July 7, Help Net Security – (International) Flaw allows hijacking of professional surveillance AirLive cameras. Engineers from Core Security discovered vulnerabilities in AirLive’s surveillance cameras in which an attacker could invoke computer-generated imagery (CGI) files without authentication or utilize backdoor accounts to execute arbitrary operating system commands, possibly allowing the attacker to see camera’s transmission stream and compromise network devices. Source
July 6, Threatpost – (International) Fraudulent BatteryBot Pro app yanked from Google Play. Google pulled a malicious spoof of the Android BatteryBot Pro app from its Play service after Zscaler researchers discovered that the app requested excessive permissions from users in an attempt to gain full control of affected devices, supposedly to download and install other malicious Android packages and profit from click fraud, ad fraud, and SMS fraud. Once the app is granted admin privileges, it is impossible to uninstall. Source
July 6, Help Net Security – (International) Old MS Office feature can be exploited to deliver, execute malware. A researcher reported a vulnerability in Microsoft Office in which its Object Linking and Embedding (OLE) Packager could be leveraged to deliver malicious executable files embedded in Office documents without triggering security software. Source
July 7, Help Net Security – (International) Hackers targeting users of Barclays, Royal Bank of Scotland, HSBC, Lloyds Bank and Santander. Security researchers from Bitdefender warned of a malicious phishing scheme targeting financial users of banks worldwide, including Bank of America, Citibank, Wells Fargo, JP Morgan Chase, and PayPal in the U.S., in which spam servers are distributing emails directing users to download an archive containing a downloader for the Dyreza banking trojan. The three-day campaign has so far distributed 19,000 emails worldwide. Source