data from messaging apps, snoop over a phone's camera or microphone, and even erase itself. On Monday, Google and security firm Lookout disclosed the Android spyware, which they suspect comes from NSO Group, an Israeli security firm known to develop smartphone surveillance products. Fortunately, the spyware never hit the mainstream. It was installed fewer than three dozen times on victim devices, most of which were located in Israel, according to Google. Other victim devices resided in Georgia, Mexico and Turkey, among other countries. Users were probably tricked into downloading the malicious code, perhaps through a phishing attack. Once installed, the spyware can act as a keylogger and steal data from popular apps such as WhatsApp, Facebook and Gmail. In addition, it possesses a suicide function that will activate if it doesn't detect a mobile country code on the phone -- a sign that the Android OS is running on an emulator. The surveillance features are similar to those found in Pegasus, which has also been linked with NSO Group. At the time, Lookout called the spyware the most sophisticated attack it's ever seen on a device. The iOS variant exploited three previously unknown vulnerabilities to take over a phone and surveil the user. The spyware was uncovered when a human rights activist in the United Arab Emirates was found infected by it. His phone had received an SMS text message, which contained a malicious link to the spyware. But Lookout had also been investigating whether NSO Group developed an Android version. To find out, the security firm compared how the iOS version compromises an iPhone and matched those signatures with suspicious behavior from a select group of Android apps. Those findings were then shared with Google, which managed to identify who was affected.
However, unlike the iOS version, the Android variant doesn't actually exploit any unknown vulnerabilities. Instead, it taps known flaws in older Android versions. Chrysaor was never available on Google Play, and the small number of infected devices found suggests that most users will never encounter it, the search giant said.
I recently had a client get an interesting phishing message. They had received a fake message from their CEO to their Controller - a "start the conversation" email meant to end up with a wire transfer. This sort of email is not common, but is frequent enough in senior management circles, especially if you are in the middle of merger or acquisition discussions with another company. Some technical warning signs in that note were:

So the discussion quickly moved from "I'm glad our execs came to us, we really dodged a bullet there" to "just how did this get in the door past our spam filter anyway?" Their spam filter does use the SPF (Sender Policy Framework) DNS TXT record, and a quick check on the SPF indicated that things looked in order there. However, after a second look, the problem jumped right out. A properly formed SPF will end with a "-", which essentially means "mail senders in this SPF record are valid for this domain, and no others". However, their SPF had a typo - their record ended in a "~" instead. What the tilde character means to this spam filter is "the mail senders in this SPF record are valid for this domain, but YOLO, so is any other mail sender".

From the RFC (RFC 7208), the ~ means "softfail": "A "softfail" result is a weak statement by the publishing ADMD that the host is probably not authorized". More detail appears later in the RFC: "A "softfail" result ought to be treated as somewhere between "fail" and "neutral"/"none". The ADMD believes the host is not authorized but is not willing to make a strong policy statement. Receiving software SHOULD NOT reject the message based solely on this result, but MAY subject the message to closer scrutiny than normal." This same reasoning applies to the ~all and -all directives in the SPF (which I see more often).
You'd think that a lot has changed since 2006 (the date of the original SPF spec, RFC 4408), and that in 2017 a spam filter should fail on that result, but apparently not (sad panda). Kinda makes you wonder what the actual use case is for that tilde character in the definition - I can't think of a good reason to list permitted mail senders, then allow any and every other server too. That being said, their filter *should* still have caught the mismatch between the "from" and "reply-to" fields, especially since it involved an external source and internal domains. Or at least paired that up with the domain mismatch to weight this email towards a spam decision.

Long story short - this type of attack was pretty popular (and widely reported) about a year ago, but successful methods never (never ever) go away. A little bit of research can make for a really well-formed phish, right down to using the right people in the conversation, good grammar, and phrasing appropriate to the people involved. So a bit of homework can get an attacker a really nice payday, especially if their campaign targets a few hundred companies at a time (and they put more work into their email than the example above). So in this case, a typo in a DNS record could have cost millions of dollars. Good security training for the end users and vigilant people made all the difference - a phone call to confirm is a "must-do" step before doing something irrevocable like a wire transfer.
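As an added example (not the diary's own code) of what the tilde typo changes: a small Python audit that parses an SPF TXT record, reports the result unlisted senders get from the terminal `all` qualifier per RFC 7208, and evaluates a sender IP offline against ip4/ip6 terms (include/a/mx are skipped because they require DNS lookups). The two records and the IP addresses are constructed for the demonstration.

```python
import ipaddress

# RFC 7208 section 4.6.2: qualifier prefix -> evaluation result.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
WEAK_RESULTS = {"pass", "softfail", "neutral"}  # unlisted senders are not told "fail"

# Constructed sample records: the typo'd record from the diary and its corrected form.
RECORD_TYPO = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"
RECORD_FIXED = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    terms = []
    for token in record.split()[1:]:
        if "=" in token.split(":", 1)[0]:  # modifiers (redirect=, exp=) are not mechanisms
            continue
        qual = "+"  # an unqualified mechanism means "pass"
        if token[0] in QUALIFIERS:
            qual, token = token[0], token[1:]
        mech, _, arg = token.partition(":")
        terms.append((qual, mech.lower(), arg))
    return terms

def all_result(record):
    """Result a receiver reaches for a sender that matches no explicit mechanism."""
    for qual, mech, _ in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qual]
    return "neutral"  # RFC 7208 section 4.7: no match and no 'all' term -> neutral

def is_weak_policy(record):
    """True when the record lets unlisted senders through (the diary's ~all typo)."""
    return all_result(record) in WEAK_RESULTS

def evaluate_ip(record, sender_ip):
    """Offline check against ip4/ip6 terms only; include/a/mx need DNS and are skipped."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if mech == "all":
            return QUALIFIERS[qual]
    return "neutral"

if __name__ == "__main__":
    for rec in (RECORD_TYPO, RECORD_FIXED):
        print(rec, "->", all_result(rec), "weak" if is_weak_policy(rec) else "strict")
```

Running the audit over your own domains' TXT records is a cheap way to catch a ~all that was meant to be -all before a receiver's filter has to decide what "softfail" means.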