The April 2021 Android security bulletin published this week by Google describes more than 30 vulnerabilities in the mobile operating system, including a remote code execution flaw in the System component. Tracked as CVE-2021-0430 and affecting Android 10 and 11, the code execution vulnerability is deemed critical severity. The bug was patched as part of the 2021-04-01 security patch level. “The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains in its advisory. Five other vulnerabilities were addressed in the System component: three elevation of privilege and two information disclosure issues. All of these feature a severity rating of high. The 2021-04-01 security patch level also brings patches for 12 other high-severity vulnerabilities: nine in the Framework component (seven elevation of privilege and two information disclosure bugs), and three in the Media framework (one elevation of privilege and two information disclosure issues). The second part of this month’s set of patches, which arrives on devices as the 2021-04-05 security patch level, includes fixes for 18 vulnerabilities, in System (two high-severity bugs), Kernel components (two high-severity flaws), MediaTek components (one high-severity issue), Qualcomm components (one high-severity bug), and Qualcomm closed-source components (one critical and 11 high-severity vulnerabilities). This week, Google also announced new security patches for Pixel devices, which include fixes for three vulnerabilities in Framework (two elevation of privilege flaws) and Qualcomm components. All three feature severity ratings of moderate. Devices running a security patch level of 2021-04-05 or later have fixes for all of the issues associated with this security patch level, as well as with previous patch levels. On Pixel devices, a security patch level of 2021-04-05 addresses all vulnerabilities in the April 2021 and previous Pixel security bulletins as well.

The use of cookies to track where people go, what they do, and what they buy online was always a focus of many privacy activists. The online giant, however, said its "Sandbox" program would still assist advertisers in delivering targeted messages. Google announced that it has made progress in phasing out third-party cookies on its search website in an effort to boost online privacy. What happened? Google plans to end its support for third-party tracking features from its Chrome internet browser. The feature was often used by businesses to track people's online activities. However, it is a steady process that may take two years. The online giant, however, said its "Sandbox" program would still assist advertisers in delivering targeted messages. 2.

The vulnerability only affects the devices that are running iOS 12 or later versions. The security flaw has a CVSS score of 9.8. Google Project Zero security researchers have published technical details on the critical iMessage vulnerability that was addressed last year. Tracked as CVE-2019-8641, the vulnerability is considered ‘critical’ and has a CVSS score of 9.8. The vulnerability only affects the devices that are running iOS 12 or later versions. It could be exploited by a remote attacker to cause unexpected application termination or arbitrary code execution.

The new threat group impersonates company CFOs, requesting an updated aging report from companies' financial department staff. There should be a multi-layered approach to email security to prevent scams by impersonation. A hacker group called Ancient Tortoise was reportedly found targeting accounts receivable specialists for hoodwinking them into obtaining information on customers via aging reports. What is an aging report? An aging report is a collection of outstanding invoices of users that help a company's financial department keep track of unpaid bills of customers for the goods or services bought on credit. Attackers’ trick Researchers at Agari Cyber Intelligence Division (ACID) have revealed Ancient Tortoise’s intent to scam customers after collecting their information using aging reports from organizations. The new threat group would impersonate a company's CFO requesting the specialist an updated aging report altogether. By not asking the employee to change payment accounts, in the beginning, is a tactic to win the trust first. The attackers also mimic the names and free email accounts of the firm's CFO to further strengthen their hoax.