H12-711 mission - HCNA-Security-CBSN(Constructing Basic Security Network) Updated: 2023

Huawei, Honor, and Vivo smartphones and tablets are displaying strange 'Security threat' alerts urging the deletion of the Google app, warning that it is detected as the 'TrojanSMS-PA' malware.

In what appears to be a false positive, these security alerts warn that "immediate uninstallation is advised," as the app is now considered high risk, as shown by the alert below from one of BleepingComputer's devices.

When users click on the 'View Details' option, the alert warns that the app was detected secretly sending SMS messages.

"This app was detected sending SMS privately, enticing users to pay with adult content, downloading/installing apps privately, or stealing private information, which may cause property damage and privacy leakage," reads the security alert details.

"We recommend uninstalling it immediately."

This issue has been reported by many users on the Google support forums (Vivo post), Reddit (Vivo thread), the Huawei forums, and various other Android communities.

BleepingComputer contacted Google to determine if a exact app update might have caused the sudden uptick in malware warnings, but a spokesperson said Google Play Protect is not triggering the alert.

"This security notification was not triggered by Google Play Protect and appears to be from a device that is not Play Protect certified and does not have access to officially download Google's core apps from Play. We recommend contacting the device manufacturer for further information. Google Play is the only app store where you can officially download Google's core apps for Android. All Google apps go through the same rigorous testing as all other apps on Google Play. These tests are designed to ensure that apps are safe, secure, and meet Google's quality standards." - Google spokesperson.

BleepingComputer has independently Tested that these alerts were shown on a Huawei device with Google's core apps pre-installed (released before the ban) and no side-loaded apps. 

Hence, Google's explanation does not accurately reflect the types of Android devices impacted by these alerts.

BleepingComputer confirmed that these alerts are being shown by the 'Huawei Optimizer' app on Huawei devices. However, it is unclear what apps are displaying the alerts for Vivo or Honor phones.

If you have not side-loaded the Google app on your Huawei, Vivo, or Honor phone, it should be safe to ignore the warning and keep it running.

Furthermore, while it is most likely these alerts are false positives, there has been no official comment from the device makers confirming this.

A proposed solution for disabling the "false alarm" is to go to Settings > Apps > Optimizer > App Info > Storage > Clear Cache / Clear Data and then reboot your device.

If that doesn't work, try to uninstall and reinstall the Huawei Optimizer app.

This action should refresh its outdated signature database, eliminating the incorrect false positive warnings.

BleepingComputer also contacted Huawei and Vivo for a comment, but we have yet to receive a response from the Chinese smartphone makers.

While many of us were enjoying some time off for Thanksgiving, the US government took drastic action against Huawei and four other Chinese companies. The hardest hit are Huawei and ZTE, as the ban prevents any new products from being approved for the US market. The other three companies are Dahua and Hikvision, which make video surveillance equipment, and Hytera, which makes radio systems. FCC Commissioner Brendan Carr noted the seriousness of the decision.

[As] a result of our order, no new Huawei or ZTE equipment can be approved. And no new Dahua, Hikvision, or Hytera gear can be approved unless they assure the FCC that their gear won’t be used for public safety, security of government facilities, & other national security purposes.

There is even the potential that previously approved equipment could have its authorization pulled. The raw FCC documents are available, if you really wish to wade through them. What’s notable is that two diametrically opposed US administrations have both pushed for this ban. It would surely be interesting to get a look at the classified reports detailing what was actually found. Maybe in another decade or two, we can make a Freedom of Information Act request and finally get the full story.

Fuzzing for Recollapse

[0xacb] has a fun new technique to share, that he calls REcollapse. It’s all about regular expressions that get used in user input validation and sanitation. Regex is hard to really get right, and is full of quirks in how different languages and libraries implement it. A simple example is an email address that contains “punycode” — non-ASCII Unicode characters. It’s perfectly legitimate for an address to contain Unicode, but many normalization schemes collapse unicode strings down into the nearest approximation of ASCII. Take exámple.com and example.com. If some part of a web service sees these as the same thing, and another backend service keeps sees them as unique, that mismatch could allow account takeover. Enter your email here to receive a password reset link.

The novel thing here is a structured approach to fuzzing for these problems. [0xacb] suggests identifying “regex pivot positions”, places in a string where there could be unexpected or inconsistent regex matching. A very different example of this is the end-of-string symbol, $. A developer might use this to specify that a given pattern should only be matched when it’s at the very end of a string. But what happens when there’s a newline embedded in the string? It depends on the language. Yikes!

REcollapse is now available as an Open Source tool, and works great to feed fuzzing inputs into an automated tool. Run it against a target, and watch for different responses. Find something good enough, and profit!

Phishing With Smart Watches

The team at Cybervelia have cooked up yet another way to spear-phish a target. Many of us have smart watches, and one of the most useful functions of those wrist-mounted marvels is to glance at a SMS or other message without fishing out a phone. Could an attacker, with a Bluetooth Low Energy antenna, spoof a text message to a nearby smart watch? After some reverse engineering work, absolutely. With the right message, like “need help, 2nd floor”, the target might just start moving without checking the phone and discovering the spoof.

Real-time Malware Hunting

This one’s fun, as the researchers at Phylum found yet another malicious PyPi package campaign back on the 15th. Their tooling alerted them to the activity very early in the campaign, as packages were being uploaded and the payload was still being fine-tuned. That payload was being developed on Github, so there was only one thing to do.

The union of memes and security research is a wondrous thing. The packages were reported, removed, and it looks like this particular malware campaign was eliminated before it really got started.

This does lead to a hilarious tangent from Phylum, about some of the laughably terrible attempts at malware they’ve discovered in other campaigns. There’s a certain poetic justice to be found in malware refusing to run, because the deobfuscation routine checks for the acknowledgement string and errors out when it’s tampered with.

Lastpass Breach Continued

Lastpass has updated their security incident report, noting that there seems to have been follow-on access of data. They noticed “unusual activity within a third-party cloud storage service”, which usually means Amazon’s AWS. The story here seems to be that a token to the storage service was snagged during the August compromise, and was just now used for more mischief. This does raise some uncomfortable questions about how well Lastpass understands what data was accessed in the earlier breach. That said, cleaning up after an incident is a complicated task, and missing a single AWS token in the action is all too easy.

Another “Legitimate” Commercial Spyware Vendor

In the just-what-we-needed category, the latest report from Google’s Threat Analysis Group names Variston as previously unknown player in the commercial malware game. Like NSO Group and others, Variston seems to have access to 0-day exploits in multiple devices and platforms.

A trio of bug reports were opened in the Chrome bug system, and each contained a mature framework and exploit code for a serious bug. Each of these were known and fixed bugs, but piecing together the clues would indicate that they were being used as 0-days by a vendor, probably Variston. It’s not uncommon for the “legitimate” spyware authors like the NGO Group, the NSA, and others, to properly report bugs once they’ve finished exploiting them, or assumably once a target has discovered the exploit.

500 Years Later

There’s a concept in encryption, that pretty much any encryption scheme is theoretically breakable, given enough time and technological innovation. As an example, see the rate at which quantum computers are developing, and the predicted breakdown of some classical crypto. The philosophy that spills out of this reality is that crypto just needs to be strong enough, that the secrets being protected are entirely stale by the time technology and computing power catch up. Which finally brings us to the story, that Emperor Charles V got nearly 500 years out of his cipher. Probably strong enough.

It turns out that this cipher had some clever elements, like multiple symbols that didn’t mean anything at all, just to make it harder to figure out. The real breakthrough was finding a cipher text that had been loosely translated. It was enough to finally figure out the basic rules. So what was in the central letter that was finally deciphered? Political maneuvering, fears of assassination, and a conspiracy to spread fake news to downplay a setback. Some things never change.

Font Fingerprint

There was a Reddit post over the break that caught our attention, where a user wired money online from his bank in England to Kenya, to pay for a trip. It was a legitimate transaction, but triggered the fraud protection from his bank. In the conversation with the fraud department, one of the flags for possible fraud surprised the Redditor in question: You have TeamViewer installed on your computer.

Now wait. That’s a bit disconcerting, a website can see your list of installed programs? No, not directly. There is no web API to list applications, at least, not since ActiveX died. However, there is an API to list installed fonts. And since Teamviewer brings its own font, it’s pretty easy to detect when it’s installed. And let’s face it, a remote controlled desktop is a reasonable flag for malicious activity. So now you know, your fonts may just be fingerprinting you.

Bits and Bytes

The Google Play store has ejected a pair of mildly popular apps, that were spying on users’ SMS messages. The data collection was incidental, and the real point was to enable fake accounts on various web services, using the victim’s cell phone numbers. Need a hundred Twitter accounts? Rent access to a hundred compromised phones, to use those numbers for the activation flow.

Need to get something past a plagiarism checker? Just rot13 and change the font! It’s a silly demonstration, but it does indeed work. Make your own font to change the letter mapping, and then apply the reverse mapping to the underlying text. To the human eye, it’s the same, but to an automated tool it’s garbage. Save as PDF, and off you go. While circumventing a plagiarism filter is a bad idea, this could have other, more positive uses, like censorship circumvention.

Black Hat 2022 videos are available, only three months later. There are some fun presentations in here, like the Starlink hack, analysis of real-world malware campaigns, and lots of software getting compromised. Enjoy!

The U.K. government on Tuesday said it will ask parliament for wide-reaching powers to oversee telecoms operators' security policies, including cracking down on operators' use of Chinese equipment for future 5G networks.

The Telecoms Security Bill would allow the government to force operators to rip out equipment from "high-risk" telecom vendors when rolling out 5G networks, according to a statement by the U.K.'s Department for Digital, Culture, Media and Sport. U.K. authorities have previously designated Chinese vendors Huawei and ZTE as "high-risk."

Digital Secretary Oliver Dowden said the bill "will provide the U.K. one of the toughest telecoms security regimes in the world and allow us to take the action necessary to protect our networks."

The draft law implements an earlier decision by the U.K. government to ban purchases of Huawei's 5G equipment.

The bill would also provide the telecoms regulator Ofcom new responsibilities to oversee operators’ security policies and impose fines of "up to 10 percent of turnover or £100,000 a day" in case operators don't comply, the department said.

The law aims to beef up requirements for everything from equipment to software that runs internet traffic and traditional telecoms data over 5G networks. The government plans to introduce follow-up legislation specifying requirements on how it expects operators to design telecom networks, protect them from cyberattacks and audit security.

A Huawei employee rests under his cubicle during his lunch break in Shenzhen, China. This is a common practice at many workplaces in China, photographer Kevin Frayer said.

The Chinese company Huawei is one of the giants of the tech industry. It’s the world's largest provider of telecommunications equipment, a leader in next-generation 5G technology, and last year it passed Apple to become the second-biggest smartphone seller in the world.

But to many, especially in the West, there’s still an air of mystery around it.

And in the United States, suspicion.

A thermal engineer performs a heat test in the research-and-development area of a Huawei facility in Shenzhen.

Huawei employees leave work at the end of a week in late April.

For years, Washington has been concerned that the Chinese government could use Huawei equipment to spy on other nations. The US government says Huawei could pose a threat to national security because it’s unable to say no to the Chinese government.

Huawei has pushed back against those allegations, saying it would refuse any Chinese government requests to gain access to the technology it sells to telecom operators. But last week, the Trump administration blacklisted the company, placing it on a list of foreign firms barred from receiving components from US exporters without a license.

Huawei employees work on a production line in Dongguan, China.

A Huawei engineer displays parts in a research-and-development area.

A display for facial recognition and artificial intelligence is seen on monitors at Huawei's Bantian campus in Shenzhen.

In an effort to dispel some of the mystery surrounding it, Huawei has recently opened up its facilities to international media.

Kevin Frayer, a Getty Images photographer based in Beijing, traveled to southern China in April to visit three of Huawei’s campuses.

“My goal was to take people a step beyond the breaking news and Huawei headlines, to provide them a sense of what the company looks like and to see who works there,” he said.

A worker in Huawei's cybersecurity lab works on his computer in Dongguan.

A Huawei engineer opens the door of a server unit during a tour of the cybersecurity lab in Dongguan.

Huawei has 180,000 employees worldwide. More than a third of them work at the campuses Frayer visited in Dongguan and nearby Shenzhen, which is considered China’s Silicon Valley.

The employees he encountered work in a variety of roles: production, research and development, and finance, just to name a few.

“Jobs at Huawei are coveted,” Frayer said. “It’s among the highest-paying companies in China for highly skilled workers, and many of its employees have been educated overseas and at the country’s top schools. Some of the brightest minds are hired away from other companies, and Huawei has also been luring foreign experts to join.”

Huawei employees play pool after work, at a recreation area in staff housing.

Huawei employees use treadmills in a company gym after work.

Frayer marveled at the size of the campuses he visited, especially Huawei’s headquarters in Shenzhen and the European-style research-and-development campus in Dongguan.

“When you first arrive, it is a bit overwhelming how spread out everything is,” he said. “There are restaurants and cafes, sports facilities and its own transportation system. They have villas and fancy dining rooms for high-level clients and low-cost housing for employees.

“At the new European-style campus, the buildings are designed to reflect the company founder’s training as an architect. And every day after lunch, the lights are dimmed in most offices so workers can nap, which is common at companies in China.”

An aerial view of Huawei’s European-style research-and-development campus in Dongguan.

Huawei workers look at their smartphones as they line up for lunch at the Dongguan campus.

An employee sleeps at her cubicle during her lunch break.

Frayer said the campuses feel like university campuses: quiet and relaxed, unlike much of the country.

“The only reminders that you’re in China were the crowds at lunch hour and the end of the work day,” he said.

Frayer was able to talk to some employees, and many of them expressed concern about what they see as misconceptions about the company.

“They were very aware of the political challenges and the American view, and they went to lengths to explain that Huawei is a tech company trying to innovate like any other tech company — as one engineer put it, to make things that make life easier.”

Huawei employees leave at the end of a workday in Dongguan.

A Huawei worker moves boxes on a train used by employees, clients and visitors at the campus in Dongguan.

Some of the research-and-development areas were off-limits in the interest of protecting intellectual property, and Frayer was asked at times not to photograph some clients. But overall, he said, Huawei was very open in what they allowed.

He called the company a “juggernaut” and a source of national pride in China.

“It’s hard to really know what it’s like to work there, but people generally looked happy and interested in what they are doing,” Frayer said. “You could feel that it’s big and important and it’s growing.”

An employee looks at her smartphone as a woman serves tea at a cafe on the company’s Bantian campus in Shenzhen.

A member of Huawei's reception staff arranges chairs in a private dining room that’s used for high-profile customers.

CNN’s Sherisse Pham and Julia Horowitz contributed to this report.

Kevin Frayer is a Getty Images photographer based in Beijing. Follow him on Facebook, Instagram and Twitter.

Photo editor: Brett Roegiers

Chinese technology giant Huawei has said security issues raised in a Government report could take between three and five years to resolve.

Catching a killer clown

Marlene Warren answered the door to her Wellington, FL, home and was fatally gunned down by a mysterious clown. Despite eyewitnesses, circumstantial evidence, and the identification a suspect early on, it would take more than 30 years for her killer to face justice.

For sharing news, please enter the email address of you and the receiver, then press SEND button.*Mandatory Fields

Enter email addresses, separated by semicolon (;). E.g. a@a.com;b@b.com