Apple has added a new post to its Machine Learning Journal that explains how it’s using differential privacy to protect users, even when collecting very sensitive data such as keystrokes and the sites users visit.
This type of data collection occurs when users opt in to share usage analytics from macOS or iOS, allowing Apple to collect “privatized records”.
Apple introduced differential privacy in iOS 10 in support of new data collection aimed at improving QuickType, emoji suggestions, Spotlight suggestions, and media playback features in Safari.
The system works on the basis that statistical noise can be added to data on the device before it’s shared with Apple.
The post, Learning with Privacy at Scale, is Apple’s seventh issue in its first volume on the site that goes into detail about its machine-learning projects and how they impact its products. This one offers a deeper dive into its differential privacy framework and serves to reassure users that it’s not slurping up extremely private information.
It says its approach to differential privacy on the device allows data to be “randomized before being sent from the device, so the server never sees or receives raw data”.
The records arrive at a restricted-access server where IP addresses are dropped. Apple says at that point it can’t tell if an emoji record and a Safari web domain record come from the same user. Apple then converts the records into aggregate statistics that are shared with relevant teams at Apple.
When users opt in to share device analytics, Apple defines a “per-event privacy parameter” and limits the number of records that are transmitted by each user per day.
Users can see the reports in iOS by going to Settings > Privacy > Analytics > Analytics Data, in entries that begin with ‘DifferentialPrivacy’. Mac users can see them in the Console in System Reports. Apple also offers sample images to show users how the reports can be identified.
Apple has what it calls an ‘ingestor’ where metadata such as timestamps of records is removed and the records are grouped by use case. The records are then passed to an ‘aggregator’ for statistical analysis.
The end result of all this processing is that Apple can now, for example, tell which are the most popular emojis, and in different languages, which in turn helps it improve predictive emoji on the iOS keyboard.
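As an added illustration (not Apple's code and not its production algorithm), the sketch below uses k-ary randomized response, a simpler local differential privacy mechanism, to show how a device can randomize an emoji record before sending it and how an aggregator can still recover popularity counts. The emoji names, usage weights and epsilon value are constructed for the example; epsilon plays the role of the per-event privacy parameter.

```python
import math
import random
from collections import Counter

# Constructed emoji domain for the example (assumption, not Apple's list).
EMOJI = ["face_with_tears_of_joy", "red_heart", "loudly_crying_face",
         "heart_eyes", "thumbs_up"]


def privatize(value, domain, epsilon, rng):
    """Device side: k-ary randomized response (epsilon-local DP).

    The true value is sent with probability e^eps / (e^eps + k - 1);
    otherwise one of the other k-1 values is sent uniformly at random.
    """
    k = len(domain)
    p_truth = math.exp(epsilon) / (math.exp(epsilon) + k - 1)
    if rng.random() < p_truth:
        return value
    return rng.choice([v for v in domain if v != value])


def aggregate(reports, domain, epsilon):
    """Server side: turn noisy report counts into unbiased count estimates."""
    k, n = len(domain), len(reports)
    p = math.exp(epsilon) / (math.exp(epsilon) + k - 1)
    q = (1 - p) / (k - 1)  # chance a given *other* value is reported
    counts = Counter(reports)
    # E[count_v] = n_v * p + (n - n_v) * q, solved for n_v.
    return {v: (counts[v] - n * q) / (p - q) for v in domain}


def simulate(n=20000, epsilon=2.0, seed=7):
    """Run n constructed devices; return (true counts, server estimates)."""
    rng = random.Random(seed)
    weights = [0.40, 0.25, 0.15, 0.12, 0.08]  # constructed true usage
    truth = rng.choices(EMOJI, weights=weights, k=n)
    # The server only ever receives the randomized reports, never `truth`.
    reports = [privatize(v, EMOJI, epsilon, rng) for v in truth]
    return Counter(truth), aggregate(reports, EMOJI, epsilon)


if __name__ == "__main__":
    true_counts, estimates = simulate()
    for name in EMOJI:
        print(f"{name:24s} true={true_counts[name]:6d} "
              f"estimated={estimates[name]:9.1f}")
```

Any single report is deniable, because every value in the domain could have produced it, yet the ranking across many users survives. Lowering epsilon strengthens that deniability and widens the error in the estimates.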
Apple can also identify websites that are energy and memory hogs in Safari on iOS and macOS. Apple’s browser can detect these domains and report them to Apple using its differential privacy framework.
It also helps identify the websites on which users want Auto-play enabled, which Safari began automatically blocking with macOS High Sierra.
The third benefit to Apple is that it can discover new words, which help it improve its on-device lexicons and autocorrect.
Collectively downloaded millions of times, 158 fake Android applications containing mobile malware were recently found smuggled into the Google Play Store, according to a trio of separate research reports that were published within days of each other.
Researchers at McAfee did the heaviest lifting, spotting Grabos, a program that pushes unwanted apps, in 144 trojanized apps. Meanwhile, analysts at ESET identified eight apps carrying a multi-stage downloader dubbed Android/TrojanDropper.Agent.BKY, and experts at Malwarebytes found six apps sabotaged with Android/Trojan.AsiaHitGroup, which contains hidden adware and attempts to download an SMS trojan.
In all three cases, Google was alerted to the troublesome APKs and promptly removed them. However, these latest discoveries are further evidence that Google alone is not able to prevent every malicious actor from sneaking malware into its software store.
The Grabos malware that McAfee identified was found primarily in file explorer and music player applications, some of which were open source in nature. Its malicious activity includes gathering and exfiltrating a device’s specs (e.g. Android version, build model and country code), location, and configuration. It also appears to check if certain social and Google apps are installed and reports its findings to the command-and-control server.
McAfee believes such information helps Grabos create custom notifications designed to trick users into downloading and installing additional mobile software.
“Grabos gained popularity on Google Play because it allowed users to download music for free while constantly asking them to rate the app. However, users were not aware of the hidden functionality that comes with those apps, exposing them to custom notifications to download and install additional apps and open them without their consent,” states McAfee mobile malware researcher Carlos Castillo in a McAfee blog post. “Considering that Grabos also reports the presence of specific social and Google apps on infected devices, cybercriminals could use that information to deliver additional apps by tricking users into installing them using any of the notification methods implemented in the code.”
Grabos constantly analyzes the current state of the phone to determine whether it is safe to run its malicious code or execute only its legitimate functionality. When the user is not actively using the open app, and if there are no indicators that the app is running in a test environment or being dynamically analyzed, then Grabos begins reaching out to its C&C server. Grabos further evades analysis by updating its remote settings every 24 hours and likely dodged Google Play’s security measures by obfuscating its injected code, Castillo explains.
To improve its odds of spreading, Grabos is also designed to ask the user to share the app with friends, promising faster download speeds in return.
Grabos was initially found in an application called Aristotle Music audio player 2017, which was reportedly downloaded between one and five million times. McAfee also found the download histories of 34 other malicious Grabos apps, which collectively were downloaded somewhere between 4.2 and 17.4 million times. One app update dates as far back as Apr. 6, 2017, but the rest were last updated between July and October. A full list of Grabos apps is available in McAfee’s blog post report.
In its own blog post, ESET reports that it discovered the downloader TrojanDropper.Agent.BKY in six fake apps called MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS, and World News PRO, as well as two Russian online slots apps.
According to ESET, the malicious apps behave normally on the surface, but behind the scenes they decrypt and execute a first-stage payload, which in turn activates a secondary payload. This second-stage malware then downloads a tertiary payload from a hardcoded URL, which is disguised to look like a normal program like Adobe Flash Player or an Android update. (ESET has learned that one of the malicious URL links was visited nearly 3,000 times, with most activity coming from the Netherlands.)
Five minutes later, the device owner receives a prompt to download this additional app. Once this happens, the app drops the final payload and obtains the necessary permissions for it to work. TrojanDropper.Agent.BKY is known to drop banking trojans, including MazarBot, and in some cases spyware, reports ESET malware researcher and blog post author Lukas Stefanko.
Malwarebytes found at least six Android apps containing AsiaHitGroup, including an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app. All of them were most likely added to Google Play in October and November, writes Nathan Collier, senior malware intelligence analyst, in a company blog post.
Upon analyzing the fake QR scanner app, Malwarebytes found that the malware checks with a website that provides geo-IP services in order to determine an infected device’s location. Malwarebytes believes that if the phone is based in Asia, the malware will then download Android/Trojan.SMS.AsiaHitGroup, a trojan that intercepts SMS text messages.
AsiaHitGroup also contains another hidden APK, Android/Adware.AsiaHitGroup, which is designed to push adware on the victim.