Security News
Nine malicious Android apps that steal Facebook credentials were found on Google Play, where they racked up a collective 5.9 million installations before Google removed them. The malicious apps were detected as trojans called Android.
Google has launched an updated version of Scorecards, its automated security tool that produces a "Risk score" for open source initiatives, with improved checks and capabilities to make the data generated by the utility accessible for analysis. "With so much software today relying on open-source projects, consumers need an easy way to judge whether their dependencies are safe," Google's Open Source Security Team said Thursday.
Google has announced it is moving away from the APK format for Android apps. So when it was announced that Google was moving away from APKs on Android, in favor of Android Play Bundles, my mind went to one very particular place.
If you don't like the idea of your Android search history being saved, Jack Wallen wants to show you how to set it to auto-delete. You might not know this, but out of the box, Android retains your search history, which means anyone who gains access to your phone can view what you've searched for.
Google's Open Source security team, in collaboration with the Open Source Security Foundation community, today announced an update to the Scorecards project to include more security checks. An automated security tool, the Scorecards project provides risk scores for open source projects, to help users, developers, and enterprises stay informed on the security risks associated with their dependencies, as well as to make informed decisions about them.
Google is working on adding an HTTPS-Only Mode to the Chrome web browser to protect users' web traffic from eavesdropping by upgrading all connections to HTTPS. This new feature is now being tested in the Chrome 93 Canary preview releases for Mac, Windows, Linux, Chrome OS, and Android. Google has previously updated Chrome to default to HTTPS for all URLs typed in the address bar if the user specifies no protocol.
A security researcher has disclosed the details of a vulnerability that can be exploited to take over virtual machines on Google Cloud Platform. The researcher, Imre Rad, decided to disclose the vulnerability due to Google's failure to fix the issue and provide information on its progress.
Google Compute Engine virtual machines can be hijacked and made to hand over root shell access via a cunning DHCP attack, according to security researcher Imre Rad. Though the weakness remains unpatched, there are some mitigating factors that diminish the potential risk. A successful attack involves overloading a victim's VM with DHCP traffic so that it ends up using a rogue attacker-controlled metadata server, which can be on the same network or on the other side of the internet.
An unpatched security vulnerability affecting Google's Compute Engine platform could be abused by an attacker to take over virtual machines over the network. "This is done by impersonating the metadata server from the targeted virtual machine's point of view," security researcher Imre Rad said in an analysis published Friday.
Google on Monday announced new security measures for developer accounts on Google Play, meant to ensure that each account is created by a real person. Google Play, which provides access to millions of Android applications and games, has been abused by threat actors for the distribution of malware, and Google is looking for new ways to strengthen the security of both developers and users.