Cyber Security Headlines: Pinduoduo malware, CFTC sues Binance, Twitter takes down source code

Pinduoduo malware confirmed

Last week we covered that Google suspended the app for the ecommerce giant Pinduoduo from the Play Store, over alleged malware in its app available on other platforms. Now the security firm Lookout confirms that versions of the app on third-party markets exploited a known privilege-escalation flaw. The app used this to download and run code on the device. Researchers said the app could add widgets to devices, track usage of other apps, see notifications and access location information. The malicious apps were signed by the same private key as the version on the Play Store.

(Ars Technica)

Binance sued by CFTC 

The US Commodity Futures Trading Commission filed a lawsuit against the crypto exchange Binance and its CEO Changpeng Zhao. The filing claims Binance regularly broke derivatives rules, failing to register with the agency for several years. Other violations include instructing customers to use VPNs to obscure locations and directing users to open accounts under shell company names. Binance’s records show that as of August 2020, it earned $63 million from derivatives transaction fees, with 16% of customer accounts in the US.

(Bloomberg)

Twitter source code takedown 

Last Friday, GitHub complied with a DMCA infringement notice from Twitter that sought to remove proprietary source code and tools that had been published for months. Twitter now seeks a subpoena to search for those responsible for leaking and downloading its code. The DMCA notice says someone with the handle “FreeSpeechEnthusiast” is behind the leak. Twitter has indicated that GitHub should provide info about the access history for the leak as a solution for the copyright infringement. The leaker’s GitHub account appears active but no longer contains public repositories. Its first contribution dates back to January 3rd.

(Bleeping Computer)

Linus and YouTube’s hacking problem

YouTube channel Linus Tech Tips and two other Linus Media Group YouTube channels suffered account takeovers last week, with the attacker able to livestream crypto scam videos, change channel names, and delete videos. According to channel owner Linus Sebastian, the attacker sent over a PDF that someone in Linus Media Group’s team downloaded, because it looked like a sponsorship offer. That PDF included malware that accessed “all user data from both their installed browsers” — including session tokens — which gave the attacker “an exact copy” of the browsers that they could export without needing security credentials. 

This seems to be an increasingly common occurrence. The Verge found similar accounts seemingly taken over with the same scam in seconds. Sebastian says YouTube needs “better security options to change key channel attributes” like reauthenticating credentials to change a channel name. Sebastian also called out YouTube to make account recovery more transparent to creators, and to be more responsive to smaller channels.

(The Verge)

French government joins the app banning train

The government of France announced a new policy that bans all recreational apps from government issued phones. The country’s minister of transformation and public service, Stanislas Guerini, said no apps in the category showed robust enough security for government devices. So yes, this does include TikTok. The policy does provide exceptions for apps needed for official communications. The policy provided no clear timeline for removing the apps. This comes after several other nations banned TikTok on government devices. 

(The Register)

Nvidia comes down on crypto

Over the past several years, the chipmaker Nvidia showed a mercurial relationship with cryptocurrency. On the one hand, demand for GPUs to mine cryptocurrency fueled its revenue. On the other hand, it taxed GPU supply for other users, like gamers, resulting in the company producing cards designed for inefficient mining. However, CTO Michael Kagan made their position a little clearer in an interview with The Guardian, saying crypto “doesn’t bring anything useful for society. AI does.” This comes as in recent quarters Nvidia’s datacenter and AI-focused business unit generated more revenue than its gaming GPU division.

(The Guardian)

White House puts new limits on commercial spyware

President Biden signed an executive order placing limits on the use of commercial spyware by federal agencies. This bans spyware already misused by foreign actors or that could pose a security risk to the US. The order sets out guidelines for determining misuse and security risks, like using the spyware against activists. The order does not establish a ban-list of entities. Rather it will determine a spyware ban on a case-by-case basis, with no requirement for public disclosure. 

(The Record)

The security tradeoffs of splitting TikTok

In an editorial on TechDirt, former head of trust and safety at Twitter, Yoel Roth, outlined the potential cybersecurity repercussions if the US allows TikTok to operate under its Project Texas plan. This would separate off US TikTok users, ostensibly making their data inaccessible to its parent company ByteDance. Roth points out that this will limit the ability of a US-based TikTok to find and shut down influence operations on its network. It would only be able to work from a limited set of user signals to analyze. Roth distills the problem down to “establishing geographic limits around a problem that does not respect geography.” Right now TikTok operates with 1.5 billion global users, but a US-only TikTok would be only 10% of that.

(TechDirt)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.