HaxRob
I enjoy breaking things. Telco / mobile and IoT security. Surfing the information super highway one keystroke at a time.
Mar 26 19 tweets 9 min read
If you needed yet another reason not to trust VPN providers or proxy services...

Here Facebook partnered with a bunch of companies to have root certificates installed on people's phones so they could intercept other apps' traffic.

storage.courtlistener.com/recap/gov.usco…
Here Facebook acquired Onavo and had quite a good run before the spyware got pulled from app stores.

At a $120 million dollar price point it's clear how much value they put on having the ability to intercept users' mobile traffic.

en.wikipedia.org/wiki/Onavo
Feb 28 19 tweets 8 min read
I recently found two very interesting Linux binaries uploaded to VirusTotal.

I call this malware 'GTPDOOR'.

GTPDOOR is a 'magic/wakeup' packet backdoor that uses a novel C2 transport protocol: GTP (GPRS Tunnelling Protocol), silently listening on the GRX network (1/n) 🧵

One version uploaded from 🇨🇳 has zero detections on VT. The other, uploaded from 🇮🇹, has just one detection.

These were uploaded 4 to 5 months ago.

(2/n)
Feb 20 17 tweets 6 min read
The Chinese APT contractor leak contained a few interesting files; namely:

- CDRs (Call Detail Records)
- LBS (Location Based Services) db records

Threat actors compromise telcos with the aim to obtain subscriber metadata to support IC objectives.

Some background: (1/5) 🧵

CDRs are primarily used for postpaid billing and reporting purposes. They are generated in various network elements and consolidated in mediation systems.

It's these central databases that are often targeted. Data for a subscriber is generated in many systems:

(2/5)
Feb 10 22 tweets 9 min read
With the (fake) toothbrush botnet story still fresh, Colgate's connected Bluetooth toothbrush caught my eye on discount at the local supermarket.

"Hi there, let's get to know each other"

Sure, let's do this. What will we learn? (1/n) 👇

Happy to see that the Android app has responsibly requested the minimum permissions for BLE scanning. I kind of was expecting it to request my location for this, which it didn't. (2/n)
Jul 23, 2023 48 tweets 25 min read
This invasive Bluetooth car battery monitor was found to be sending the following location data to 🇨🇳

- GPS
- Wifi devices
- Cell phone towers

The Apple and Google app stores said no personal data was collected.

A new update has emerged. Let's see what was changed 👇 (1/n)

Before we begin the investigation, a coverage map of where these devices have been found across planet earth.

Collected Bluetooth beacon data from reveals they are everywhere. There are likely hundreds of thousands of these roaming about.

(2/n) wigle.net
Jul 9, 2023 13 tweets 9 min read
A twitter user mentioned the mobile app for their “smart” wifi connected power plug was requesting their location.

The app has more than 1 million downloads.

Curious, I ordered the ‘Meross’ branded device and it’s just arrived.

What will we find? Let's dig in ..🧵

Let's see how we can pair with the minimum amount of granted permissions.

Discovering "nearby devices" with Bluetooth enabled is mandatory. It then prompts for precise and approx. location.

Hit deny.

We have to manually connect to the device - it's turned into a wifi AP.…
Jul 5, 2023 16 tweets 8 min read
A friend asked me to find out why his connected lightbulb app was asking for his location, so I ducked out to Australia’s favourite hardware store, Bunnings, and grabbed one to check out.

The Android grid connect app has 500k+ downloads.

Let’s take a quick look! 🧵
(1/n)

The app has a feature where it can auto discover your BLE devices. Is location permission needed here? It depends. From Android API SDK v31, things have improved: fine location is not needed for BLE scanning.

The app is forcing this even though we are on v31.

(2/n)