filers' names, dependents' names, email addresses and, in some cases, phone numbers were among the data transmitted. It does not matter whether those users have an account on any Meta-owned platform: according to the report, Meta can still use the data to improve its advertising algorithms.
Google was also implicated in the report, but that situation appears less dire. A Google spokesperson said the data Google collects is scrambled and cannot be tied to a specific person.
Mixed messages
After looking through the report and the various statements made, there are a lot of mixed messages coming from the companies. Actions aren't aligning with statements.
According to Meta's own help center page, the company prohibits advertisers from sending it financial data; nevertheless, information on people's income was received. The tax filing services did give users the "option to decline to share tax information", but that made no difference, because the data was sent and received anyway.
Various spokespeople said the tax filing services they represent didn’t know Meta Pixel was sending so much information.
Now, however, several companies are changing how they use the code. TaxAct, one of the mentioned services, will no longer transmit financial details to Meta but will still send the names of dependents. Both TaxSlayer and Ramsey Solutions have removed the code from their websites. Others, like H&R Block, will continue sending information on “health saving accounts and college tuition grants.”
The Markup calls into question these services' claims that they didn’t know Meta Pixel was sending all this data. There is evidence, the report notes, to suggest TaxAct purposely configured the Pixel code to transmit certain dollar amounts as “parameters to a custom event,” allowing them to be tracked. We reached out to TaxAct and asked if it would like to make a statement about The Markup’s claim. This story will be updated if we hear back.
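The mechanism The Markup describes is worth seeing concretely. When a site calls the Pixel's `fbq('trackCustom', eventName, {...})` with form values in the parameter object, the browser sends an HTTPS request to `facebook.com/tr/` whose query string carries the event name as `ev=` and each parameter as `cd[key]=value`. The script below is an added example, not code from The Markup or from any tax-filing site: it takes captured Pixel request URLs (as a proxy or a browser's HAR export would record them) and flags custom-data keys that look like personal or financial fields. The URLs, pixel id, event and field names are constructed, and the sensitive-key list is an assumption to tune per site.

```python
"""Audit captured Meta Pixel requests for sensitive custom-event fields.

Added example, not code from The Markup or any tax-filing site. A Pixel
event reaches Meta as an HTTPS request to facebook.com/tr/ whose query
string carries the pixel id, the event name (ev=...) and any custom data
the site attached as cd[<key>]=<value>. The URLs, pixel id, event and
field names below are constructed; the sensitive-key list is an assumption
to tune per site.
"""
from urllib.parse import urlsplit, parse_qsl

# Constructed sample, as a proxy or browser HAR export would record it.
# Keys may arrive percent-encoded (cd%5B...%5D) or literal (cd[...]).
SAMPLE_REQUESTS = [
    "https://www.facebook.com/tr/?id=1234567890&ev=PageView"
    "&dl=https%3A%2F%2Fexample-tax.invalid%2Fstart",
    "https://www.facebook.com/tr/?id=1234567890&ev=ReviewReturn"
    "&cd%5Bfiling_status%5D=married&cd%5Bagi%5D=84210"
    "&cd[refund_amount]=1320&cd[dependent_name]=Jane",
    "https://www.facebook.com/tr/?id=1234567890&ev=ReviewReturn&cd[step]=3",
]

# Substrings that mark a custom-data key as personal or financial (assumption).
SENSITIVE_KEY_TERMS = (
    "income", "agi", "wage", "refund", "ssn", "status", "name",
    "email", "phone", "dependent", "scholarship", "grant", "tuition",
)


def pixel_event(url):
    """(event name, {custom key: value}) for a Pixel request, else None."""
    parts = urlsplit(url)
    if not parts.netloc.endswith("facebook.com") or not parts.path.startswith("/tr"):
        return None
    # parse_qsl percent-decodes keys, so cd%5Bagi%5D becomes cd[agi].
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    custom = {k[3:-1]: v for k, v in params.items()
              if k.startswith("cd[") and k.endswith("]")}
    return params.get("ev", ""), custom


def flag_sensitive(url):
    """(event, key) pairs on this request whose key looks like PII or money."""
    parsed = pixel_event(url)
    if parsed is None:
        return []
    event, custom = parsed
    return [(event, key) for key in custom
            if any(term in key.lower() for term in SENSITIVE_KEY_TERMS)]


def audit(urls):
    """Map each offending request URL to the (event, key) pairs it leaks."""
    report = {}
    for url in urls:
        hits = flag_sensitive(url)
        if hits:
            report[url] = hits
    return report


if __name__ == "__main__":
    for url, hits in audit(SAMPLE_REQUESTS).items():
        print(url.split("?")[0], hits)
```

The fix on the site side is not a filter on key names but a rule: values typed into a tax form are never passed as event parameters, and tracking scripts are kept out of authenticated filing flows altogether. The audit above is for catching violations of that rule in traffic, not for enforcing it.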
Currently, there's no indication any of the information collected has been misused. It's also unknown if any of the companies involved will face any kind of penalty. The Internal Revenue Service (IRS) has so far declined to comment on the situation, according to The Markup.
In trouble again
This isn’t the first time Meta Pixel has gotten its parent company or others into trouble. The tech giant is currently facing multiple lawsuits from across the United States over the Pixel code allegedly being used to collect people’s health data and serve them targeted ads. One complaint comes from Illinois where it accuses Meta and Advocate Aurora of “intercepting, accessing, and disclosing… patient health information…”
We also asked Meta if it had a statement about The Markup’s report and if there are plans to change the Pixel code given recent controversies. Again, we’ll update this story if we hear back.
In an effort to better protect underaged users, Meta is adjusting the default privacy settings on Facebook and Instagram to limit contact by “suspicious adults.”
Now, whenever a teenager joins Facebook, their account will automatically have more stringent privacy protections. This includes, but is not limited to, deciding who can see their friends list, what pages they follow, and who is allowed to comment on their posts. For accounts created before this update, Meta states it will begin pushing those users to adopt those same settings, but won't force it. If all this sounds familiar, that's because Instagram implemented very similar changes back in 2021 to protect young people there.
Power to the user
Meta goes on to say it’s working on new ways to stop blocked and reported accounts from contacting underaged users.
One way it will do this on Instagram, as part of a test, is to remove the message button on teens' profiles for those flagged accounts, so that such adults cannot use Instagram messaging to contact teen users directly.
Plus, the People You May Know recommendations feed on Facebook will also no longer display these flagged accounts.
Coming to both Messenger and Instagram is a new notification encouraging teenagers to use safety tools anytime they feel “uncomfortable” during a conversation. One notification will ask users if they know the person who just messaged them. If ‘No’ is chosen, both apps will bring up a series of actions they can take, like blocking the account or reporting them.
According to the announcement, the new Facebook default privacy settings are rolling out today (Nov. 21); presumably, so are the other changes. We reached out to Meta for clarification. This story will be updated if we hear back.
In addition to the update, Meta announced it's partnering up with the National Center for Missing and Exploited Children (NCMEC) to create a new platform to "prevent [teenagers'] intimate images from being posted online" and spreading across the internet. It aims to help underaged users "regain control" of these leaked images while also discouraging those acts in the first place.
Mixed messaging
While it's good to see more safety features being added, Meta's recent track record on privacy has been inconsistent. On one hand, the company improved Instagram's blocking system back in October to stop trolls from continuing to harass people. At the same time, the platform introduced a precise-location feature that can expose users to stalkers or theft.
It's a mixed message that could lead to privacy problems for all users, and especially for teenagers. With that in mind, see TechRadar's guide to the best parental control apps for 2022.
Wix has released a new SEO tool that it says will let users review and edit meta tags for each page, as well as URL slugs, indexability and open graph tags.
Available now, the update gives businesses the option to customize SEO-related elements such as structured data markups from one single settings page - the Wix dashboard.
Wix says its users can use the new SEO settings for main website pages and product pages, and it is working on making them available for blogging sites.
Wix SEO update
Over the last two years, Wix has focused heavily on advancing its SEO offering that’s attached to its popular website builder service.
With the aim of giving its users the tools to compete on search engines, Wix says it has focused on making this new tool house SEO features on a single page in its Wix Editor. This gives users a full picture of all their meta tags and a better understanding of what needs improving and customizing.
“The SEO Settings tool helps users apply the same SEO logic to many pages at once,” Wix said in a written PDF emailed to TechRadar Pro.
"Instead of editing a single page's settings, it allows users to customize the settings that apply to the whole section, folder or collection of pages, all at once. This way, users can create a systematic SEO strategy much quicker, and optimize their pages at scale. These basic settings include default meta tags for each page type, social preview, and more info about their pages' structured data."
TechRadar Pro has reached out to Wix to find out what sort of SEO pain points its users experienced that led to the development of the new update, but the company is yet to provide a response.
Microsoft has officially marked a frustrating printer bug as resolved, and those folks who were being blocked from upgrading to Windows 11 22H2 due to the compatibility issue will doubtless be pleased to hear that.
You might recall this seriously troublesome bug that emerged in late September 2022, forcing printers to revert to their default settings. By default, many important features weren’t available – we’re talking about printing in duplex, higher resolutions, and maybe even color, which could obviously be major stumbling blocks.
The good news is that as Neowin spotted, Microsoft officially marked the issue as resolved just a few days ago (November 18). In actual fact, the safeguard blocking devices which could run into this bug was removed a week previously – therefore allowing those machines to update to Windows 11 22H2 – though it could still take some time for the upgrade to come through.
At this point, though, any machine with a connected printer that could fall prey to this bug should be able to go ahead and upgrade to 22H2 successfully without waiting.
Microsoft observed: "Any printer still affected by this issue should now get resolved automatically during upgrade to Windows 11, version 22H2."
Analysis: A rocky road, for sure
This has been a bit of a rocky road for those with an affected printer wishing to upgrade to Windows 11 22H2, of course, as the bug has hung around for quite some time. As noted, it was two months ago that it first came to our attention, so this has hardly been a quick fix.
With a lot of questions being asked about the prevalence of Windows 10 bugs in the past, and now Windows 11 apparently continuing with a worrying amount of problems in terms of quality assurance, the whole affair isn’t a great look for Microsoft. Yes, we’ve banged this drum many times, but we’ll continue to do so while bugs like this printer-related gremlin – or other flaws such as File Explorer crashing or slowing down Windows 11 PCs – are still popping up far too often for our liking.
If you’ve been suffering at the hands of a gremlin in the works with Microsoft’s latest OS, be sure to check out our guide to solving common problems with Windows 11.
Users have been moving away for a variety of reasons. Twitter's subscription service, Blue, was made available for $8 / £7 / AU$9 and offered blue ticks to subscribers, only for that to be hastily withdrawn after a few days. An increasing number of bugs are also plaguing users, such as the app crashing and images refusing to load, both of which I've been experiencing lately.
Hive has recently been touted as another alternative, looking like a cleaner version of Mastodon's official app, and it comes with some nice additional features, such as the ability to add music to your profile. Yet there's something about Mastodon's community that keeps pulling me back to that social media platform and trying out the different third-party apps that developers have been working on to make it more user friendly.
However, while Mastodon is more welcoming to new users than it was, there are still three things it needs to do quickly in order to become the successor to Twitter, before another platform like Hive overtakes it.
1. Redesign and rename 'Servers'
While it's become easier to log in and sign up to a Mastodon server, by using the term 'Server', Mastodon is in danger of alienating a bunch of new users, as it may sound too 'techy' or complex.
Instead, the team could name it 'Communities' and perhaps have new users automatically join one so they can try out the service. The feed in this 'Community' could then show new accounts how to use Mastodon, while also allowing existing users to share tips and advice with newcomers.
Users want to connect to each other without much effort, and Mastodon still requires a lot of it - and that needs to change quickly.
2. Add some color and shine
Currently, the design of Mastodon is too sharp, too angular and too dark. If you switch to dark mode in the official app, it's almost a carbon copy of Twitter, especially with the icons.
I want to see ways to customize the user experience in Mastodon by letting users change the fonts and colors, similar to how Bebo, a social platform from 2008, would let you.
This would give Mastodon a lot more personality, as users could design and share their profiles with others. It would also be a nice break from Twitter's rather dull profiles, which all look the same.
3. Make it fun
Not only do we use these apps to keep in contact with family and friends, but it's also to have fun.
Mastodon lacks this at the moment, and for young people that could be an issue. For example, if images in a post fail to load (which I've noticed has been happening frequently), Mastodon ends up looking rather plain and boring, which could put a lot of people off.
Let's see some new features to better differentiate it from Twitter, Discord and Hive, such as being able to edit posts, or ways to choose different fonts and colors to make what you share really stand out.
Apart from Twitter Spaces, there's not a lot of difference between Twitter and Mastodon once you get past the login screen, and that needs to change to appeal to a bunch of new users who are growing tired of Musk's almost-daily (and increasingly chaotic) announcements on Twitter.