News update: October 3rd

Filip Truta for Bitdefender: Researchers use Android password managers to make phishing attacks more practical
“Simone Aonzo, Alessio Merlo, and Giulio Tavella from the University of Genoa and Yanick Fratantonio from EURECOM found that certain Android password managers can be tricked into entering valid login credentials into phishing apps. The trick even works with Google’s try-before-you-buy Instant Apps, which allows users to take apps for a spin without actually installing their contents on the device.”

Graham Cluley, also for Bitdefender: Even with the latest iOS 12 update, your iPhone’s lockscreen is unsafe
“Jose Rodriguez, who has uncovered vulnerabilities in iOS’s lock screen security on a number of occasions in the past, has produced a video demonstrating an (admittedly convoluted) way of accessing information on locked iOS devices that really should be out of bounds.”

Lawrence Abrams for Bleeping Computer: Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones
Kaspersky has discovered that [Roaming Mantis Group] is testing a new monetization scheme by redirecting iOS users to pages that contain the Coinhive in-browser mining script rather than the normal Apple phishing page.

Pierluigi Paganini: Expert demonstrated how to access contacts and photos from a locked iPhone XS
“…Jose Rodriguez has discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that could be exploited … (with physical access to the iPhone) to access photos, contacts on a locked iPhone XS and other devices.

The hack works on the latest iOS 12 beta and iOS 12 operating systems, as demonstrated by Rodriguez in a couple of videos he published on YouTube (Videosdebarraquito).”

Zeljka Zorz for HelpNet: How to minimize the negative effect of mobile device loss or theft

David Harley

*** This is a Security Bloggers Network syndicated blog from Mac Virus authored by David Harley. Read the original post at: