At a glance.
- Private messaging app Whisper may have exposed users' content.
- Banjo may have scraped social media through a subsidiary.
- A COVID-19 tracking app is booted from Google Play.
- Alleged proprietor of DEER[.]IO criminal souk arrested in New York.
- A look at what identity thieves actually do with stolen identities.
Whisper was actually shouting, apparently.
Whisper, a messaging app designed to be, and marketed as, a private place to share intimate thoughts, feelings, desires, and so on, inadvertently left years of content exposed. Researchers told the Washington Post that the data exposure enabled them to access some nine-hundred-million records going back to 2012 and continuing to the present. The content, much of it by design confessional, was linked to the "user’s stated age, ethnicity, gender, hometown, nickname and any membership in groups," but not to the users' actual names. MediaLab, which owns Whisper, disputes the report, saying what the researchers found was “a consumer facing feature of the application which users can choose to share or not share.”
Banjo may have been scraping social media through a subsidiary.
Banjo, the artificial intelligence firm that's working with police (most famously in the US state of Utah, but elsewhere as well) is reported by Vice to have established, used, and then rolled up a quiet subsidiary, Pink Unicorn Labs, that created apps designed to scrape social media, apparently without the users' knowledge or consent.
Geolocation plus Coronavirus plus Tehran contractor will get you kicked out of Google Play.
Google has removed an app, AC19, from the Play store. Developed on behalf of the Iranian government, and deployed by Tehran, AC19 is described as an app that tracks, COVID-19 coronavirus infections. Four things made Google skittish about AC19:
- It collects user geolocation data.
- It was developed by Smart Land Strategy, which has a reputation as a contractor for Tehran's security services. The company was involved in creating the Telegram clones Gold Telegram and HotGram, both of which were ejected from Google Play last spring on suspicion of secretly collecting user information.
- Its description appeared to claim that it could test people for COVID-19, which no simple Android app to do.
- It has to do with the coronavirus, and that's a red flag given current concerns about misinformation and disinformation.
But AC19 may be innocent, at least in general. ZDNet cites an ESET researcher to the effect that he found no signs of malicious activity on the app’s part. It requests user location data in the same overt way many other innocent Android apps do, and in any case the location of an infected person is a reasonable bit of public health data. Some Iranian dissidents who asked to remain anonymous for their own safety did tell ZDNet that they thought Tehran was playing a long game, getting people to download a tracking app during a period of crisis that the users would be inclined to leave in place even after the crisis had passed. In the short run, however, it’s not clear that AC19 is anything other than what it claims to be. The app is still available in third-party stores. But it won’t test anyone for COVID-19 or anything else.
Alleged black marketeer arrested.
US authorities have arrested Kiril Viktorovich Firsov on charges related to his alleged operation of the DEER[.]IO black market souk, ZDNet reports. The FBI picked Mr. Firsov up at New York’s Kennedy Airport this past Saturday. He’s charged with two counts related to aiding and abetting fraud through the site, which has been in operation since 2013. DEER[.]IO sells access to storefronts on its platform, and those storefronts are generally used to offer the sorts of wares criminal hackers sell--compromised or stolen credentials, personally identifiable material used for identity theft, hacking services, and so forth. On March 4th the FBI made a buy of about eleven-hundred gamer accounts from one of DEER[.]IO’s storefronts, confirmed their illegal provenance, and so obtained their warrant. The Bureau says it’s found no legitimate businesses operating in DEER[.]IO, and many of its customers offerings represent a clear threat to victims' privacy.
A DEER[.]IO admin, believed to be Mr. Firsov, explained the business to ZDNet back in 2016: "Deer[.]io works according to the laws of the Russian Federation. Our clients can create shops that do not violate the laws of the Russian Federation. We block shops that sell drugs/stolen bank accounts. We will also block any shop if requested by Roskomnadzor or the competent authorities of the Russian Federation."
What an identity thief actually does with a stolen identity.
A North Carolina man's identity was stolen by parties unknown who used it to create a PayPal account that was employed to buy access to a database of leaked personal information. The unknown criminal then used the data in a prolonged effort to pretend to be country singer Kenny Chesney. The False-Chesney contacted various women in the hope of inveigling them into sending racy photographs. What success the criminal had is unclear from the Daily Beast’s account, but the arbitrariness of the initial identity theft is unsettling. The victim was initially a person of interest to the FBI, which confiscated his devices for two weeks before returning them upon realizing that they had the wrong guy. The victim, an innocent math teacher, told the Beast that “It could’ve been anyone who got my information from an envelope or anybody who ever had my name and address.”