Category Archives: Mobile

Acropalypse flaw in Google Pixel’s Markup tool allowed the recovery of edited images

The Acropalypse flaw in the Markup tool of Google Pixel allowed the partial recovery of edited or redacted screenshots and images.

Security researchers Simon Aarons and David Buchanan have discovered a vulnerability, named ‘Acropalypse,’ in the Markup tool of Google Pixel. Markup is a built-in utility, released with Android 9 Pie, that allows Google Pixel users to edit (crop, add text, draw, and highlight) screenshots.

The vulnerability allowed the partial recovery of the original, unedited image data of a cropped and/or redacted screenshot.

Aarons described how to exploit the vulnerability via Twitter. Let’s imagine a user uploading a screenshot from a bank app or website that includes an image of their payment card.

The user uses Markup’s Pen tool to black out the card number in the image before sharing it on a service like Discord.

The vulnerability in the Markup tool could have allowed an attacker that downloaded the image to perform a “partial recovery of the original, unedited image data of cropped and/or redacted screenshot.”

Exploiting the bug allows an attacker to recover the card number hidden under the black lines, along with ~80% of the full screenshot, which might include other sensitive information.

“The third panel is titled ‘Recovered image’ and depicts a fake bank website. The top 20% of the image is corrupted, but the remainder of the image – including a photo of the credit card with its number visible – is fully recovered,” Aarons explained.

The duo has also published a demo utility that allows owners of Pixel devices to test their own redacted images and see whether they are recoverable. The experts also announced that they will publish a FAQ shortly.

“When an image is cropped using Markup, it saves the edited version in the same file location as the original. However, it does not erase the original file before writing the new one. If the new file is smaller, the trailing portion of the original file is left behind, after the new file is supposed to have ended,” states the 9to5google website.

According to a technical analysis published by David Buchanan, the root cause of the flaw was due to this horrible bit of API “design”: https://issuetracker.google.com/issues/180526528.

“Google was passing “w” to a call to parseMode(), when they should’ve been passing “wt” (the t stands for truncation). This is an easy mistake, since similar APIs (like POSIX fopen) will truncate by default when you simply pass “w”. Not only that, but previous Android releases had parseMode(“w”) truncate by default too! This change wasn’t even documented until some time after the aforementioned bug report was made.” wrote Buchanan. “The end result is that the image file is opened without the O_TRUNC flag, so that when the cropped image is written, the original image is not truncated. If the new image file is smaller, the end of the original is left behind.”
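The two paragraphs above explain the mechanism (a rewrite without O_TRUNC leaves the tail of the original file behind) and the check the researchers’ demo utility performs (is there anything after the PNG’s IEND chunk?). The following is an added example, not code from the researchers, Google, or this site: it reproduces the bug with POSIX open flags (os.open without O_TRUNC stands in for Android’s parseMode("w") on the affected releases, and with O_TRUNC for the fixed "wt"), walks the PNG chunk list to find where the file should end, counts leftover bytes, and truncates them. The PNG content and file names are constructed for the demo.

```python
import os
import random
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, seed: int) -> bytes:
    """Build a minimal valid 8-bit RGB PNG filled with pseudo-random pixels.
    Constructed stand-in for a screenshot; random data keeps the IDAT size
    proportional to the image size instead of compressing to almost nothing."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rng = random.Random(seed)
    raw = b"".join(b"\x00" + rng.randbytes(3 * width) for _ in range(height))
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk,
    i.e. where a well-formed PNG file is supposed to end."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4            # header + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND chunk not found")


def trailing_bytes(data: bytes) -> int:
    """Bytes after IEND. Decoders ignore them, so a viewer shows a clean image,
    but they are whatever the file held before it was overwritten in place."""
    return len(data) - png_end_offset(data)


def strip_trailing(data: bytes) -> bytes:
    """Sanitise a PNG by keeping only the bytes up to and including IEND."""
    return data[:png_end_offset(data)]


def overwrite(path: str, new_data: bytes, truncate: bool) -> None:
    """Overwrite an existing file in place. truncate=False mirrors the buggy
    parseMode("w") (no O_TRUNC); truncate=True mirrors the fixed "wt"."""
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if truncate else 0)
    fd = os.open(path, flags, 0o600)
    try:
        while new_data:
            written = os.write(fd, new_data)
            new_data = new_data[written:]
    finally:
        os.close(fd)


def crop_demo(truncate: bool) -> tuple[int, int, bytes]:
    """Save a large 'screenshot', overwrite it in place with a smaller 'cropped'
    one, and return (original size, cropped size, bytes actually on disk)."""
    original = make_png(64, 64, seed=1)
    cropped = make_png(16, 16, seed=2)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "screenshot.png")   # constructed path
        with open(path, "wb") as f:
            f.write(original)
        overwrite(path, cropped, truncate=truncate)
        with open(path, "rb") as f:
            on_disk = f.read()
    return len(original), len(cropped), on_disk


if __name__ == "__main__":
    for truncate in (False, True):
        orig_len, crop_len, on_disk = crop_demo(truncate)
        mode = "wt" if truncate else "w"
        print(f'parseMode("{mode}"): file is {len(on_disk)} bytes, '
              f'{trailing_bytes(on_disk)} bytes after IEND '
              f'(cropped PNG is {crop_len}, original was {orig_len})')
```

Run against a real screenshot, `trailing_bytes` is the same test as the researchers’ checker: a non-zero result means the file still carries data from before the edit, and `strip_trailing` removes it before the image is shared. The same chunk walk applies to any PNG; JPEG would need an equivalent end-of-image (EOI marker) scan.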

The vulnerability, tracked as CVE-2023-21036, was reported to Google in January 2023, and the IT giant addressed it on March 13, 2023.

Although Google has addressed the issue, images edited with the tool and shared over the past five years remain vulnerable to the Acropalypse attack.

The experts verified that there are a lot of cropped screenshots on platforms like Discord.

Buchanan wrote a script to scrape his own message history to look for vulnerable images and discovered that there were lots of them.

“The worst instance was when I posted a cropped screenshot of an eBay order confirmation email, showing the product I’d just bought. Through the exploit, I was able to un-crop that screenshot, revealing my full postal address (which was also present in the email). That’s pretty bad!” Buchanan concluded.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google Pixel)

Baseband RCE flaws in Samsung’s Exynos chipsets expose devices to remote hack

Google’s Project Zero hackers found multiple flaws in Samsung’s Exynos chipsets that expose devices to remote hack with no user interaction.

White hat hackers at Google’s Project Zero unit discovered multiple vulnerabilities in Samsung’s Exynos chipsets that can be exploited by remote attackers to compromise phones without user interaction.

The researchers discovered a total of eighteen vulnerabilities; the four most severe of them (CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE IDs) allow Internet-to-baseband remote code execution.

An attacker only needs to know the victim’s phone number to exploit these vulnerabilities.

“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number.” reads the advisory published by Google. “With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.”

Experts warn that skilled threat actors would be able to create an exploit to compromise impacted devices in a stealthy way.

The experts recommend turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in the settings of vulnerable devices to prevent baseband remote code execution attacks.

“Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities.” states the report.

Samsung Semiconductor’s advisories provide the list of Exynos chipsets impacted by these vulnerabilities. Below is a list of devices allegedly affected by these flaws:

  • Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;
  • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
  • The Pixel 6 and Pixel 7 series of devices from Google;
  • any wearables that use the Exynos W920 chipset; and
  • any vehicles that use the Exynos Auto T5123 chipset.

Google did not disclose technical details of these flaws, to prevent threat actors from developing their own exploits.

“Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution,” said Project Zero team lead Tim Willis.

The experts are disclosing details only for five vulnerabilities (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075 and CVE-2023-26076) that have exceeded Project Zero’s standard 90-day deadline.


Pierluigi Paganini

(SecurityAffairs – hacking, Samsung’s Exynos)

Latest version of Xenomorph Android malware targets 400 banks

A new version of the Xenomorph Android malware includes a new automated transfer system framework and targets 400 banks.

The author of the Xenomorph Android malware, the Hadoken Security Group, continues to improve their malicious code.

In February 2022, researchers from ThreatFabric first spotted the Xenomorph malware, which was distributed via the official Google Play Store reaching over 50,000 installations.

The banking Trojan was used to target 56 European banks and steal sensitive information from the devices of their customers. Analysis of the code revealed unimplemented features and a large amount of logging, which suggests that the threat is under active development.

Xenomorph overlaps in places with the Alien banking trojan, but its functionality is radically different from Alien’s.

The experts noticed that the malware was continuously improved during 2022 and was distributed in small campaigns. The operators first distributed the Android malware via the GymDrop dropper operation; later the malicious code was also distributed via the Zombinder operation.

A recently discovered variant, tracked as Xenomorph.C, is significantly improved.

The new variant supports a new automated transfer system (ATS) framework and can target over 400 banks and financial institutions, mainly from Spain, Turkey, Poland, the United States, Australia, Canada, Italy, Portugal, France, Germany, UAE, and India.

“This new version of the malware adds many new capabilities to an already feature rich Android Banker, most notably the introduction of a very extensive runtime engine powered by Accessibility services, which is used by actors to implement a complete ATS framework. With these new features, Xenomorph is now able to completely automate the whole fraud chain, from infection to funds exfiltration, making it one of the most advanced and dangerous Android Malware trojans in circulation.” reads the report published by Threat Fabric. “In addition, the samples identified by ThreatFabric featured configurations with Target lists made of more than 400 banking and financial institutions, including several cryptocurrency wallets, with an increase of more than 6 times with comparison to its previous variants, including financial institutions from all continents.”

The ATS framework allows operators to automate credential exfiltration, balance checks, transactions, and the theft of money from target apps without manual interaction from an operator.

The researchers explained that the ATS scripts are received in JSON format, then processed and converted into a list of operations executed by the engine on the device.

“The engine used by Xenomorph stands out from its competition thanks to the extensive selection of possible actions that are programmable and can be included in ATS scripts, in addition to a system that allows for conditional execution and action prioritization.” continues the report.

The ATS framework is also able to extract MFA codes from third-party apps, such as Google’s authenticator application.

The experts also noticed that the authors set up a website to advertise this Android malware-as-a-service, a circumstance that confirms their intentions of entering the MaaS landscape.

The latest Xenomorph version also includes cookie-stealing capabilities.

“Session Cookies allow users to maintain open sessions on their browsers without having to re-input their credentials repeatedly. A malicious actor in possession of a valid session cookie effectively has access to the victim’s logged in web session.” continues the report. “Xenomorph, just like the other malware families previously mentioned, starts a browser with JavaScript interface enabled. The malware uses this browser to display the targeted page to the victim, with the intent of tricking users into logging into the service whose cookie Xenomorph is trying to extract.”

The Xenomorph malware focuses on the theft of PII such as usernames and passwords using overlay attacks.

The malware also targets popular cryptocurrency wallets, including Binance, BitPay, Coinbase, Gemini, and KuCoin.

“Xenomorph v3 is capable of performing the whole fraud chain, from infection, with the aid of Zombinder, to the automated transfer using ATS, passing by PII exfiltration using Keylogging and Overlay attacks. In addition, the Threat Actor behind this malware family has started actively publicizing their product, indicating a clear intention to expand the reach of this malware.” concludes the report. “ThreatFabric expects Xenomorph to increase in volume, with the likelihood of being once again distributed via droppers on the Google Play Store.”


Pierluigi Paganini

(SecurityAffairs – hacking, Xenomorph Android malware)

Canada is going to ban TikTok on government mobile devices

The Canadian government announced it will ban the video app TikTok from all government-issued devices over security concerns.

Canada is going to ban the popular Chinese video-sharing app TikTok from the mobile devices of its employees over security concerns. The app will be removed from government devices this week.

The app “presents an unacceptable level of risk to privacy and security,” explained Canada’s chief information officer.

The app, developed by the Chinese firm ByteDance, has over 1 billion active users worldwide and has come under close scrutiny in the US and other countries over its alleged links with the Government of Beijing.

The US already warned of the alleged link between the Chinese company and the Communist Party, accusing TikTok of collecting and sharing data for Chinese intelligence.

Last week, the European Union banned the popular Chinese video-sharing app TikTok from the mobile devices of its employees over security concerns.

Prime Minister Justin Trudeau said this move might be a first step toward further action, or might be the only step needed.

“This may be the first step, this may be the only step we need to take,” the Prime Minister said at a press conference near Toronto.

TikTok is also under the scrutiny of Canadian privacy regulators that are investigating whether the company obtains valid and meaningful consent from users when collecting their personal information.

“On a mobile device, TikTok’s data collection methods provide considerable access to the contents of the phone,” Mona Fortier, the president of Canada’s Treasury Board, said. “While the risks of using this application are clear, we have no evidence at this point that government information has been compromised.”

Source: Messagero

TikTok said it was disappointed by the Canadian Government’s decision, which, according to the Chinese firm, was taken without providing evidence of the risks posed by the mobile app.

“We are always available to meet with our government officials to discuss how we protect the privacy and security of Canadians, but singling out TikTok in this way does nothing to achieve that shared goal,” said a company spokesperson. “All it does is prevent officials from reaching the public on a platform loved by millions of Canadians.”

A similar move was adopted by the US Government, which is banning the use of TikTok on all government devices by the end of February 2023 due to national security concerns related to TikTok’s ties to China.

In January 2020, the US Army banned the use of the popular TikTok app on mobile phones used by its personnel for security reasons.

In November, the short-form video-sharing service updated its privacy policy for European Economic Area (“EEA”), the UK, and Switzerland and confirmed that its users’ data can be accessed by its personnel, including Chinese employees.

European user data could be also accessed by TikTok staff in Brazil, Canada and Israel as well as the US and Singapore, where user data is currently stored.

In December, TikTok parent company ByteDance revealed that several employees accessed the TikTok data of two journalists to investigate leaks of company information to the media. 

According to an email from ByteDance’s general counsel Erich Andersen which was seen by the AFP news agency, the Chinese company was attempting to discover who shared company information with a Financial Times reporter and a former BuzzFeed journalist.

The company fired an undisclosed number of employees who were involved in the data leak because they violated the company’s Code of Conduct, but it did not reveal their names.

In an attempt to locate the employees suspected of leaking, the Chinese personnel analyzed their IP addresses, but this method proved imprecise.

While Western governments are banning the app from government devices, the company announced that it plans to open two more European data centers to allay data privacy and security concerns.


Pierluigi Paganini

(SecurityAffairs – hacking, Canada)

The European Commission has banned its staff from using TikTok over security concerns

The European Commission has banned its employees from using the Chinese social media app TikTok over security concerns.

The European Union has banned the popular Chinese video-sharing app TikTok from the mobile devices of its employees over security concerns. The app, developed by the Chinese firm ByteDance, has over 1 billion active users worldwide and has come under close scrutiny in the US and other countries over its alleged links with the Government of Beijing.

The US already warned of the alleged link between the Chinese company and the Communist Party, accusing TikTok of collecting and sharing data for Chinese intelligence.

A senior official told POLITICO that all staff were ordered on Thursday morning to remove the popular app from their official devices. Staff were also ordered to uninstall the app from their personal devices by March 15 if those devices were also used for professional business.

Alternatively, staff who want to keep using TikTok can delete work-related apps from their personal phones.

“To protect Commission’s data and increase its cybersecurity, the EC Corporate Management Board has decided to suspend the TikTok application on corporate devices and personal devices enrolled in the Commission mobile device service,” said the email sent to staff on Thursday morning.

“The reason why this decision has been taken is to … increase the commission’s cybersecurity,” commission spokesperson Sonya Gospodinova said at a press briefing in Brussels. “Also, the measure aims to protect the commission against cybersecurity threats and actions which may be exploited for cyberattacks against the corporate environment of the commission.”

Source: Messagero

A similar move was adopted by the US Government, which is banning the use of TikTok on all government devices by the end of February 2023 due to national security concerns related to TikTok’s ties to China.

TikTok has yet to comment on the decision.

In January 2020, the US Army banned the use of the popular TikTok app on mobile phones used by its personnel for security reasons.

In November, the short-form video-sharing service updated its privacy policy for European Economic Area (“EEA”), the UK, and Switzerland and confirmed that its users’ data can be accessed by its personnel, including Chinese employees.

European user data could be also accessed by TikTok staff in Brazil, Canada and Israel as well as the US and Singapore, where user data is currently stored.

In December, TikTok parent company ByteDance revealed that several employees accessed the TikTok data of two journalists to investigate leaks of company information to the media. 

According to an email from ByteDance’s general counsel Erich Andersen which was seen by the AFP news agency, the Chinese company was attempting to discover who shared company information with a Financial Times reporter and a former BuzzFeed journalist.

The company fired an undisclosed number of employees who were involved in the data leak because they violated the company’s Code of Conduct, but it did not reveal their names.

In an attempt to locate the employees suspected of leaking, the Chinese personnel analyzed their IP addresses, but this method proved imprecise.

While Western governments are banning the app from government devices, the company announced that it plans to open two more European data centers to allay data privacy and security concerns.


Pierluigi Paganini

(SecurityAffairs – hacking, EU Commission)

Samsung announces Message Guard feature to neutralize zero-click attacks

Samsung introduces a new protection feature called Message Guard to protect users from zero-click malware attacks.

Samsung announced the implementation of a new security feature called Message Guard that aims at protecting users from malicious code that can be installed via zero-click attacks.

Zero-click exploits allow attackers to compromise the target device without any user interaction; for example, a threat actor can exploit a zero-day issue simply by sending an image to the victim.

“Threats evolve, but so too does Samsung’s mobile security. Samsung Galaxy smartphones offer comprehensive safeguards with the powerful Samsung Knox platform, and users are already protected from attacks using video and audio formats.” reads a statement from the company. “Samsung Message Guard takes that security one step further by preemptively protecting your device, limiting exposure to invisible threats disguised as image attachments.”

Samsung Message Guard silently runs in the background and automatically neutralizes any potential threat that is hidden in image files. The new feature does not need to be activated by the user. 

The new feature will be immediately supported by the Samsung Galaxy S23 series, but the company plans to gradually roll it out to other devices of the Galaxy smartphone family.

The South Korean giant pointed out that it is not aware of such attacks on Samsung Galaxy smartphones, but that it continually works on preemptive security measures.

The company presents Samsung Message Guard as an advanced “sandbox,” a secure and trusted environment used to analyze every image that is received to detect hidden malicious code.

“When an image file arrives, it is trapped and isolated from the rest of the device. This prevents malicious code from accessing your phone’s files or interacting with its operating system.” continues the announcement. “Samsung Message Guard checks the file bit by bit and processes it in a controlled environment to ensure it cannot infect the rest of your device.”

Samsung Message Guard provides protection against multiple image formats, including PNG, JPG/JPEG, GIF, ICO, WEBP, BMP, and WBMP.


Pierluigi Paganini

(SecurityAffairs – hacking, Samsung)

Android mobile devices from top vendors in China have pre-installed malware

Researchers reported that the top-of-the-line Android mobile devices sold in China are shipped with malware.

China is currently the country with the largest number of Android mobile devices, but a recent study conducted by researchers from the University of Edinburgh and the Trinity College of Dublin revealed that top-of-the-line Android devices sold in the country are shipped with spyware.

The boffins used static and dynamic code analysis techniques to study the data transmitted by the preinstalled system apps on Android smartphones from three of the most popular vendors in China: Xiaomi, OnePlus, and Oppo Realme. The experts discovered several system, vendor and third-party apps with dangerous privileges.

The apps were designed to exfiltrate user and device information in a stealthy way, including system info, geolocation, user profile, social relationships, and call history.

The smartphones analyzed by the researchers were observed sending data to the device vendor and to Chinese mobile network operators (e.g., China Mobile and China Unicom), even when those operators provide no service to the device (i.e. no SIM card is present in the phone, or the SIM card was issued by a different operator in China or in the UK).

This software puts users’ privacy at risk: it could be used to spy on users and to unmask their identities.

The experts pointed out that users who leave the country remain exposed to surveillance through the pre-installed software.

The researchers also compared the preinstalled system apps on the Chinese (CN) and Global (e.g., EU) Android OS distributions from the same OS developers. They discovered that the number of preinstalled third-party apps on CN OS distributions is 3 to 4 times larger than for the corresponding Global OS distribution and that these are given 8 to 10 times as many permissions as third-party apps in Global distributions.

“Overall, our findings paint a troubling picture of the state of user data privacy in the world’s largest Android market, and highlight the urgent need for tighter privacy controls to increase the ordinary people’s trust in technology companies, many of which are partially state-owned.” reads the paper published by the experts.

could easily lead to the persistent tracking of users and the easy unmasking of their identities.

The experts measured the network traffic generated by the devices when in-use by a privacy-aware consumer, who opts out of analytics and personalization, does not use any other optional third-party services or any cloud storage, and has not set up an account on any platform of the OS distribution developer.

The researchers discovered major differences in terms of how privacy provisions are enforced in different regions.

In China, phone numbers are registered under a citizen ID, which means it was possible to link the device to the real identity of its owner.

Chinese manufacturers have yet to comment on the research.


Pierluigi Paganini

(SecurityAffairs – hacking, Android mobile devices)

Apple backported patches for CVE-2022-42856 zero-day on older iPhones, iPads

Apple has backported the security updates for the zero-day vulnerability CVE-2022-42856 to older iPhones and iPads.

In December 2022, Apple released security updates to address a new zero-day vulnerability, tracked as CVE-2022-42856, that was actively exploited in attacks against iPhones.

The IT giant released security bulletins for iOS/iPadOS 15.7.2, Safari 16.2, tvOS 16.2, and macOS Ventura 13.1. Apple addressed the vulnerability with improved state handling for the iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

The CVE-2022-42856 flaw is a type confusion issue in the WebKit browser engine; an attacker can exploit the bug by getting the device to process specially crafted web content, achieving arbitrary code execution.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.” reads the advisory published by Apple. “A type confusion issue was addressed with improved state handling.”

The vulnerability was reported by Clément Lecigne of Google’s Threat Analysis Group. At this time there are no public details about the attacks exploiting the vulnerability.

This week, Apple backported the security updates for the CVE-2022-42856 issue to older iPhones and iPads.

To secure older devices against attacks exploiting the above issue, Apple released iOS 12.5.7. The patches are now available also for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

On December 14, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to address it by January 04, 2022.

The company addressed the zero-day bug with improved state handling for the following devices: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).


Pierluigi Paganini

(SecurityAffairs – hacking, Apple)


Two flaws in Samsung Galaxy Store can allow attackers to install apps and execute JS code

Researchers found two flaws in Samsung Galaxy Store that could be exploited to install applications or achieve code execution on the devices.

Researchers from cybersecurity firm NCC Group published technical details on two vulnerabilities, tracked as CVE-2023-21433 and CVE-2023-21434, in Samsung Galaxy Store that could be exploited to install applications or execute malicious JavaScript code.

The vulnerability CVE-2023-21433 is an improper access control issue that can allow local attackers to install apps from the Galaxy App Store.

“It was found that the Galaxy App Store has an exported activity which does not handle incoming intents in a safe manner. This allows other applications installed on the same Samsung device to automatically install any application available on the Galaxy App Store without the user’s knowledge.” reads the advisory published by NCC Group.

It should be noted that due to the changes made to Android 13,

The experts pointed out that this vulnerability only impacts Samsung devices that are running Android 12 and below.

The second flaw, tracked as CVE-2023-21434, is an improper input validation issue that could allow a local attacker to execute JavaScript code by launching a web page.

“It was found that a webview within the Galaxy App Store contained a filter which limited which domains that webview could browse to. However, the filter was not properly configured, which would allow the webview to browse to an attacker-controlled domain,” NCC Group continues.

An attacker can trigger the issue either by tricking the victim into tapping a malicious hyperlink in Google Chrome or through a rogue application pre-installed on the Samsung device; either path can bypass Samsung’s URL filter and launch a webview to an attacker-controlled domain.
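The advisory says only that the webview’s domain filter was “not properly configured”; the page does not say how. As an added example, not NCC Group’s PoC and not Samsung’s code, the following shows the class of check such a filter has to get right: a substring test on the raw URL (a common way these filters go wrong) beside a check that parses the URL, requires https, and compares the parsed hostname against the allowlist on a dot boundary. The allowlisted hosts are assumed placeholders, not Galaxy Store domains.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the demo (placeholders, not Samsung's real domains).
ALLOWED_DOMAINS = {"example-store.test"}


def weak_filter(url: str) -> bool:
    """A substring check on the raw URL string. Anything that merely
    *contains* an allowed name passes, including attacker-controlled hosts."""
    return any(domain in url for domain in ALLOWED_DOMAINS)


def strict_filter(url: str) -> bool:
    """Parse first, then decide on the parsed components:
    - only https, so javascript:/file:/http: URLs are refused outright;
    - compare the *hostname* (after any userinfo '@'), not the whole URL;
    - accept an exact match or a subdomain on a '.' boundary, so that
      'example-store.test.evil.test' is not mistaken for a subdomain."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if not host:
        return False
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def compare(urls: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {url: (weak_filter verdict, strict_filter verdict)}."""
    return {u: (weak_filter(u), strict_filter(u)) for u in urls}


if __name__ == "__main__":
    # Constructed test URLs: legitimate pages plus the shapes a filter must refuse.
    samples = [
        "https://apps.example-store.test/detail?id=1",
        "https://example-store.test/",
        "https://example-store.test@evil.test/",          # userinfo trick
        "https://example-store.test.evil.test/",          # lookalike suffix
        "https://evil.test/?next=example-store.test",     # name only in query
        "http://example-store.test/",                     # wrong scheme
        "javascript:alert(document.cookie)",              # no host at all
    ]
    for url, (weak, strict) in compare(samples).items():
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```

A correct filter is necessary but not sufficient: a webview that enables a JavaScript interface should also only accept URLs from trusted sources, since an exported activity that forwards intent data into the webview hands the choice of page to any app on the device.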

The advisory also includes proof-of-concept (PoC) code for both issues.

NCC Group reported the issues to Samsung in November and December 2022; the vulnerabilities were addressed in Galaxy Store version 4.5.49.8.


Pierluigi Paganini

(SecurityAffairs – hacking, Samsung)


1.7 TB of data stolen from digital intelligence firm Cellebrite leaked online

1.7 TB of data stolen from Cellebrite, a digital intelligence company that provides tools for law enforcement, was leaked online.

The Israeli mobile forensics firm Cellebrite is one of the leading companies in the world in the field of digital forensics; it works with law enforcement and intelligence agencies worldwide.

One of the most popular products provided by the company is the UFED (Universal Forensic Extraction Device), which is used by law enforcement and intelligence agencies to unlock and access data on mobile devices.

Hacktivists argued that the tools have been used in the past against journalists, activists, and dissidents around the world.

Many reports [1, 2, 3, 4] claim the technology provided by Cellebrite was used by governments to spy on journalists and citizens, violating human rights. Human rights advocates remark that Cellebrite must be aware of the human rights violations committed by its customers, and that the company has a responsibility to carry out due diligence on its government clients and to monitor misuse of its technology.

The company thus became a target of activists and motivated whistleblowers.

The data of the Israeli company and of the Swedish forensics firm MSAB were leaked online by the Enlace Hacktivista collective, with the support of a whistleblower, and later through the DDoSecrets platform.

“Jan 13, 2023: An anonymous whistleblower sent us phone forensics software and documentation from Cellebrite and MSAB. These companies sell to police and governments around the world who use it to collect information from the phones of journalists, activists, and dissidents.” reads the announcement published by Enlace Hacktivista on its page. “Both companies’ software is well documented as being used in human rights abuses [1][2][3]. The leaks are available for download as torrents or direct download.”

The archive shared via torrent includes the entire Cellebrite suite, along with a huge trove of files used for software localization, and technical guides for customers.


Pierluigi Paganini

(SecurityAffairs – hacking, Cellebrite)
