Mobile Tax Apps Tax User Security

Tax season is almost universally associated with unhappiness. Piles of crumpled receipts, coffee-stained forms, and weekends lost to itemizing every purchase are just some of the unpleasant chores tied to this time of year. As with many once-arduous tasks, mobile technology has made life easier for many people, including those doing their own taxes. Companies such as TurboTax and TaxSlayer have built mobile apps to help customers submit receipts, check on refunds, and much more.

But, you know what they say about good intentions…

That saying certainly applies to mobile apps used for sensitive financial and personal tasks. Usability and visually appealing interfaces are often prioritized far above security. In April, a Hewlett-Packard (HP) audit found that more than 90% of popular mobile tax and finance apps contained at least one potential security violation.

The flaws HP found ranged from irksome to downright alarming: accessing contacts, tracking the user's location, storing sensitive data unencrypted, transmitting data insecurely, and unsafe cookie handling. Many of these apps also rely on encryption methods with known weaknesses, and if the security industry knows about a weakness, you can be sure attackers do too.

One of the biggest concerns with using mobile apps for sensitive financial activity is the connection to third-party storage. Users take for granted that data flows seamlessly between mobile and desktop accounts, but that convenience is normally provided by cloud services. Checking the status of your tax refund on a phone is handy, but every extra path that data travels is another chance for someone to get hold of Social Security and credit card numbers.

As with so many app-safety issues we have covered before, consumers need to understand an app's security limitations before trusting it with financial and personal data. Always review what information an app will have access to before installing it, and periodically check what data installed apps are actually using.

Whether you are sending risky photos to a significant other through a chat app or checking your bank account, an app's promises of security should be taken with a grain of salt. The HP audit shows once again that, in practice, responsibility for user safety falls to the consumer rather than the companies that build the app.

To keep personal information out of the wrong hands, be discerning about what gets stored on phones and tablets, no matter how convenient or pretty the app. Additional precautions such as PIN codes and mobile security apps like McAfee Mobile Security for iOS and Android can go a long way toward keeping prying eyes out.

To keep up with the latest security threats, make sure to follow @McAfeeConsumer on Twitter and like us on Facebook.


The post Mobile Tax Apps Tax User Security appeared first on McAfee Blogs.

Beware of Impostor Android Apps Using Fake ID

A recently disclosed Android vulnerability called Fake ID allows an app to impersonate another app by copying its identity. Every app has an identity chosen by its developers: they generate a public/private key pair, and the public key is wrapped in a digital certificate that is used to cryptographically sign the app package (the .apk file on Android), so that a tool or the operating system can later verify who signed it. A certificate also names its issuer, and the installer builds a chain of certificates from the app's own certificate up through its issuers. A malicious developer can copy the public certificate of another app, declare it as the issuer of a new certificate, bundle both in the new app, and effectively pose as the other app. Given the nature of the vulnerability, only a malicious developer would deliberately craft a package this way. Depending on which certificate is copied, the malicious app may gain privileged access to the system or to other running applications, because some components extend trust to any package whose certificate chain contains a specific signer.

At the heart of Android's security model, as in many contemporary platforms, is a component that verifies application packages against their signatures to ensure a package really matches the identity it claims. Correctly done, that component validates the certificate chain by checking the signature on each child certificate against the public key of the certificate named as its issuer. The Fake ID flaw is that the chain builder accepted a bundled certificate as the issuer of another on the strength of the names alone, without verifying the issuer's signature, so the system could not tell a genuine chain from a forged one and one application could claim to have been issued by another application or identity.
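The following is an added illustration of the chain-building flaw just described; it is not Android's or McAfee's code. It models certificates as small records with a subject, a claimed issuer, a public key and a signature, signs them with toy textbook RSA over fixed small primes (never use such keys for real), and contrasts a chain builder that matches issuer to subject by name alone (the pre-fix behaviour) with one that also verifies the issuer's signature on each child. The subject names, the "trusted plugin vendor" and the keys are all constructed for the example.

```python
"""Toy model of the Fake ID chain-building flaw: a name-matching chain builder
(the pre-fix behaviour) beside one that verifies each issuer's signature.
Added illustration, not Android's or McAfee's code.  The RSA keys use fixed
small primes and the subject names are made up; nothing here is a real Android
identity or a real trusted signer."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass

E = 65537


def make_keypair(p: int, q: int) -> tuple[tuple[int, int], tuple[int, int]]:
    """Textbook RSA over two fixed primes (toy sizes; never use for real keys)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))      # (public, private); Python 3.8+


def digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, priv: tuple[int, int]) -> int:
    n, d = priv
    return pow(digest_int(data, n), d, n)


def verify(data: bytes, sig: int, pub: tuple[int, int]) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str             # name of the claimed issuer (unverified on its own)
    pub: tuple[int, int]    # subject's public key
    sig: int                # signature over tbs() by the issuer's private key

    def tbs(self) -> bytes:
        """The to-be-signed fields: everything except the signature."""
        return f"{self.subject}|{self.issuer}|{self.pub[0]}|{self.pub[1]}".encode()


def issue(subject: str, issuer: Cert | None, subject_pub, signer_priv) -> Cert:
    """Create a cert naming `issuer` (or itself) and signed with `signer_priv`.
    Passing a signer key that does not belong to `issuer` yields a forgery."""
    issuer_name = issuer.subject if issuer else subject
    unsigned = Cert(subject, issuer_name, subject_pub, 0)
    return Cert(subject, issuer_name, subject_pub, sign(unsigned.tbs(), signer_priv))


def _walk(leaf: Cert, bag: list[Cert], accept) -> list[Cert]:
    chain, cur = [leaf], leaf
    while cur.issuer != cur.subject:                     # stop at a self-signed root
        nxt = next((c for c in bag if c.subject == cur.issuer
                    and c not in chain and accept(cur, c)), None)
        if nxt is None:
            break
        chain.append(nxt)
        cur = nxt
    return chain


def chain_by_name(leaf: Cert, bag: list[Cert]) -> list[Cert]:
    """VULNERABLE: any bundled cert whose subject equals the child's issuer
    string is taken as the issuer, without checking that it signed the child."""
    return _walk(leaf, bag, lambda child, cand: True)


def chain_verified(leaf: Cert, bag: list[Cert]) -> list[Cert]:
    """FIXED: a candidate issuer must also verify the child's signature."""
    return _walk(leaf, bag, lambda child, cand: verify(child.tbs(), child.sig, cand.pub))


def grants_trust(chain: list[Cert], trusted: set[str]) -> bool:
    """Models a component that extends privileges to any package whose
    certificate chain contains a trusted signer."""
    return any(c.subject in trusted for c in chain)


# --- constructed scenario (placeholder names, toy keys) ---------------------
TRUSTED_CN = "CN=Trusted Plugin Vendor"
vendor_pub, vendor_priv = make_keypair(1000000007, 998244353)
plugin_pub, _ = make_keypair(167772161, 469762049)
attacker_pub, attacker_priv = make_keypair(2147483647, 999999937)

vendor_cert = issue(TRUSTED_CN, None, vendor_pub, vendor_priv)         # self-signed root
legit_cert = issue("CN=Genuine Plugin", vendor_cert, plugin_pub, vendor_priv)
# The impostor names the vendor as issuer but can only sign with its own key.
forged_cert = issue("CN=Impostor App", vendor_cert, attacker_pub, attacker_priv)

# A Fake ID package bundles the forged cert with a copy of the vendor's public cert.
apk_certs = [forged_cert, vendor_cert]


def vulnerable_result() -> bool:
    return grants_trust(chain_by_name(forged_cert, apk_certs), {TRUSTED_CN})


def fixed_result() -> bool:
    return grants_trust(chain_verified(forged_cert, apk_certs), {TRUSTED_CN})


if __name__ == "__main__":
    print("name-only chain :", [c.subject for c in chain_by_name(forged_cert, apk_certs)])
    print("verified chain  :", [c.subject for c in chain_verified(forged_cert, apk_certs)])
    print("vulnerable grants trust:", vulnerable_result())   # True
    print("fixed grants trust     :", fixed_result())        # False
```

The name-only walk links the impostor to the vendor certificate because the issuer string matches, and a component keyed on "vendor in chain" would extend its privileges to the impostor. The signature-checking walk stops at the impostor's own certificate, so bundling extra certificates buys the attacker nothing, which is exactly why an attacker on an unpatched device could instead bundle many copied certificates to cover every trusted identity at once.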

Depending on the behavior of the installed application, on which certificate was copied, and on whether that certificate carries any default level of trust on the Android platform, data could be leaked from the device or other malicious activity could take place. Because all but the latest version of Android give no warning, a user would be none the wiser that an exploit had occurred.

Users of Android 2.1 (Eclair) through 4.3 (Jelly Bean) are vulnerable to this exploit, but whether a malicious application can actually gain elevated privileges depends on the hardware manufacturer and on which applications are present on the device.

Google patched this vulnerability in the latest Android release, version 4.4.4, in April and has delivered the patch to OEMs. All users should make sure they are running this version of Android or should take the measures below to make sure they are not affected.

Depending on the hardware manufacturer and the Android version, a device may be exposed to one or more privilege-escalation vectors. Because the problem lies in how certificate chains are built, an attacker can simply bundle many copied certificates in a crafted package to cover every identity that might be trusted on a given device. To protect yourself:

  1. Install updates: Update your Android device to the latest OS, Android 4.4.4. This may be out of your control because of customizations by Android OEMs and carriers.
  2. Use security software: Especially if you cannot update your device, you can use a new free tool from McAfee, Fake ID Detector, which quickly discovers whether any installed app contains the exploit. The McAfee Mobile Security suite will check for the exploit in a future version; the current version protects against known malware samples that use the vulnerability.
  3. Avoid untrusted app stores: Know and trust the sources of the applications you install. Google has put measures in place to check apps for this exploit before they become available in Google Play. Avoid installing applications from third-party marketplaces, and especially any attached to or linked from emails or text messages.


The post Beware of Impostor Android Apps Using Fake ID appeared first on McAfee Blogs.

Beware of the Risks of Online Gaming and Fantasy Football

August may mean the last days of summer vacation and start of back to school for some, but for die hard NFL fans it also means the return of football (American football that is). And for many this also means the start of their fantasy football league.

And though these fantasy teams are not real, the money and numbers behind them are real. The Fantasy Sports Trade Association (FSTA) reported that approximately $1.67 billion was spent on fantasy football in 2012 and in 2013, there were approximately 25.8 million fantasy football players in the United States. It’s one of the fastest growing industries in the United States and is projected to grow at an average annual rate of 7.6%. A quick Google search of “fantasy football” generates 397,000,000 results.

And why does this matter? Because criminals are aware of these numbers and, like anyone else, go where the numbers are. Fantasy footballers searching online for in-depth information on their players can expose themselves to risk; participating in fantasy football leagues and online gambling are two of the biggest attractors of cybercrime.

So as you’re getting ready to “get in the game,” make sure you’re aware of the risks:

Viruses and worms. These can take the form of attachments with emails or instant messaging. If you open an attachment, download something or install software that’s malicious, you’re in for a nasty surprise.

Malware. Malicious software can be installed simply by visiting an infected site. Crooks may use social engineering to lure you into visiting a website that then downloads malware and installs it on your computer or mobile device. Or searching for information on that cornerback that you think is going to be your “sleeper” could lead you to malicious sites as well.

Social interaction. This now comes with many online games (e.g., chat rooms, instant messaging), but it also comes with a heightened risk of infiltration by criminals. Thieves will find vulnerable spots amid all the workings of an online gaming community and get ahold of your personal information—which can lead to identity theft as well as maxing out your credit card. Gee, they can even pose as family members and trick you into sending them money or revealing private information.

So, what can you do?

  • Use caution when opening attachments or downloading files: If you receive an attachment in an email or instant message…think very carefully and hard before you open that attachment. If it seems to be from a familiar person, first contact that person (don’t hit “reply” to do this; do it separately) to verify that the individual sent you an attachment.
  • Keep things up to date: Keep your browser, operating system, and mobile apps up to date so you are protected from known security holes. Consider browser protection, like McAfee® SiteAdvisor®, that warns you before you visit risky sites.
  • Monitor app permissions frequently: Even good apps can go bad, which is why it’s important to monitor what and how much they have access to. Check app permissions to make sure they can’t get a hold of more information than they need. McAfee® Mobile Security for Android not only reviews permissions of downloaded apps, but also provides you with an app reputation report, based on a proprietary algorithm that takes into account the app category as well as the developer’s reputation.
  • Use long, strong passwords: Use a mix of upper- and lower-case letters, numbers, and symbols, and make each password at least 14 characters long. Never use sequential keyboard characters or words found in a dictionary. No matter how many passwords you need, each one should be different. For help building strong passwords that are memorable, go to
  • Back up your data: Make sure to back up all of your data, and never wait too long in between making new backups.
  • Use comprehensive security software: A comprehensive security suite like McAfee LiveSafe™ service can detect and delete malware that finds its way onto your computer. It also comes with a password manager to help you remember all of your logins and browser protection to keep you from going to risky sites.

With the growth in mobile and social, fantasy football could become larger than the football industry itself, which will continue to attract the hackers, so make sure you stay abreast of the latest information to stay safe online!


Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

The post Beware of the Risks of Online Gaming and Fantasy Football appeared first on McAfee Blogs.

Adobe Flash Player Installer Scams Reappear on Google Play

Adobe Flash Player has been a boon to Android malware creators for a long time. These developers have taken advantage of Flash’s popularity to create premium SMS Trojans and droppers, as well as other types of malware. McAfee Labs has detected a common scam app–Android/Fladstep.B–on the Google Play store since the end of 2013. The malware tricks users into paying money via PayPal to install Flash Player. The malware is removed from the store every time it appears, but we have found that the same attacks are again on Google Play.



Examples of Flash Player installer scam apps on Google Play store.


Multiple apps claiming to be installers of Flash Player have been published by several app developer accounts since the end of June. The malware is short lived, but the total download count of those apps amounts to more than 50,000, according to Google Play statistics. These apps were quickly removed, but they reappear soon with different names and developer accounts.



A Flash Player installer scam app that has been just published.


When launched, this scam app simply opens a web page that asks the user to pay a €5 fee via PayPal to install Flash Player. The web page is hosted on a server in Turkey for some apps and in the United States for others. If the user pays the fee with a PayPal account, the web page shows a download link for Flash Player that is nothing more than the legitimate URL of Adobe's download site.



The malicious web page requesting users to pay with PayPal for Flash Player installation.



PayPal payment screen.


In short, victims are tricked into paying money for a free download. The scammer might claim that the installer app provides an “added value” to automatically detect the version of the Flash Player appropriate to the user’s Android OS version, but this version identification is easy to do by checking Adobe’s download site.



The download link shown after payment points to the real Adobe download site.



The Flash Player downloaded from the Adobe’s site.


Another sin of this scam app is that the app’s description page on Google Play shows some screen images including one that implies the user can get both Flash Player and its “tutorial.” However, no tutorial is supplied, even to users who pay; they get exactly the same package as everyone else.



The screen shot on Google Play that promises a tutorial.


Last, paying with PayPal hands the user's name and email address to the app developer, who can easily collect and abuse the personal information of these victims. Those careless enough to be scammed once can easily be targeted in future scams.

Flash Player will continue to benefit malware authors due to its popularity. And this type of scam will continue because criminals can easily and directly get money from their victims using popular online payment services. Users should be very careful about the sellers of products when using online payments, for example, by checking that the name and contact information of the company or seller is explicitly displayed and that the product is really what they want to buy.

McAfee Mobile Security detects these Android scam apps as variants of Android/Fladstep, and also blocks browser access to websites hosting this scam.

The post Adobe Flash Player Installer Scams Reappear on Google Play appeared first on McAfee Blogs.

European Spammers Set Their Sights on Android Devices

These days, thanks to advances in technology and an overwhelming number of options, many of us order items online instead of walking into a brick-and-mortar store. Unfortunately, malware authors have caught on to this trend and are exploiting it on both mobile and desktop platforms.

Email spam posing as tracking notifications from shipping companies such as DHL Express, FedEx, or UPS has become one of the most common ways to distribute this kind of malware. Most recently, criminals used these tactics in two campaigns in Europe.

The first, a mobile spam campaign, targeted German users via text message. A message posing as a DHL tracking notification pointed Android users to an app download; once downloaded and installed, it delivered the malware. For a more in-depth look at how this malware operates, read this recent McAfee Labs™ post.

The second, in Poland, was a more traditional email spam campaign. Victims received an email, allegedly from a bank, warning that malware had been detected on their mobile device. The email carried an attachment claiming to be a mobile-malware detector from a well-known security company. The attached app was in fact the malware itself: a new variant of an Android remote access tool (RAT), discovered by the McAfee Labs team.

In both cases, once installed on the victim's smartphone, the malware accepted the following commands from its remote server:

  • Leak sensitive device information such as the contact list, phone number, device model, call logs, browser history, and more.
  • Send SMS messages to numbers, and with text, supplied by the remote server.
  • Interfere with incoming messages.
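Every capability in the list above (and the contact and location access flagged in the tax-app audit earlier on this page) corresponds to an Android permission the app must request, which is why the advice to review app permissions is worth acting on. As an added example, not McAfee's code, the script below parses the permission sections of `adb shell dumpsys package <pkg>` output and maps the sensitive ones to the capability they enable. The dumpsys excerpt is constructed to mirror the layout of real output (the package name is made up); newer Android builds append extra flags after `granted=`, which the pattern tolerates.

```python
"""Map an Android app's requested/granted permissions to the spying
capabilities they enable, from `dumpsys package` text.  Added example, not
McAfee's code.  SAMPLE_DUMPSYS is constructed to look like real dumpsys
output; the package name and the grant states are made up."""
from __future__ import annotations
import re

# Real android.permission names; the capability wording is this example's own.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "read contact list",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.READ_PHONE_STATE": "read phone number / device identity",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.SEND_SMS": "send messages on the user's behalf",
    "android.permission.RECEIVE_SMS": "intercept incoming messages",
    "android.permission.READ_SMS": "read stored messages",
}

# Constructed sample shaped like `adb shell dumpsys package com.example.trackingnotice`.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.trackingnotice] (3f2a1b):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.READ_PHONE_STATE
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.READ_CONTACTS: granted=true
      android.permission.READ_CALL_LOG: granted=true
      android.permission.RECEIVE_SMS: granted=true
      android.permission.SEND_SMS: granted=false
      android.permission.READ_PHONE_STATE: granted=true
"""

# A permission line, optionally followed by ": granted=true|false" and any trailing flags.
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)(?::\s+granted=(true|false).*)?\s*$")


def parse_permissions(dumpsys: str) -> dict[str, bool | None]:
    """Return {permission: granted}; granted is True/False when an install
    permissions line says so, or None when the permission is only requested."""
    perms: dict[str, bool | None] = {}
    for line in dumpsys.splitlines():
        m = PERM_RE.match(line)
        if not m:
            continue
        name, granted = m.group(1), m.group(2)
        if granted is None:
            perms.setdefault(name, None)       # requested; keep any known grant state
        else:
            perms[name] = granted == "true"
    return perms


def sensitive_capabilities(dumpsys: str, granted_only: bool = True) -> dict[str, str]:
    """Sensitive permissions the app holds (or, with granted_only=False, merely
    requests), mapped to what they let the app do."""
    perms = parse_permissions(dumpsys)
    return {p: SENSITIVE[p] for p, g in perms.items()
            if p in SENSITIVE and (g or not granted_only)}


if __name__ == "__main__":
    for perm, capability in sensitive_capabilities(SAMPLE_DUMPSYS).items():
        print(f"{perm:45} -> {capability}")
    print("requested but not yet granted:",
          sorted(set(sensitive_capabilities(SAMPLE_DUMPSYS, granted_only=False))
                 - set(sensitive_capabilities(SAMPLE_DUMPSYS))))
```

On the constructed sample the app already holds contact, call-log, phone-identity and incoming-SMS permissions, the same set the RAT above needs, and has SEND_SMS requested but denied; an app that asks for this combination without an obvious reason is the kind the permission-review advice is meant to catch.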

These text and email spam campaigns are becoming an increasingly popular way to distribute Android malware, steal personal information, or even gain complete control over a mobile device.

McAfee® Mobile Security, free for Android and iOS, detects both of these threats and others like it. The Android version alerts users if a threat is present and protects them from any potential data loss. iOS users can get backup and recovery for contacts, photo and video protection, as well as location tracker.



The post European Spammers Set Their Sights on Android Devices appeared first on McAfee Blogs.