Hello, welcome to the Tuesday, April 2nd, 2019 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Orich, and I'm recording from Jacksonville, Florida.

We've got a quick diary today by DDA with a common false positive that people run into analyzing PDFs created with

open office or Libra office. These PDFs commonly do include an open action. Now this open

action is often found in malicious PDFs because it is then used to execute

JavaScript that's embedded in the PDF.

In the case of Open Office, this is however not the case, the open action is used to just

display the first page at the right zoom level. This is in line with

the PDF standard and the DA has next served from the particular PDF documentation. And Google

released an update for Android.

This update does fix two critical vulnerabilities in the media framework, a high one in

framework, and then another eight high severity vulnerabilities in system.

The high severity vulnerabilities typically allow for approach escalation while the

two critical vulnerabilities in media framework do allow for remote code execution. And of course

you may have to wait for your carrier to offer these patches for you. They do affect Android 7.0 through 9.

Talking about Android, some pretty ingenious Android Malver apparently is making the rounds in Asia.

In this particular case, the Android application is interfering with calls to specific phone

numbers. The way this application apparently has been used is that after a user installed

it on their phone, typically assuming that it is actually a valid application from their bank. If the victim now is

making a voice call to the bank's official phone number, this call is actually rerouted to the attacker.

This of course now gives the attacker the chance to be very plausible and believable because the victim

thinks that they did what they were supposed to.

...