The popularity of AI-based mobile applications that can create artistic images based on pictures, such as the “Magic Avatars” from Lensa, and the OpenAI service DALL-E 2 that generates them from text, have increased the mainstream interest of these tools. Users should be aware of those seeking to take advantage to distribute Potential Unwanted Programs (PUPs) or malware, such as through deceptive applications that promise the same or similar advanced features but are just basic image editors or otherwise repackaged apps that can drain your data plan and battery life with Clicker and HiddenAds behaviors, subscribe you to expensive services that provide little or no value over alternatives  (Fleeceware), or even steal your social media account credentials (FaceStealer).

Dozens of apps surface daily claiming to offer AI image creation. Some of them might be legitimate or based on open-source projects such as Stable Diffusion, but in the search for a free application that produces quality results, users might try new apps that could compromise their privacy, user experience, wallet and/or security.

The McAfee Mobile Research Team recently discovered a series of repackaged image editors on the Google Play app store which presented concerning behaviors.  McAfee Mobile Security products help protect against such apps, including those classified as Android/FakeApp, Android/FaceStealer, Android/PUP.Repacked and Android/PUP.GenericAdware.

McAfee, a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem, reported the discovered apps to Google, which took prompt action and the apps are no longer available on Google Play.

We now discuss various types of privacy and/or security risks associated with the types of apps recently removed from the app store.

FaceStealer

“Pista – Cartoon Photo Effect” and “NewProfilePicture” are examples of apps that offered compelling visual results, however, each was based on the same image editor with basic filters and trojanized with Android/FaceStealer, which is a well-known malware capable of compromising a victim’s Facebook or Instagram account. The apps could capture user credentials during a Facebook login by embedding a javascript function loaded from a remote server (to evade detection) into a flutter webview activity that displays the Facebook login screen. 

“NewProfilePicture” and “Pista – Cartoon Photo Effect” are examples of FaceStealer malware that posed as a cartoon avatar creator.

The same image editor which was repackaged into the above two apps has also been repackaged alternatively with adware modules and distributed by other developers under other app names, such as “Cartoon Effect | Cartoon Photo”:  

Fleeceware

Fleeceware refers to mobile apps that use various tactics to enroll users into subscriptions with high fees, typically after a free trial period, and often with little or no value to the subscriber beyond cheaper or free alternatives. If the user does not take care to cancel their subscription, they continue to be charged even after deleting the app.

“Toonify Me”, which is no longer available on the Play Store, cost $49.99 per week after 3 days – almost $2,600 per year – for what featured AI-generated illustrations in the app description, but was another repackaged version of the same image editor functionality found within “NewProfilePicture” and “Pista – Cartoon Photo Effect”. 

In this case, the “Toonify Me” app did not allow feature access without enrolling in the subscription, and the “CONTINUE” button which initiated the subscription was the only option to tap in the app once it was launched.

Adware

Promoted by ads that described it as capable of transforming pictures into artistic drawings, the “Fun Coloring – Paint by Number” app is an example of a repackaged version of a different, legitimate pixel painting app.  It lacked the advertised AI effects and was plagued with adware-like behavior.  

Consistent with many reviews complaining about unexpected ads out of the context of the app, once installed, the app started a service that communicated in the background with Facebook Graph API every 5 seconds and might pull ads based on received commands after some time of execution. The app contained multiple injected SDK modules from AppsFlyer, Fyber, InMobi, IAB, Mintegral, PubNative and Smaato (none of which are in the original app, which was repackaged to include these), which would help monetize installations without regard for user experience. 

help monetize installations without regard for user experience.

Conclusion

When new types of apps become popular and new ones appear on the market to offer similar features, users should act with caution to avoid becoming victim to those wanting to exploit public interest.

When installing an app which causes you doubt, make sure you:

Read the pricing and other terms carefully,
Check that permissions requested are reasonable with the purpose of the app,
Look for consistently bad reviews describing unexpected or unwanted app behavior,
Verify if the developer has other apps available and their reviews, and
Consider skipping the app download if you aren’t convinced of its safety.

Even if an app is legitimate, we also encourage users to look closely before installation at any available privacy policy to understand how personal data will be treated.  Your face is a biometric identifier that’s not easy to change, and multiple pictures might be needed (and stored) to create your model.

Artificial intelligence tools will continue to amaze us with their capabilities and probably will become more accessible and safer to use over time.  For now, keep in mind that AI technology is still limited and experimental, and can be expensive to use – always consider any hidden costs.  AI also will bring more challenges as we discussed on the 2023 McAfee Threat Prediction blog.

IDENTIFIED APPS

The following table lists the application package name, hash sum SHA256, minimum number of installations on Google Play and the type of detected threat. These apps were removed from Google Play, but some may remain available elsewhere.

Package Name
SHA256
I
Type

com.ayogamez.sketchcartoon
9cb1d996643fbec26bb9878939735221dfbf639075ceea3abdb94e0982c494c1
5M
Adware

com.rocketboosterapps.toonifyme
3f45a38b103e1812146df8ce179182f54c4a0191e19560fcbd77240cbc39886b
10K
Fleeceware

com.nhatanhstudio.cartoon.photoeffect
2c7f4fc403d1449b70218624d8a409497bf4694493c7f4c06cd8ccecff21799a
5K
Repackaged Adware

com.cambe.PhotoCartoon
5327f415d0e9b21523f64403ec231e1fd0279c48b41f023160cd1d70dd733dbf
10K
Repackaged Adware

com.chiroh.cartoon.prismaeffect
18fef9f92639e31dd6566854feb30e1e4333b971b05ae9aba93ac0aa395c955b
1K
Repackaged Adware

cartoon.photo.effect.editor.cartoon.maker.online.caricature.appanime.convert.photo.intocartoon
3b941b7005572760b95239d73b8a8bbfdb81d26d405941171328daa8f3c01183
50
Repackaged Adware

com.waxwell.saunders.pistaphotoeditor
489d4aaec3bc694ddd124ab8b4f0b7621a51aad13598fd39cd5c3d2067b950e5
50
FaceStealer

com.ashtoon.tooncool.skordoi
980c090c01bef890ef74bd93e181d67a5c6cd1b091573eaaf2e1988756aacd50
100K
FaceStealer

com.faceart.savetoon.cartoonedit
55ffc2e392280e8967de0857b02946094268588209963c6146dad01ae537daca
100
FaceStealer

com.okenyo.creatkartoon.studio
e696d7304e5f56d7125dd54c853ff35a394a4175fcaf7785d332404e161d6deb
500K
FaceStealer

com.onlansuyanto.editor.bading
59f9630c2ebe4896f585ec7722c43bb54c926e3e915dcfa4ff807bea444dc07b
10K
FaceStealer

com.madtoon.aicartoon.kiroah
c29adfade300dde5e9c31b23d35a6792ed4a7ad8394d37b69b5cecc931a7ad9f
100K
FaceStealer

com.acetoon.studio.facephoto
24cf7fcaefe98bc9db34f551d11906d3f1349a5b60adf5fa37f15a872b61ee95
100K
FaceStealer

com.funcolornext.beautyfungoodcolor
b2cfa8b2eccecdcb06293512df0db463850704383f920e5782ee6c5347edc6f5
100K
Repackaged
Adware

 

 

 

 

 

 

 

The post The Rise and Risks of AI Art Apps appeared first on McAfee Blog.

Read More

What are prisoners getting up to with mobile phones? Why might ransomware no longer be generating as much revenue for cybercriminals? And how on earth did an airline leave the US government’s “No Fly” list accessible for anyone in the world to download?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Read More

On Dec. 23, 2022, KrebsOnSecurity alerted big-three consumer credit reporting bureau Experian that identity thieves had worked out how to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, but remained silent about the incident for a month. This week, however, Experian acknowledged that the security failure persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

The tip about the Experian weakness came from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to cybercrime.

Normally, Experian’s website will ask a series of multiple-choice questions about one’s financial history, as a way of validating the identity of the person requesting the credit report. But Kushnir said the crooks learned they could bypass those questions and trick Experian into giving them access to anyone’s credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian’s identity verification process.

When I tested Kushnir’s instructions on my own identity at Experian, I found I was able to see my report even though Experian’s website told me it didn’t have enough information to validate my identity. A security researcher friend who tested it at Experian found she also could bypass Experian’s four or five multiple-choice security questions and go straight to her full credit report at Experian.

Experian acknowledged receipt of my Dec. 23 report four days later on Dec. 27, a day after Kushnir’s method stopped working on Experian’s website (the exploit worked as long as you came to Experian’s website via annualcreditreport.com — the site mandated to provide a free copy of your credit report from each of the major bureaus once a year).

Experian never did respond to official requests for comment on that story. But earlier this week, I received an otherwise unhelpful letter via snail mail from Experian (see image above), which stated that the weakness we reported persisted between Nov. 9, 2022 and Dec. 26, 2022.

“During this time period, we experienced an isolated technical issue where a security feature may not have functioned,” Experian explained.

It’s not entirely clear whether Experian sent me this paper notice because they legally had to, or if they felt I deserved a response in writing and thought maybe they’d kill two birds with one stone. But it’s pretty crazy that it took them a full month to notify me about the potential impact of a security failure that I notified them about.

It’s also a little nuts that Experian didn’t simply include a copy of my current credit report along with this letter, which is confusingly worded and reads like they suspect someone other than me may have been granted access to my credit report without any kind of screening or authorization.

After all, if I hadn’t authorized the request for my credit file that apparently prompted this letter (I had), that would mean the thieves already had my report. Shouldn’t I be granted the same visibility into my own credit file as them?

Instead, their woefully inadequate letter once again puts the onus on me to wait endlessly on hold for an Experian representative over the phone, or sign up for a free year’s worth of Experian monitoring my credit report.

As it stands, using Kushnir’s exploit was the only time I’ve ever been able to get Experian’s website to cough up a copy of my credit report. To make matters worse, a majority of the information in that credit report is not mine. So I’ve got that to look forward to.

If there is a silver lining here, I suppose that if I were Experian, I probably wouldn’t want to show Brian Krebs his credit file either. Because it’s clear this company has no idea who I really am. And in a weird, kind of sad way I guess, that makes me happy.

For thoughts on what you can do to minimize your victimization by and overall worth to the credit bureaus, see this section of the most recent Experian story.

Read More

For years attackers have used Office documents with malicious macros as one of the primary methods of infecting computers with malware. Microsoft finally took steps to disable such scripts by default in documents downloaded from the internet, forcing many groups to change tactics and increasingly choose LNK (shortcut) files as a delivery mechanism.

This trend has led to the creation of paid tools and services dedicated to building malicious LNK files. Some of these builders include MLNK Builder, Quantum Builder, Macropack, LNKUp, Lnk2pwn, SharPersist, and RustLnkBuilder, but their use can provide opportunities for easier detection by security products.

To read this article in full, please click here

Read More