Lost+Found: Fake apps, keyjacking and traces of Tor
Too short for news, too good to lose; Lost+Found is a roundup of useful and interesting security news. In this edition: Bad apps in sheep's clothing, keyjacking, a $20,000 Facebook hole, an exploit source, traces of Tor, and a birthday celebration.
- Hacktivists circulated a manipulated version of Jay Z's Magna Carta Holy Grail Android app that, according to McAfee, served up a very special surprise: on Independence Day last Thursday, it apparently tried to set Barack Obama's portrait as the smartphone's background picture, accompanied by the message "Yes we scan!" It also installed a corresponding "NSAListenerService".
- Symantec has discovered a "Password Wifi Hacker Plus" Android app that promises to crack encrypted Wi-Fi passwords; however, potential users are destined to fail: the app only pretends to offer cracking features – it actually shares the smartphone owner's personal details with six advertising networks.
- Clickjacking – the hijacking of mouse clicks via specially crafted web pages – isn't enough for security researcher Rosario Valotta. He's also after the user's keyboard inputs. Valotta's proof-of-concept tricks Internet Explorer users into confirming a download dialog by activating "Run" while they fill in a captcha.
- Facebook accounts that were linked to a user's mobile phone could be completely taken over using SMS text message commands. Facebook paid $20,000 for the hole through their bug bounty programme.
- WICAR.org offers ready-to-use browser exploits that allow users to test their system security – use them at your own risk.
- Tor co-developer Runa A Sandvik looked for traces of the Tor browser bundle on various platforms and found a sizeable number of them.
- MySQL bug #20786 has just had its seventh birthday. Let's celebrate!
(sno)