IT NEWS

Android happy to check your nudes before you forward them

Sometimes the updates we install to keep our devices safe do a little bit more than we might suspect at first glance. Take the October 2024 Android Security Bulletin.

It included a new service called Android System SafetyCore. If you can find a mention of that in the security bulletin, you’re a better reader than I am. It wasn’t until a few weeks later that a Google security blog titled 5 new protections on Google Messages to help keep you safe revealed that one of the new protections was designed to introduce Sensitive Content Warnings for Google Messages.

Sensitive Content Warnings is an optional feature that blurs images that may contain nudity before viewing, and when an image that may contain nudity is about to be sent or forwarded, it reminds users of the risks of sending nude imagery and helps prevent accidental shares.

Wait! What?

Yes, there is now a service on my phone that checks whether your pictures are “decent enough” to send or share. I’m not oblivious to the many users that would be better off with such a service, but I’m not so sure they’d appreciate it.

However, what really concerned me is the fact that Google is looking at my incoming and outgoing pictures. I use end-to-end-encrypted (E2EE) messaging for a reason. The content is for me and the receiver, and no-one else, and that definitely includes Google.

But, again, there was no mention of SafetyCore in that blog, or of what would provide the Sensitive Content Warnings feature with the necessary data.

So, you can imagine the surprise and outrage when users found this service, which doesn’t show up on the regular list of running applications and which has permissions to do almost anything on the device.

And by looking up what this app called SafetyCore was all about, all of the above starts to make sense.

Google PlayStore says:

“SafetyCore is a Google system service for Android 9+ devices. It provides the underlying technology for features like the upcoming Sensitive Content Warnings feature in Google Messages that helps users protect themselves when receiving potentially unwanted content. While SafetyCore started rolling out last year, the Sensitive Content Warnings feature in Google Messages is a separate, optional feature and will begin its gradual rollout in 2025. The processing for the Sensitive Content Warnings feature is done on-device and all of the images or specific results and warnings are private to the user.”

Google goes on to reassure:

  • The developer says that this app doesn’t collect or share any user data. 
  • The developer says that this app doesn’t share user data with other companies or organizations. 
  • The developer says that this app doesn’t collect user data.
  • The developer has committed to follow the Play Families policy for this app. 

Google promises that it only rates our pictures and does not collect or share them, but this feature has almost Artificial Intelligence (AI) written all over it. As we all know, an AI needs to be trained, and training an AI locally on your phone is hardly an option. I wish it had the necessary power, but it doesn’t.

I for one don’t see how the secretly installed service measures up to what the feature has to offer. But obviously everyone is entitled to their own opinion and the device is yours to do with as you please.

How to uninstall or disable SafetyCore

The good people at ZDNet provided instructions on how to get rid of SafetyCore or disable it if you would like to do so.

So, if you wish to uninstall or disable SafetyCore, take these steps:

  1. Open Settings: Go to your device’s Settings app
  2. Access Apps: Tap on ‘Apps’ or ‘Apps & Notifications’
  3. Show System Apps: Select ‘See all apps’ and then tap on the three-dot menu in the top-right corner to choose ‘Show system apps’
  4. Locate SafetyCore: Scroll through the list or search for ‘SafetyCore’ to find the app
  5. Uninstall or Disable: Tap on Android System SafetyCore, then select ‘Uninstall’ if available. If the uninstall option is grayed out, you may only be able to disable it
  6. Manage Permissions: If you choose not to uninstall the service, you can also check and try to revoke any SafetyCore permissions, especially internet access

Note: depending on the software version and manufacturer of your device, these instructions may be slightly off. I personally couldn’t test them because my Samsung has not received the October patch yet due to the patch gaps.

If you’d like to learn more about AI and encrypted messaging, we recommend listening to our podcast The new rules for AI and encrypted messaging, with Mallory Knodel (Lock and Code S06E01)


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Background check provider data breach affects 3 million people who may not have heard of the company

Employment screening company DISA Global Solutions has filed a data breach notification after a cyber incident on their network.

DISA says a third party had access to its environment between February 9, 2024, and April 22, 2024. The attacker may have accessed over three million files containing personal information.

DISA is a third-party administrator of employment screening services, including drug and alcohol testing and background checks. DISA discovered the breach on April 22, 2024, and has since conducted an investigation with the help of third-party forensic experts.

This is one of these cases where a company most people have never heard of has amassed a mountain of information about many people. These data brokers gather information from several sources and sell them on to interested buyers. DISA provides these services to over 55,000 companies.

During the investigation, DISA was unable to determine the specifics of the stolen data, but everyone whose data may have been compromised will get a detailed breach notification letter, specifying the type of data.

This letter will also include details about free access to 12 months of credit monitoring and identity restoration services through Experian for which you must enrol by June 30, 2025.

Given the field that DISA is active in, that information could interest cybercriminals for use as background information for targeted phishing attempts or extortion. The Massachusetts breach report tracker shows that at least some Social Security Numbers were involved.

SSN Breached: yes

DISA states that it’s not aware of any attempts to abuse the stolen information:

“While we are unaware of any attempted or actual misuse of any information involved in this incident, we are providing you with information about the incident and steps you can take to protect yourself, should you feel it necessary.”

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

Predatory app downloaded 100,000 times from Google Play Store steals data, uses it for blackmail

A malicious app claiming to be a financial management tool has been downloaded 100,000 times from the Google Play Store. The app, known as “Finance Simplified”, belongs to the SpyLoan family, which specializes in predatory lending.

Sometimes malware creators manage to get their apps listed in the official app store. This is a great benefit for them since it lends a sense of legitimacy to the app, and they don’t have to convince users to sideload the app from an unofficial site.

So, it gives them a much larger audience, they can lean on the trust we invest in the official app stores and users don’t have to do anything they might perceive as suspicious.

While Google has enhanced security measures in place, including AI-powered threat detection and real-time scanning, that are designed to detect and block malicious apps more effectively, the cat-and-mouse game between cybercriminals and security measures continues, with each side trying to outsmart the other.

In this case, the loan app evaded detection on Google Play by loading a WebView that redirected users to an external website, from where they could download the actual app, hosted on an Amazon EC2 server.

Predatory lending is any lending practice where the borrower is taken advantage of by the lender. Predatory lenders impose lending terms that are unfair or abusive.

The apps in the SpyLoan family offer attractive loan terms with virtually no background checks. But once installed, the apps steal information from the victim’s device that can be used to blackmail the victim, especially when they miss any payments on the loan.

The stolen information includes contacts, call logs, text messages, photos, and the device’s location.

Although the app has now been removed from Google Play, it may continue to run on affected devices, collecting sensitive information in the background.

The researchers found that the app only targets users in India with the recommended loan applications and the redirect to an external website.

The information stolen from users could well be used for malicious purposes or sold to other cybercriminals.

Losing data related to a financial account can have severe consequences. If you find an app from this family or another information stealer on your device, there are a few guidelines to follow to limit the damage:

  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.


Surveillance pricing is “evil and sinister,” explains Justin Kloczko (Lock and Code S06E04)

This week on the Lock and Code podcast…

Insurance pricing in America makes a lot of sense so long as you’re one of the insurance companies. Drivers are charged more for traveling long distances, having low credit, owning a two-seater instead of a four, being on the receiving end of a car crash, and—increasingly—for any number of non-determinative data points that insurance companies use to assume higher risk.

It’s a pricing model that most people find distasteful, but it’s also a pricing model that could become the norm if companies across the world begin implementing something called “surveillance pricing.”

Surveillance pricing is the term used to describe companies charging people different prices for the exact same goods. That 50-inch TV could be $800 for one person and $700 for someone else, even though the same model was bought from the same retail location on the exact same day. Or, airline tickets could be more expensive because they were purchased from a more expensive device—like a Mac laptop—and the company selling the airline ticket has decided that people with pricier computers can afford pricier tickets.

Surveillance pricing is only possible because companies can collect enormous arrays of data about their consumers and then use that data to charge individual prices. A test prep company was once caught charging customers more if they lived in a neighborhood with a higher concentration of Asians, and a retail company was caught charging customers more if they were looking at prices on the company’s app while physically located in a store’s parking lot.

This matter of data privacy isn’t some invisible invasion online, and it isn’t some esoteric framework of ad targeting, this is you paying the most that a company believes you will, for everything you buy.

And it’s happening right now.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Consumer Watchdog Tech Privacy Advocate Justin Kloczko about where surveillance pricing is happening, what data is being used to determine prices, and why the practice is so nefarious.  

“It’s not like we’re all walking into a Starbucks and we’re seeing 12 different prices for a venti mocha latte,” said Kloczko, who recently authored a report on the same subject. “If that were the case, it’d be mayhem. There’d be a revolution.”

Instead, Kloczko said:

“Because we’re all buried in our own devices—and this is really happening on e-commerce websites and online, on your iPad, on your phone—you’re kind of siloed in your own world and companies can get away with this.”

Tune in today for the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

A week in security (February 17 – February 23)

Healthcare security lapses keep piling up

Healthcare is one of the sectors that has the most sensitive information about us. At the same time it’s one of the worst at keeping it secret.

Because of its access and storage of our personal health information (PHI) and other personally identifiable information (PII), the healthcare sector should be one of the most secure ones, but due to lack of funding and other resources, it is not.

One of the most impactful data breaches last year was of Change HealthCare, which impacted an estimated 190 million people.

In recent news, security researcher Jeremiah Fowler, who specializes in finding unprotected databases, uncovered a non-password-protected database that contained over 1.6 million records belonging to DM Clinical Research.

DM Clinical Research is a Texas-based clinical trial network that conducts studies in 30 research centers across the US. The company connects patients with physicians to conduct studies for new or alternative medicines, providing clinical trials as a treatment option to patients.

Although the records belonged to DM Clinical Research, it is not known if the database was owned and managed directly by them or by a third-party contractor. It is also not known how long the database was exposed before Fowler discovered it or if anyone else gained access to it.

The unprotected database contained 1,674,218 records which included names, dates of birth, phone numbers, email addresses, vaccination statuses (including specific vaccines received), current medications, and other health conditions that the survey recipients may have.

Insurance companies have shown interest in buying specific medical information, like prescriptions that identify medical conditions such as HIV, cancer, or psychiatric disorders. And data brokers that can get hold of that type of information will gladly sell it to them.

Cybercriminals can use PHI against affected individuals to phish or extort them. But a breach can also have dire financial consequences for the healthcare organization in question.

Health Net Federal Services (HNFS) and its parent company, Centene Corporation, found that out the hard way. HNFS allegedly failed to implement the required cybersecurity measures while administering health benefits for American military service members and their families. To make things worse, the Defense Health Agency of the US Department of Defense accused HNFS of falsely attesting compliance on at least three occasions.

HNFS denies all the allegations and maintains that no data breaches or loss of servicemember information occurred, but they still agreed to pay $11,253,400 to settle the allegations.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

SecTopRAT bundled in Chrome installer distributed via Google Ads

Criminals are once again abusing Google Ads to trick users into downloading malware. Ironically, this time the bait is a malicious ad for Google Chrome, the world’s most popular browser.

Victims who click the ad land on a fraudulent Google Sites page designed as an intermediary portal, similar to what we saw earlier this year with the massive Google accounts phishing campaign.

The final redirect eventually downloads a large executable disguised as Google Chrome, which does install the real browser but also surreptitiously drops a malware payload known as SecTopRAT.

We have reported this incident to Google, but at the time of writing the fake Google Sites page is still up and running.

Distribution: Ad and Google Sites combo

We identified a suspicious ad when searching for “download google chrome”. If you look at the URL embedded in the sponsored result, you will notice it shows “https://sites.google.com”, which is Google’s free website builder.

While most pages hosted on there are legitimate, it’s good to remember that they are user generated and that abuse is a part of any open platform. It’s also a way for criminals to cleverly appear as legitimate when building fake ads.


Malware payload

Once a user double clicks on GoogleChrome.exe the fake Chrome installer connects to hxxps[://]launchapps[.]site/getCode[.]php and retrieves the necessary instructions. Below, we can see how it requests to run as administrator in order to perform certain actions that require this access level.

A PowerShell command adds an exclusion path for the %AppData%\Roaming directory so that Windows Defender does not trigger when the malware payload is extracted.
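The Defender exclusion step described above is something defenders can audit for in their own telemetry. As an added example (not code from the original post or from Malwarebytes), the Python below scans PowerShell script block text, such as the payload of Windows PowerShell Event ID 4104, for commands that add Defender exclusions, and rates any exclusion that points into a user-writable location like AppData or Temp as high severity, because that is the pattern a user-level installer needs. The sample script blocks are constructed here for illustration.

```python
import re

# Constructed sample script block texts (the shape of Event ID 4104 payloads).
# These are made up for illustration, not logs captured from the campaign.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Documents",
    'Add-MpPreference -ExclusionPath "$env:APPDATA\\BackupWin"',
    "Set-MpPreference -ExclusionPath 'C:\\Users\\alice\\AppData\\Roaming\\BackupWin'",
    "Add-MpPreference -ExclusionPath 'C:\\Program Files\\Corp Backup'",
    "Write-Host 'hello'",
]

# Add-MpPreference / Set-MpPreference with any -Exclusion* parameter; the value
# (quoted or bare) is captured so it can be inspected.
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?P<kind>Path|Process|Extension)\s+"
    r"(?P<value>\"[^\"]*\"|'[^']*'|\S+)",
    re.IGNORECASE,
)

# Locations a non-admin user can write to. An exclusion covering one of these
# is what a user-level dropper needs, so it gets the highest severity.
USER_WRITABLE_RE = re.compile(
    r"(\$env:APPDATA|\$env:LOCALAPPDATA|\$env:TEMP|%APPDATA%|%LOCALAPPDATA%|%TEMP%"
    r"|\\AppData\\|\\Temp\\|\\Users\\Public\\)",
    re.IGNORECASE,
)


def audit_exclusions(blocks):
    """Return one finding per script block that adds a Defender exclusion."""
    findings = []
    for index, text in enumerate(blocks, 1):
        match = EXCLUSION_RE.search(text)
        if not match:
            continue
        value = match.group("value").strip("'\"")
        severity = "high" if USER_WRITABLE_RE.search(value) else "medium"
        findings.append(
            {"index": index, "kind": match.group("kind"), "value": value, "severity": severity}
        )
    return findings


if __name__ == "__main__":
    for finding in audit_exclusions(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{finding['severity']}] block {finding['index']}: "
              f"-Exclusion{finding['kind']} {finding['value']}")
```

Even the medium-severity findings deserve a look: legitimate exclusions are normally set by management tooling, not by an interactive PowerShell session, so the surrounding context (parent process, user, timing) is the next thing to check.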


An encrypted data stream is downloaded from hxxps[://]launchapps[.]site/3[.]php?uuid={}_uuid and then decrypted:


The executable named decrypted.exe (PDB path: D:\a\wix4\wix4\build\burn\Release\x64\burn.pdb) is then dropped to %AppData%\Roaming\BackupWin and unpacks the final payload, waterfox.exe. Side note: it has the same name and icon as the Waterfox browser (an open-source fork of the Firefox web browser).


The malicious code is then injected into the legitimate MSBuild.exe process which communicates with the attackers’ command and control infrastructure at the following IP: 45.141.84[.]208. From this, we identify the malware payload as SecTopRAT, a remote access Trojan with stealer capabilities.

Lastly, to make sure victims are completely fooled, it finishes by downloading and installing the legitimate Chrome browser. From the installation script, we see other campaigns the same threat actors are running in parallel for fake Notion and Grammarly installers.


Conclusion

Downloading and installing software provides an opportunity for threat actors as long as they are able to compromise the delivery chain. Search ads provide that entry point by leveraging the trust users have in their search engine. It is somewhat ironic but also damning when malicious ads impersonate the same platform that allows them in the first place.

The fake Chrome installer we reviewed in this blog post cleverly retrieved its malicious payload dynamically from a remote site and only decrypted it after making sure Windows Defender would not be able to scan it. The ruse was complete when the actual legitimate Google Chrome installer was downloaded and installed.

Malwarebytes users were already protected from this attack, with Browser Guard blocking the malicious ad and Premium Security Antivirus detecting the dropped payload.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Indicators of Compromise

Google Sites

sites[.]google[.]com/view/gfbtechd/

Fake Chrome download

chrome[.]browser[.]com[.]de
chrome[.]browser[.]com[.]de/GoogleChrome.exe
48fdfbe23eef7eddff071d3eda1bc654b94cf86036ca1cca9c73b0175e168a55

Payload host

launchapps[.]site

decrypted.exe

f0977c293f94492921452921181d79e8790f34939429924063e77e120ebd23d7

waterfox.exe

0f9b2870c4be5ebacb936000ff41f8075ec88d6535161a93df8e6cfea2d8db54

C2

hxxps[://]pastebin[.]com/raw/eB8bmiVA
45.141.84[.]208
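The indicators above are published defanged so they cannot be clicked or resolved by accident; to hunt with them they have to be refanged and then matched carefully, so that an IP like 45.141.84.208 does not also match a longer address. As an added example (not code from the original post or from Malwarebytes), the Python below refangs the listed IoCs, compiles them so they only match as whole tokens, and checks constructed proxy, DNS, EDR and firewall log lines for both the network indicators and the three SHA-256 hashes. The sample log lines are made up for illustration.

```python
import re

# Indicators copied from the list above, in the defanged form the post uses.
DEFANGED_IOCS = [
    "sites[.]google[.]com/view/gfbtechd/",
    "chrome[.]browser[.]com[.]de",
    "launchapps[.]site",
    "hxxps[://]pastebin[.]com/raw/eB8bmiVA",
    "45.141.84[.]208",
]

# SHA-256 values from the list above, mapped to the file names the post gives them.
IOC_HASHES = {
    "48fdfbe23eef7eddff071d3eda1bc654b94cf86036ca1cca9c73b0175e168a55": "GoogleChrome.exe",
    "f0977c293f94492921452921181d79e8790f34939429924063e77e120ebd23d7": "decrypted.exe",
    "0f9b2870c4be5ebacb936000ff41f8075ec88d6535161a93df8e6cfea2d8db54": "waterfox.exe",
}

# Constructed log lines standing in for proxy, DNS, EDR and firewall records.
# None of these are real logs from the campaign.
SAMPLE_LOGS = [
    "2025-02-20T10:01:02Z proxy user=alice host=sites.google.com url=https://sites.google.com/view/gfbtechd/ status=200",
    "2025-02-20T10:01:40Z proxy user=alice host=chrome.browser.com.de url=http://chrome.browser.com.de/GoogleChrome.exe status=200",
    "2025-02-20T10:02:15Z proxy user=alice host=launchapps.site url=https://launchapps.site/getCode.php status=200",
    "2025-02-20T10:02:16Z dns client=10.0.0.5 query=docs.google.com answer=142.250.0.1",
    "2025-02-20T10:03:00Z edr host=WS01 file=waterfox.exe sha256=0f9b2870c4be5ebacb936000ff41f8075ec88d6535161a93df8e6cfea2d8db54",
    "2025-02-20T10:03:05Z fw src=10.0.0.5 dst=45.141.84.208 dport=443 action=allow",
    "2025-02-20T10:04:00Z proxy user=bob host=www.google.com url=https://www.google.com/ status=200",
]


def refang(ioc):
    """Turn a defanged indicator back into its literal form."""
    ioc = ioc.replace("[://]", "://").replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc)


def compile_indicators(defanged):
    """Compile each refanged indicator so it matches only as a whole token, never as
    a fragment of a longer host name or address (45.141.84.208 must not hit 45.141.84.2081)."""
    patterns = []
    for raw in defanged:
        literal = refang(raw)
        pattern = re.compile(r"(?<![\w.-])" + re.escape(literal) + r"(?![\w-])", re.IGNORECASE)
        patterns.append((literal, pattern))
    return patterns


def match_log_lines(lines, defanged=DEFANGED_IOCS, hashes=IOC_HASHES):
    """Return (line_number, indicator) for every line that matches an IoC."""
    patterns = compile_indicators(defanged)
    hits = []
    for number, line in enumerate(lines, 1):
        matched = next((literal for literal, pat in patterns if pat.search(line)), None)
        if matched is None:
            lower = line.lower()
            matched = next(
                (f"{name} sha256:{digest}" for digest, name in hashes.items() if digest in lower),
                None,
            )
        if matched is not None:
            hits.append((number, matched))
    return hits


if __name__ == "__main__":
    for number, indicator in match_log_lines(SAMPLE_LOGS):
        print(f"line {number}: {indicator}")
```

The Google Sites indicator is deliberately kept as a full URL rather than reduced to its host: sites.google.com on its own is legitimate traffic, and alerting on the bare host would bury the real hit in noise.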

Google Docs used by infostealer ACRStealer as part of attack

An infostealer known as ACRStealer is using legitimate platforms like Google Docs and Steam as part of an attack, according to researchers.

ACRStealer is often distributed via the tried and tested method of downloads posing as cracks and keygens, which are used in software piracy. The infostealer has been around since mid-2024 (as a beta test), but it’s only really taken off in 2025. ACRStealer is capable of:

  • Identifying which antivirus solution is on a device
  • Stealing crypto wallets and login credentials
  • Stealing browser information
  • Harvesting File Transfer Protocol (FTP) credentials
  • Reading all text files

With that kind of information, cybercriminals can go after your cryptocurrency and other funds. With the capture of usernames and passwords from web browsers, attackers can access your accounts, including email, social media, and financial services.

They may even gather enough personal data to be used for identity theft or sold on the dark web.

What stands out in the recently-found ACRStealer variants is the way they communicate with the command and control (C2) server—a computer which is used to send commands to systems compromised by malware and receive stolen data from a target network. Rather than hard-coding the IP address in the malware, they chose to use a method called Dead Drop Resolver (DDR), where the malware contacts a legitimate platform like Google Docs or Steam to read what the C2 domain is.

This is good for the cybercriminals as it means they can easily change the domain if one gets discontinued, seized, or blocked. All they need to do is update the Google Doc.

And outgoing calls to docs.google.com will not easily trigger an alarm, so it helps in staying under the radar.

Stay safe from the ACRStealer

Like many other information stealers, ACRStealer is operated under the Malware-as-a-Service (MaaS) model, where criminals rent out the malware and the infrastructure to other criminals. That makes it hard to know exactly how to defend yourself.

However, there are some things you can do:

  • Stay away from websites offering cracks and keygens
  • Download software from the official publisher wherever possible
  • Don’t click on links in unsolicited communications (email, texts, DMs, etc)
  • Don’t open unverified attachments
  • Use multi-factor authentication (MFA) wherever you can, so even if cybercriminals steal your login details they won’t be able to get into your account
  • Use an active and up-to-date anti-malware solution.

Malwarebytes recognizes new variants of ACRStealer by behavior, which will result in the detection name of Malware.AI.{ID-number}.



DeepSeek found to be sharing user data with TikTok parent company ByteDance

A couple of weeks ago we reported on the concerns surrounding data collection and security at DeepSeek, the Chinese AI company which recently made headlines for shaking up the industry after seemingly appearing from nowhere to become top of the app download charts.

Now South Korea’s Personal Information Protection Commission (PIPC) says it has uncovered evidence that DeepSeek has secretly been sharing data with ByteDance, the parent company of popular social media app TikTok.

PIPC said that DeepSeek, an app with over one million downloads at the time of writing, automatically transmitted information to ByteDance servers every time users accessed the app, doing so without disclosure or explicit consent. PIPC told South Korea’s Yonhap News Agency that it was “yet to confirm what data was transferred and to what extent.”

In response to the investigation, South Korea has removed DeepSeek from app stores, advised users against sharing personal information through the app, and is considering strengthening regulations on foreign companies in the country.

TikTok and parent company ByteDance have faced significant controversy themselves in the past; coming under ongoing scrutiny for mishandling customer data, being labelled an “unacceptable security risk” by the FCC, and being reprimanded for misusing children’s data. These ongoing data protection issues prompted the US to initially instigate a ban on TikTok from January 18 before a presidential executive order issued by the new administration restored service and delayed the enforcement of the ban for an additional 75 days.

Perhaps unsurprisingly, this controversy again raises serious questions and concerns about the crossover between the data-harvesting and sharing practices employed by emerging AI technologies and data protection, an especially critical issue as the use of AI accelerates and begins to play an ever more prominent and constant role in our everyday experiences of technology and media.

It also further illustrates the necessity for proper inquiry into these practices and may indicate an urgent need for transparent and comprehensive international regulations on data privacy, with some nations like Italy and Australia already leading the way in taking action against AI applications like DeepSeek over these issues.

What can you do?

  • Avoid sharing personal information: Never input sensitive or personal data into generative AI apps.
  • Select AI apps carefully: Choose generative AI apps with caution, prioritizing reputable ones that value user privacy and security.
  • Disable chat saving: Turn off chat history to minimize the storage of your conversations.
  • Manage app permissions: Review the app’s requested permissions carefully. Only grant them permission to access things they absolutely need.
  • Review privacy policies: Understand how your data will be used and stored by the app.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.
