Cybersecurity threats are evolving at an unprecedented pace, leaving organizations vulnerable to large-scale attacks. Security breaches and data…

Cybersecurity threats are evolving at an unprecedented pace, leaving organizations vulnerable to large-scale attacks. **Security breaches** and data leaks can have severe financial and reputational consequences. To tackle these risks, businesses must adopt a proactive approach to security that doesn’t just react to threats but actively anticipates and mitigates them. 

This is where **pentesting services** come into play. Unlike automated vulnerability scans, penetration testing involves simulating real-world attacks to uncover security gaps before malicious actors can exploit them. Organizations across industries rely on pentesting to strengthen their defenses, meet compliance requirements, and validate security controls against evolving threats.

This article explores the most relevant penetration testing services, their role in cybersecurity, and how businesses can leverage them to enhance security resilience. From network and application testing to red teaming and cloud security assessments, understanding these services is essential for organizations looking to stay ahead of cyber threats.

****The Role of Penetration Testing in Cybersecurity****

Penetration testing (**pentesting**) is a controlled security assessment that mimics real-world cyberattacks to identify and address vulnerabilities before attackers can exploit them. Unlike traditional security measures that rely on firewalls, antivirus software, and automated scanners, pentesting provides a hands-on evaluation of an organization’s security posture. It helps detect misconfigurations, weak authentication mechanisms, and exploitable flaws that may go unnoticed in routine security checks.

The primary goal of penetration testing is to reduce the attack surface by uncovering security gaps across networks, applications, APIs, and cloud environments. This proactive approach not only strengthens defenses but also ensures compliance with security standards like **PCI DSS, ISO 27001**, and **HIPAA**. Organizations that integrate regular pentesting into their security strategy are better equipped to handle emerging threats and minimize the risk of costly breaches.

However, a common misconception is that penetration testing is just an advanced form of vulnerability scanning. While automated scanners can detect known issues, they cannot analyze complex attack chains, logic flaws, and business logic vulnerabilities. Skilled penetration testers use a combination of manual techniques, custom exploits, and real-world attack scenarios to simulate how an adversary would attempt to compromise a system. This makes penetration testing an essential component of a robust security program.

****Key Types of Penetration Testing Services****

Not all security risks are the same, and different environments require specialized testing approaches. Below are the most relevant penetration testing services, each addressing specific attack surfaces and security concerns.

****Network Penetration Testing****

A core component of security assessments, network penetration testing focuses on identifying vulnerabilities in both external and internal network infrastructure. This involves testing firewalls, routers, VPNs, and other network devices for misconfigurations, outdated protocols, and weak authentication mechanisms.

Common threats mitigated by network pentesting include:

*   Open ports and exposed services provide an entry point for attackers.

*   Weak encryption can be exploited for data interception and manipulation.

*   Misconfigured access controls that allow unauthorized access to sensitive systems.

Network penetration testing is particularly relevant for enterprises, cloud service providers, and organizations handling sensitive data across distributed networks.

****Web Application Penetration Testing****

Web applications are prime targets for cyberattacks due to their accessibility and integration with critical business operations. This form of pentesting evaluates applications against vulnerabilities outlined in the OWASP Top 10, such as:

*   **SQL Injection (SQLi):** Exploiting database queries to extract sensitive data.

*   **Cross-Site Scripting (XSS):** Injecting malicious scripts to hijack user sessions.

*   **Broken Authentication:** Weak login mechanisms that allow unauthorized access.

SaaS providers, fintech companies, and e-commerce platforms rely on web application pentesting to secure customer transactions, APIs, and user authentication mechanisms.

**Mobile Application Penetration Testing**

With mobile apps handling sensitive financial, healthcare, and personal data, securing them is critical. Mobile application penetration testing assesses both iOS and Android apps for risks such as:

*   **Insecure data storage** that exposes sensitive user information.

*   **Weak API security,** leading to unauthorized access or data leaks.

*   **Reverse engineering risks** where attackers decompile apps to extract secrets.

Pentesters analyze app permissions, encryption mechanisms, and backend API security to ensure mobile applications comply with industry best practices and regulatory standards.

****Cloud Penetration Testing****

Cloud security introduces unique challenges, including misconfigured storage services, excessive permissions, and insecure **API endpoints**. Cloud penetration testing assesses environments like AWS, Azure, and Google Cloud for:

*   **Publicly exposed assets** such as S3 buckets or storage blobs.

*   **Identity and Access Management (IAM) misconfigurations** leading to privilege escalation.

*   **Insecure APIs and serverless functions** that could be exploited.

Given the widespread adoption of cloud services, cloud pentesting is critical for organizations leveraging SaaS platforms, multi-cloud environments, and **DevOps workflows**.

**API Penetration Testing**

APIs serve as the backbone of modern applications, yet they are often overlooked in security assessments. API penetration testing targets vulnerabilities like:

*   **Broken authentication and authorization** that allow unauthorized access to critical services.

*   **Rate limiting bypasses** enabling brute-force attacks or data scraping.

*   **Data exposure** due to improper input validation and misconfigured responses.

API pentesting is especially relevant for fintech, healthcare, and logistics platforms that rely on secure data exchange.

**IoT Penetration Testing**

The increasing adoption of IoT devices introduces significant security risks, from industrial control systems to smart home devices. IoT penetration testing identifies weaknesses such as:

*   **Default credentials** that attackers exploit to gain control.

*   **Lack of encryption,** exposing communication channels to interception.

*   **Unpatched firmware vulnerabilities,** leaving devices open to exploitation.

Industries like healthcare, automotive, and industrial automation require IoT pentesting to safeguard connected devices and prevent large-scale cyber incidents.

**Red Team Assessments**

Unlike traditional pentesting, **red team** assessments simulate full-scale attacks to test an organization’s detection and response capabilities. These engagements go beyond vulnerability discovery to mimic advanced persistent threats (APTs) and real-world adversary tactics.

Key attack vectors in red team assessments include:

*   **Physical security bypass,** such as tailgating into restricted areas.

*   **Social engineering** to manipulate employees into disclosing credentials.

*   **Persistence mechanisms** to maintain undetected access over extended periods.

Red teaming is essential for large enterprises, government agencies, and critical infrastructure operators looking to validate their security resilience against sophisticated attacks.

****Choosing the Right Penetration Testing Service****

Selecting the right penetration testing service depends on business impact, regulatory requirements, and infrastructure. Security assessments must be tailored to provide actionable insights rather than generic findings.

****Key Considerations****

*   **Business Impact:** Identifying critical assets that require testing, such as customer data or financial transactions.

*   **Regulatory Compliance:** Industries like finance and healthcare must meet PCI DSS, ISO 27001, HIPAA, and SOC 2 standards.

*   **Infrastructure Type:** Cloud-native environments require different security tests than on-premises systems or API-heavy platforms.

*   **Security Maturity:** Organizations with mature security defenses may benefit from red team assessments, while those with fewer controls should start with network and application pentesting.

****Compliance vs. Risk-Driven Testing****

*   **Compliance-driven:** Focuses on meeting security mandates but may have a limited scope.

*   **Risk-driven:** Simulates real-world attack scenarios beyond compliance checklists.

****The Need for Recurring Assessments****

Cyber threats evolve, making regular pentesting (quarterly or annually) essential. Organizations integrating security into **DevSecOps detect vulnerabilities** early, reducing risks proactively rather than reactively.

****Conclusion****

Penetration testing is essential for identifying vulnerabilities before attackers exploit them. Unlike automated scans, pentesting services simulate real-world threats, strengthening defenses and ensuring compliance.

Choosing the right service, whether network, application, cloud, or red teaming, depends on risk exposure and industry standards. Security isn’t a one-time effort; regular testing and DevSecOps integration help organizations stay alert against increasing cybersecurity threats.

Penetration Testing Services: Strengthening Cybersecurity Against Evolving Threats

The Trump cabinet’s shocking leak of its plans to bomb Yemen raises myriad confidentiality and legal issues. The security of the encrypted messaging app Signal is not one of them.

The eye-popping scandal surrounding the Trump cabinet’s accidental invitation to The Atlantic’s editor in chief to join a text-message group secretly planning a bombing in Yemen has rolled into its third day, and that controversy now has a name: SignalGate, a reference to the fact that the conversation took place on the end-to-end encrypted free messaging tool Signal.

As that name becomes a shorthand for the biggest public blunder of the second Trump administration to date, however, security and privacy experts who have promoted Signal as the best encrypted messaging tool available to the public want to be clear about one thing: SignalGate is not about Signal.

Since The Atlantic’s editor, Jeffrey Goldberg, revealed Monday that he was mistakenly included in a Signal group chat earlier this month created to plan US airstrikes against the Houthi rebels in Yemen, the reaction from the Trump cabinet’s critics and even the administration itself has in some cases seemed to cast blame on Signal for the security breach. Some commentators have pointed to reports last month of Signal-targeted phishing by Russian spies. National security adviser Michael Waltz, who reportedly invited Goldberg to the Signal group chat, has even suggested that Goldberg may have hacked into it.

On Wednesday afternoon, even President Donald Trump suggested Signal was somehow responsible for the group chat fiasco. “I don't know that Signal works,” Trump told reporters at the White House. “I think Signal could be defective, to be honest with you.”

The real lesson is much simpler, says Kenn White, a security and cryptography researcher who has conducted audits on widely used encryption tools in the past as the director of the Open Crypto Audit Project: Don’t invite untrusted contacts into your Signal group chat. And if you’re a government official working with highly sensitive or classified information, use the encrypted communication tools that run on restricted, often air-gapped devices intended for a top-secret setting rather than the unauthorized devices that can run publicly available apps like Signal.

“Unequivocally, no blame in this falls on Signal,” says White. “Signal is a communication tool designed for confidential conversations. If someone's brought into a conversation who’s not meant to be part of it, that's not a technology problem. That's an operator issue.”

Cryptographer Matt Green, a professor of computer science at Johns Hopkins University, puts it more simply. “Signal is a tool. If you misuse a tool, bad things are going to happen,” says Green. “If you hit yourself in the face with a hammer, it’s not the hammer’s fault. It’s really on you to make sure you know who you’re talking to.”

The only sense in which SignalGate _is_ a Signal-related scandal, White adds, is that the use of Signal suggests that the cabinet-level officials involved in the Houthi bombing plans, including secretary of defense Pete Hegseth and director of national intelligence Tulsi Gabbard, were conducting the conversation on internet-connected devices—possibly even including personal ones—since Signal wouldn’t typically be allowed on the official, highly restricted machines intended for such conversations. “In past administrations, at least, that would be absolutely forbidden, especially for classified communications,” says White.

Indeed, using Signal on internet-connected commercial devices doesn’t just leave communications open to anyone who can somehow exploit a hackable vulnerability in Signal, but anyone who can hack the iOS, Android, Windows, or Mac devices that might be running the Signal mobile or desktop apps.

This is why US agencies in general, and the Department of Defense in particular, conduct business on specially managed federal devices that are specially provisioned to control what software is installed and which features are available. Whether the cabinet members had conducted the discussion on Signal or another consumer platform, the core issue was communicating about incredibly high-stakes, secret military operations using inappropriate devices or software.

One of the most straightforward reasons that communication apps like Signal and WhatsApp are not suitable for classified government work is that they offer “disappearing message” features—mechanisms to automatically delete messages after a preset amount of time—that are incompatible with federal record retention laws. This issue was on full display in the principals’ chat about the impending strike on Yemen, which was originally set for one-week auto-delete before the Michael Waltz account changed the timer to four-week auto-delete, according to screenshots of the chat published by The Atlantic on Wednesday. Had The Atlantic’s Goldberg not been mistakenly included in the chat, its contents might not have been preserved in accordance with long-standing government requirements.

In congressional testimony on Wednesday, US director of national intelligence Tulsi Gabbard said that Signal can come preinstalled on government devices. Multiple sources tell WIRED that this is not the norm, though, and noted specifically that downloading consumer apps like Signal to Defense Department devices is highly restricted and often banned. The fact that Hegseth, the defense secretary, participated in the chat indicates that he either obtained an extremely unusual waiver to install Signal on a department device, bypassed the standard process for seeking such a waiver, or was using a non-DOD device for the chat. According to political consultant and podcaster FP Wellman, DOD “political appointees” demanded that Signal be installed on their government devices last month.

Core to the Trump administration’s defense of the behavior is the claim that no classified material was discussed in the Signal chat. In particular, Gabbard and others have noted that Hegseth himself is the classification authority for the information. Multiple sources tell WIRED, though, that this authority does not make a consumer application the right forum for such a discussion.

“The way this was being communicated, the conversation had no formal designation like 'for official use only' or something. But whether it should have been classified or not, whatever it was, it was obviously sensitive operational information that no soldier or officer would be expected to release to the public—but they had added a member of the media into the chat,” says Andy Jabbour, a US Army veteran and founder of the domestic security risk-management firm Gate 15.

Jabbour adds that military personnel undergo annual information awareness and security training to reinforce operating procedures for handling all levels of nonpublic information. Multiple sources emphasize to WIRED that while the information in the Yemen strike chat appears to meet the standard for classification, even nonclassified material can be extremely sensitive and is typically carefully protected.

“Putting aside for a moment that classified information should never be discussed over an unclassified system, it’s also just mind-boggling to me that all of these senior folks who were on this line and nobody bothered to even check, security hygiene 101, who are all the names? Who are they?” US senator Mark Warner, a Virginia Democrat, said during Tuesday’s Senate Intelligence Committee hearing.

According to The Atlantic, 12 Trump administration officials were in the Signal group chat, including vice president JD Vance, secretary of state Marco Rubio, and Trump adviser Susie Wiles. Jabbour adds that even with ​​decisionmaking authorities present and participating in a communication, establishing an information designation or declassifying information happens through an established, proactive process. As he puts it, “If you spill milk on the floor, you can’t just say, ‘That’s actually not spilled milk, because I intended to spill it.’”

All of which is to say, SignalGate raises plenty of security, privacy, and legal issues. But the security of Signal itself is not one of them. Despite that, in the wake of The Atlantic’s story on Monday, some have sought tenuous connections between the Trump cabinet’s security breach and Signal vulnerabilities. On Tuesday, for example, a Pentagon adviser echoed a report from Google’s security researchers, who alerted Signal earlier this year to a phishing technique that Russian military intelligence used to target the app’s users in Ukraine. But Signal pushed out an update to make that tactic—which tricks users into adding a hacker as a secondary device on their account—far harder to pull off, and the same tactic also targeted some accounts on the messaging services WhatsApp and Telegram.

“Phishing attacks against people using popular applications and websites are a fact of life on the internet,” Signal spokesperson Jun Harada tells WIRED. “Once we learned that Signal users were being targeted, and how they were being targeted, we introduced additional safeguards and in-app warnings to help protect people from falling victim to phishing attacks. This work was completed months ago."

In fact, says White, the cryptography researcher, if the Trump administration is going to put secret communications at risk by discussing war plans on unapproved commercial devices and freely available messaging apps, they could have done much worse than to choose Signal for those conversations, given its reputation and track record among security experts.

“Signal is the consensus recommendation for highly at-risk communities—human rights activists, attorneys, and confidential sources for journalists,” says White. Just not, as this week has made clear, executive branch officials planning airstrikes.

_Updated at 5:50 pm ET, March 25, 2025: Added remarks about Signal by President Trump._

SignalGate Isn’t About Signal

McAfee Labs reveals new Android malware exploiting .NET MAUI to steal user data. Learn about advanced evasion techniques and how to stay protected.

McAfee Labs has revealed that cybercriminals are exploiting Microsoft’s newly introduced .NET MAUI app development tool to spread Android malware with cross-platform capabilities.

The McAfee Mobile Research Team discovered that this development framework, meant to replace Xamarin and expand beyond mobile platforms, is now being abused to disguise malicious code within seemingly legitimate applications, and primary targets are Android users.

Unlike traditional Android malware, which relies on DEX files or native libraries, these threats store their core functionalities as blob binaries within assemblies. This method effectively bypasses many antivirus solutions that primarily focus on analysing conventional Android app components.

The second example, a fake social networking application, targeted Chinese-speaking users, attempting to steal contacts, SMS messages, and photos. This malware employed multi-stage dynamic loading, which entails encrypting and loading DEX files in three separate stages to obscure its malicious payload.

Fake app’s screen and the fake X app (Source: McAfee Labs)

Additionally, the malware manipulated the AndroidManifest.xml file by adding an excessive number of meaningless permissions, disrupting analysis tools. It also utilized encrypted TCP socket communication to evade network traffic interception.

McAfee Labs also observed that the threat actors diversified their themes, distributing fake dating apps with similar structures and functionalities, indicating a widespread campaign.

“These apps had different background images but shared the same structure and functionality, indicating that they were likely created by the same developer as the fake X app,” researchers noted in their report.

The rise of .NET MAUI-based malware and the adoption of new evasion techniques, including hiding code blobs within assemblies, multi-stage dynamic loading, and encrypted communication, shows a concerning trend that needs immediate addressing by the cybersecurity community.

To stay safe, please exercise caution when downloading applications from unofficial sources, particularly in regions with limited access to official app stores, such as China. “Staying vigilant and ensuring that security measures are in place can help protect against emerging threats,” McAfee researchers concluded.

Featured/Top Image by iXimus from Pixabay

Hackers Are Using Microsoft’s .NET MAUI to Spread Android Malware

Google has admitted it accidentally deleted some Maps Timeline user data after what it calls a "technical issue".

Google has admitted it accidentally deleted some users’ Google Maps Timeline data after a “technical issue”.

As reported by Forbes on March 11, users started noticing that their Google Maps Timelines had completely disappeared. At the time, we didn’t know anything about the cause of this issue.

However, now we do, after some of the impacted users received a email from Google on March 21. Not with an apology, mind you, but with an explanation.

Google wrote that it had:

> “Briefly experienced a technical issue that caused the deletion of Timeline data for some people. If you have encrypted backups enabled, you may be able to restore your data.”

If you’re among those affected and you did have backups enabled, here’s how you can attempt to restore your data:

*   Make sure you have the latest version of the Google Maps app installed on your device.
*   Open Google Maps, tap on your profile picture in the top right corner, and select **Your Timeline**.
*   Look for a cloud icon at the top of the Timeline screen and tap it. Choose a backup to import your data.

This doesn’t seem to work for everyone though, with some users commenting that this method didn’t work for them.

If you didn’t have backups enabled, it might not be possible to recover your lost Timeline data.

**Planned deletion**

For those interested in keeping their Timeline, bear in mind that if you don’t take action soon, your visits and routes might be erased, and your Timeline settings disabled. Earlier this month, Google announced that it will begin deleting the last three months of Timeline data unless you take action to back it up, as part of a roll out of significant changes to Maps Timeline.

After you receive the notification from Google, you have about six months to save or transfer your Timeline data before deletion takes place. The sender of the email is “Google Location History,” with the subject line: “Keep your Timeline? Decide by \[date\].”

When you get the prompt, follow the instructions on how to adjust your settings on your device. If you don’t, your visits and routes will be erased, and your Timeline settings will be disabled.

**How to back up your Google Maps Timeline data**

Here’s how back up your Timeline data to prevent any future losses, and help preserve your data during the planned deletion:

*   Open the Google Maps app.
*   Tap your profile picture, then **Your Timeline**.
*   At the top right, tap the cloud icon.
*   If auto-delete is turned on, turn it off.
*   On the Backup screen, turn on **Backup**.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Oops! Google accidentally deletes some users&#8217; Maps Timeline data 

Cybersecurity researchers are calling attention to an Android malware campaign that leverages Microsoft's .NET Multi-platform App UI (.NET MAUI) framework to create bogus banking and social media apps targeting Indian and Chinese-speaking users.
"These threats disguise themselves as legitimate apps, targeting users to steal sensitive information," McAfee Labs researcher Dexter Shin said.
.NET

Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps

Crossing into the United States has become increasingly dangerous for digital privacy. Here are a few steps you can take to minimize the risk of Customs and Border Protection accessing your data.

If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED

When Ryan Lackey has traveled to countries like Russia or China, he has taken certain precautions: Instead of his usual gear, the Seattle-based security researcher and chief security officer of a cryptocurrency insurance firm brings a locked-down Chromebook and an iPhone that's set up to sync with a separate, nonsensitive Apple account. He wipes both before every trip and loads only the minimum data he'll need. Lackey has gone so far as to keep separate travel sets for each country, so that he can forensically analyze the devices when he gets home to check for signs of each country's tampering.

Now, Lackey says, the countries that warrant that paranoid approach to travel might include not just Russia and China but also the United States—if not for Americans like him, then for anyone with a foreign passport who might come under the increasingly draconian and unpredictable scrutiny of US Customs and Border Protection (CBP). "All of this applies to America more than it has in the past," says Lackey. "If I thought I were likely to be a targeted person, I would go through this same level of protection."

Since the start of the second Trump administration, there appears to be an uptick in foreign visitors to the US being denied entry, resulting in people being sent back to their original destinations or being held in detention. Citizens from Germany, the UK, and France have all reported being detained, in some cases for weeks, or denied entry when attempting to enter the US—including several individuals who say they are legal residents with Green Cards. France’s education minister said one French scientist was denied entry after immigration officials searched his phone and found conversations where “he expressed a personal opinion on the Trump administration’s research policy.” The stricter enforcement of visa and travel permit regulations has led to officials in Germany and Britain to change their travel guidance, with Britain warning that rules are enforced “strictly.”

That de facto border crackdown is set to become far more explicit if the Trump administration follows through on a plan to enact a new “travel ban” on more than 40 countries, which would reportedly bar entry entirely from at least 10 nations and subject visitors from another five to new scrutiny and automatic interviews at the border. Another 26 countries would fall into a third category where their status will be decided in the 60 days after the policy goes into effect.

All of these changes suggest that US borders are about to become far less friendly places to foreigners and even to Americans returning from abroad. And these new border enforcement measures will no doubt be accompanied by aggressive attempts at surveillance extending to travellers’ electronic devices—a threat to digital privacy and free expression that extends to foreigners and US residents alike.

“We’re seeing extraordinarily disturbing examples of retaliatory action based on people's speech and political opinions,” says Nathan Wessler, the deputy director of the American Civil Liberties Union’s Speech, Privacy, and Technology Project. “When that’s combined with really sweeping authority to mine the contents of our phones and laptops, looking at things we've written, things people have sent us, it should be a particular cause for concern for people across the political spectrum—and people with all kinds of citizenship and immigration statuses.”

In fact, Customs and Border Protection has long considered US borders and airports a kind of loophole in the US Constitution's Fourth Amendment protections, one that allows them wide latitude to detain travelers and search their devices. For years, the agency has used that opportunity to hold border-crossers on the slightest suspicion and demand access to their computers and phones, with little formal cause or oversight.

Citizens are far from immune. CBP detainees from journalists to filmmakers to security researchers have all had their devices taken out of their hands by agents.

As those intrusions become more common and aggressive in the second Trump era, WIRED has assembled the following advice from legal and security experts to help preserve your digital privacy while crossing American borders. But take all of these strategies with caution: Given CBP’s unpredictable—and in many areas undocumented—practices, none of the experts WIRED spoke to claimed to have a privacy panacea for the American border.

_This article was first published in February 2017 and updated in March 2025 to reflect changes in technology and the second Trump administration. WIRED’s guide to protecting yourself against government surveillance includes more security and privacy advice._

**Phone Home**

First, if you have any reason to think you could be detained or questioned at the border, alert a lawyer or a loved one who can contact a lawyer _before_ going through customs, and contact them again when you get out. If you are detained, you may not be able to access your devices or otherwise have the opportunity to reach the outside world. And in the worst-case scenario of a lengthy detention, you'll want someone advocating for your release and legal representation.

**Lock Down Devices**

If customs officials do take your devices, don't make their intrusion easy. Encrypt your hard drive with tools like BitLocker, Veracrypt, or Apple's Filevault, and choose a strong passphrase. On your phone, set a strong PIN. Using hard-to-crack alphanumeric code to unlock your phone rather than a four digit PIN or biometrics is the strongest approach to securing the device. On an iPhone, disable Siri from the lock screen by switching off **Allow Siri When Locked** under the **Siri men**u in **Settings**.

Remember also to turn your devices off before entering customs: Hard-drive encryption tools offer full protection only when a computer is fully powered down. If you use FaceID, your iPhone is safest when it's turned off, too, since it requires a PIN rather than a face scan when first booted, resolving any ambiguity about whether border officials can compel you to unlock the device with your biometrics.

In recent years, Apple and Google have made it possible to separate sensitive apps from being shown with others on your phone—placing them in a separate folder from other apps and protecting them with another layer of authentication. Android’s Private Spaces can be turned on in the Security and privacy settings menu, while long pressing an app on iOS will bring up the option to place it in a hidden folder.

Finally, Wessler recommends that travelers be sure to update their operating systems on both laptops and phones before crossing the border. That’s because CBP could, in some cases, use tools like Cellebrite or GrayKey to exploit unpatched vulnerabilities in those devices, accessing them without the user unlocking them. “It may be that if your operating system is six months out of date, your device is vulnerable,” Wessler says. “The newest version may not be.”

**Keep Passwords Secret**

This is the tricky part. American citizens can't be deported for refusing to give up passwords for social media accounts or encrypted devices, says the ACLU's Wessler. That means if you stand your ground and don't reveal passwords or PINs, you may be detained and your devices confiscated—even sent off to a forensic facility—but you'll eventually get through with your privacy far more intact than if you divulge secrets. "They can seize your device, even for months while they try to break into it," says Wessler. "But you’re going to get home." (Despite the Trump administration’s shocking treatment in some cases of foreign permanent residents, this protection applies to green card holders too, Wessler says.)

Be warned, however, that denying customs officials access can at the very least lead to hours of uncertain detention in a bleak, windowless CBP office. At some US airports and in various states, court rulings have put limitations and restrictions on what CBP officials can do to access your devices, but there’s little guarantee those restrictions will be followed in practice if border agents have your computer or phone in their custody without oversight.

Broadly, the CBP outlines two types of device searches: basic, where an officer “manually” reviews a device’s content; and an advanced search where a device is connected to external equipment and its contents can be reviewed, copied, or analyzed. The latter search requires a “reasonable suspicion” of a crime, CBP says. The agency’s official guidance avoids explicitly saying people are required to hand over passwords, skirting around the issue by saying devices should be presented “in a condition that allows for the examination.”

“If the electronic device cannot be inspected because it is protected by a passcode or encryption or other security mechanism, that device may be subject to exclusion, detention, or other appropriate action or disposition,” the agency says online.

For non-Americans coming to the US on a visa or from a visa-waiver country, Wessler warns that they face a far starker dilemma: Refuse to give up a passcode or PIN and you may be denied entry. “There’s a very practical assessment people have to make about what's most important to them,” he says. “Getting into the country but sacrificing privacy or protecting your privacy—but risking that you may be turned around at the border.”

**Minimize the Data You Carry**

For the most vulnerable travelers, there’s one clear solution to that dilemma: The best way to keep customs away from your data is simply not to travel with it. Instead, like Lackey, set up travel devices that store the minimum of sensitive data. Don't link those "dirty" devices to your personal accounts, and when you do have to create a linked account—as with an Apple ID for iOS devices—create fresh ones with unique usernames and passwords. "If they ask for access and you can’t refuse, you want to be able to give them access without losing any sensitive information," says Lackey.

(Social media accounts, admittedly, can't be so easily ditched. Some security experts recommend creating secondary personas that can be offered up to customs officials while keeping a more sensitive account secret. But if CBP agents do link your identity with an account you tried to hide, the result could be longer detention and, for noncitizens, even denial of entry.)

If you can’t create a separate travel device, the Electronic Frontier Foundation also suggests logging out of apps and cloud services—such as Google Drive, or MicrosoftOne Drive—so that border agents can’t access documents or data you are storing remotely. Backing up data, such as photos or files, to the cloud services before you travel can help to remove data from the phone.

“The only sure way to protect yourself is to not carry information with you or to carry as little as possible,” says the ACLU’s Wessler. “As long as you have a device and there's stuff on it, that's potentially vulnerable to search.”

That vulnerability to search comes in part from the fact that privacy rights for digital devices at the border remains troublingly unsettled in US law, says UC Davis law professor Elizabeth Joh. While the Supreme Court decision in _Riley v. California_ in 2014 declared warrantless searches of devices at the time of arrest unconstitutional, no case has set such a precedent for the American border—much less for non-Americans seeking those same privacy rights.

Since 2014, several federal appeals courts have come to conflicting opinions about when it’s constitutional for customs and border agents to search electronic devices, but the Supreme Court has yet to weigh in. Until it does, the border zone will remain in a kind of legal limbo.

The government, after all, has the power to open bags crossing into its territory or even dismantle cars to search for contraband, Joh points out. "What does that mean in an age when people bring their digital devices across borders? The Supreme Court hasn’t spoken to that issue," Joh says. "The real problem here is there's still no good set of protections for a portal into your private life."

How to Enter the US With Your Digital Privacy Intact

A quiet tweak in a popular open-source tool opened the door to a supply chain breach—what started as a targeted attack quickly spiraled, exposing secrets across countless projects.
That wasn’t the only stealth move. A new all-in-one malware is silently stealing passwords, crypto, and control—while hiding in plain sight. And over 300 Android apps joined the chaos, running ad

⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More

Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay transactions from mobile devices located in China.

Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay transactions from mobile devices located in China.

Image: WLVT-8.

Authorities in Knoxville, Tennessee last week said they arrested 11 Chinese nationals accused of buying tens of thousands of dollars worth of gift cards at local retailers with mobile wallets created through online phishing scams. The Knox County Sheriff’s office said the arrests are considered the first in the nation for a new type of tap-to-pay fraud.

Responding to questions about what makes this scheme so remarkable, Knox County said that while it appears the fraudsters are simply buying gift cards, in fact they are using multiple transactions to purchase various gift cards and are plying their scam from state to state.

“These offenders have been traveling nationwide, using stolen credit card information to purchase gift cards and launder funds,” Knox County Chief Deputy **Bernie Lyon** wrote. “During Monday’s operation, we recovered gift cards valued at over $23,000, all bought with unsuspecting victims’ information.”

Asked for specifics about the mobile devices seized from the suspects, Lyon said “tap-to-pay fraud involves a group _utilizing Android phones to conduct Apple Pay transactions_ utilizing stolen or compromised credit/debit card information,” \[emphasis added\].

Lyon declined to offer additional specifics about the mechanics of the scam, citing an ongoing investigation.

**Ford Merrill** works in security research at SecAlliance, a CSIS Security Group company. Merrill said there aren’t many valid use cases for Android phones to transmit Apple Pay transactions. That is, he said, unless they are running a custom Android app that KrebsOnSecurity wrote about last month as a part of a deep dive into the sprawling operations of China-based phishing cartels that are breathing new life into the payment card fraud industry (a.k.a. “carding”).

How are these China-based phishing groups obtaining stolen payment card data and then loading it onto Google and Apple phones? It all starts with phishing.

If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the **U.S. Postal Service** to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.

These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or “**smishing**” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the **Apple iMessage** service and through RCS, the functionally equivalent technology on **Google** phones.

People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution in response to a request by the fraudsters to link the phished card data to a mobile wallet.

If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control. These phones are then loaded with multiple stolen wallets (often between 5-10 per device) and sold in bulk to scammers on Telegram.

An image from the Telegram channel for a popular Chinese smishing kit vendor shows 10 mobile phones for sale, each loaded with 5-7 digital wallets from different financial institutions.

Merrill found that at least one of the Chinese phishing groups sells an Android app called “**Z-NFC**” that can relay a valid NFC transaction to anywhere in the world. The user simply waves their phone at a local payment terminal that accepts Apple or Google pay, and the app relays an NFC transaction over the Internet from a phone in China.

“I would be shocked if this wasn’t the NFC relay app,” Merrill said, concerning the arrested suspects in Tennessee.

Merrill said the Z-NFC software can work from anywhere in the world, and that one phishing gang offers the software for $500 a month.

“It can relay both NFC enabled tap-to-pay as well as any digital wallet,” Merrill said. “They even have 24-hour support.”

On March 16, the ABC affiliate in Sacramento (**ABC10**), Calif. aired a segment about two Chinese nationals who were arrested after using an app to run stolen credit cards at a local Target store. The news story quoted investigators saying the men were trying to buy gift cards using a mobile app that cycled through more than 80 stolen payment cards.

ABC10 reported that while most of those transactions were declined, the suspects still made off with $1,400 worth of gift cards. After their arrests, both men reportedly admitted that they were being paid $250 a day to conduct the fraudulent transactions.

Merrill said it’s not unusual for fraud groups to advertise this kind of work on social media networks, including TikTok.

A **CBS News** story on the Sacramento arrests said one of the suspects tried to use 42 separate bank cards, but that 32 were declined. Even so, the man still was reportedly able to spend $855 in the transactions.

Likewise, the suspect’s alleged accomplice tried 48 transactions on separate cards, finding success 11 times and spending $633, CBS reported.

“It’s interesting that so many of the cards were declined,” Merrill said. “One reason this might be is that banks are getting better at detecting this type of fraud. The other could be that the cards were already used and so they were already flagged for fraud even before these guys had a chance to use them. So there could be some element of just sending these guys out to stores to see if it works, and if not they’re on their own.”

Merrill’s investigation into the Telegram sales channels for these China-based phishing gangs shows their phishing sites are actively manned by fraudsters who sit in front of giant racks of Apple and Google phones that are used to send the spam and respond to replies in real time.

In other words, the phishing websites are powered by real human operators as long as new messages are being sent. Merrill said the criminals appear to send only a few dozen messages at a time, likely because completing the scam takes manual work by the human operators in China. After all, most one-time codes used for mobile wallet provisioning are generally only good for a few minutes before they expire.

For more on how these China-based mobile phishing groups operate, check out How Phished Data Turns Into Apple and Google Wallets.

The ashtray says: You’ve been phishing all night.

Arrests in Tap-to-Pay Scheme Powered by Phishing

Citizen Lab's investigation reveals sophisticated spyware attacks exploiting WhatsApp vulnerabilities, implicating Paragon Solutions. Learn how their research exposed these threats and the implications for digital privacy.

Cybersecurity researchers at the Citizen Lab at the University of Toronto have exposed the use of sophisticated spyware named **Graphite**, developed by the Israeli firm Paragon Solutions, to target high-profile individuals through WhatsApp.

Their **investigation** reveals that a previously unknown zero-day vulnerability in WhatsApp’s software allowed the spyware to be installed on devices through a zero-click exploit, allowing adversaries to gain unauthorized access to targeted phones.

For your information **zero-click exploits** mean that a device can be compromised without the user clicking a link, opening a file, or performing any other action.

Attack flow explained (Source: The Citizen Lab)

****Graphite Spyware Servers Worldwide****

Paragon Solutions, established in 2019 by figures including former Israeli Prime Minister Ehud Barak, claims to differentiate itself by adhering to ethical standards, unlike other spyware vendors like the **NSO Group**.

However, Citizen Lab’s researchers mapped out servers attributed to Graphite, and identified suspected deployments against journalists, human rights activists, and government critics across multiple countries. This includes:

*   Italy
*   Israel
*   Canada
*   Cyprus
*   Denmark
*   Australia
*   Singapore

WhatsApp’s parent company, Meta, has confirmed that approximately 90 users in 24 countries were targeted. However, since the researchers are based in Canada; a significant aspect of the investigation focused on a Canadian client, the Ontario Provincial Police (OPP). The analysis uncovered links between Paragon and the OPP, revealing a systematic use of spyware capabilities among Ontario-based police services.

The Italian connection proved to be a focal point of the investigation. Forensic analysis of Android devices belonging to individuals notified by WhatsApp, including journalist Francesco Cancellato and Mediterranea Saving Humans founders Luca Casarini and Dr. Giuseppe Caccia, revealed clear indications of Graphite spyware.

Researchers identified a unique Android forensic artifact, BIGPRETZEL, which confirmed the presence of Paragon’s spyware on these devices. The Italian government initially **denied** any involvement but later **acknowledged** having contracts with Paragon.

Furthermore, the investigation extended to an iPhone belonging to David Yambio, a close associate of the confirmed Paragon targets. Apple threat notifications received by Yambio, coupled with forensic analysis, revealed an attempted infection with novel spyware, subsequently patched by Apple in iOS 18.

In response to Citizen Lab’s findings, Meta, along with Apple and Google, collaborated to address the security vulnerability. WhatsApp implemented a server-side fix, eliminating the need for users to update their apps. Apple also released a patch for its iOS operating system to protect iPhone users.

WhatsApp subsequently **notified** the targeted users. “If we believe that your device has come under threat, we may notify you about it directly via a WhatsApp chat,” the notification read.

****WhatsApp Attacks Persist Despite NSO Group Lawsuit Win****

Hackread.com earlier **reported** that the infamous Israeli spyware company, NSO Group, was held legally liable for compromising hundreds of WhatsApp accounts. Court found NSO Group responsible for breaching WhatsApp’s terms of service and exploiting a vulnerability to install its powerful Pegasus spyware on at least 1,400 devices, targeting journalists, human rights activists, political dissidents, and government officials.

Interestingly, CyberScoop **reported** in November 2024 that NSO Group continued to develop new malware based on WhatsApp exploits, even after Meta filed a lawsuit against them and that when WhatsApp disabled the Eden exploit, NSO Group created the Erised vector to target users until May 2020.

Now, the Citizen Lab’s findings indicate that Israeli spyware firms are continually focusing on exploiting WhatsApp vulnerabilities for spyware deployment and aggressively using them against journalists and activists.  

These cases show the never-ending struggle between technology companies and malicious actors seeking to compromise user privacy and the critical need for continuous caution, stricter security measures, and legal accountability within the spyware industry to protect digital privacy and **human rights**.

Israeli Spyware Graphite Targeted WhatsApp with 0-Click Exploit

Experts are warning about the proliferating market for targeted spyware and espionage. Why should we be concerned?

Experts are again warning about the proliferating market for targeted spyware and espionage.

Before we dive into the world of targeted spyware, it’s worth looking at a few of the main players that are active in and against this industry.

**Paragon Solutions** is an Israeli company which sells high-end surveillance technology primarily to government clients, positioning its products as essential for combating crime and national security. The name of Paragon’s spyware is Graphite.

However, a lot of controversy arose when it faced allegations over the targeting of specific WhatsApp users, including journalists and civil society members, leading to a cease-and-desist notice from WhatsApp. Following these allegations, Paragon Solutions ended its contract with Italy after Italian citizens were found to have been targeted.

The **NSO group** creates the high-level spyware known as Pegasus, and has also been caught spying on WhatsApp users. The NSO Group justifies the use of Pegasus by saying it’s a beneficial tool for investigating and preventing terrorist attacks and maintaining the safety of the public.

On the opposite side of the fence, **CitizenLab** is an interdisciplinary laboratory based in Toronto, Canada. CitizenLab focuses on studying information controls that impact the openness and security of the internet and pose threats to human rights.

The work done by CitizenLab has led to greater understanding of the global digital surveillance landscape and its implications for human rights.

Often, we will see newly found vulnerabilities in iOS, WhatsApp and other software credited to CitizenLab or one of its associates. They often find these vulnerabilities by analyzing devices of individuals infected with high-level spyware.

In an interview with TheRecord, founder Ronald Deibert said CitizenLab routinely checks people’s phones for spyware. Over time, the researchers at CitizenLab have honed their forensic skills to the level that they can pinpoint the moment of infection for the device right down to the second.

In a recent article, CitizenLab explained in great detail how it cooperated with Meta on uncovering a WhatsApp zero-day vulnerability and how it traced it back to Paragon and the Italian government.

While most of us will, hopefully, never have to deal or worry about getting infected with high-level spyware, we may end up falling victim to the vulnerabilities that are used to infect targets.

Both Paragon and the NSO group have brought many zero-day vulnerabilities to light in browsers and other online applications by using them to compromise mobile devices.

Zero-day vulnerabilities are hard to come by and therefore expensive. But once they are used against victims, there is a good chance that at some point they will be discovered and patched.

But small-time criminals will pick them up and try to use them against people who haven’t had a chance or the time to update their device yet.

Which is why we, on this blog, and through Malwarebytes’ Trusted Advisor, always urge people to keep their devices up-to-date.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#android