More stories

    Researchers create magstripe versions from EMV and contactless cards

    A British security researcher has proven this week that it is still possible in 2020 to create older-generation magnetic stripe (magstripe) cards using details found on modern chip-and-PIN (EMV) and contactless cards, and then use the cloned cards for fraudulent transactions.
    In a whitepaper named “It Only Takes A Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem,” Leigh-Anne Galloway, Head of Commercial Security Research at Cyber R&D Lab, tested modern card technologies from 11 banks from the US, the UK, and the EU.
    Galloway discovered that four of the 11 banks still issued EMV cards that could be cloned into a weaker magstripe version that could be abused for fraudulent transactions.

    Under normal circumstances, this should not be possible. EMV cards were designed to be hard to clone, primarily due to the secure chip included with each one.
    However, Galloway’s whitepaper explains, step by step, how to take data from an EMV card and create an older-generation magnetic stripe clone.

    This technique — of cloning a magstripe version from an EMV card — is not new and has been documented as far back as 2007.

    I demonstrated cloning from chip data to magstripe but the banks said that cards issued after 2008 would not be vulnerable and chip data would be “useless to the fraudster”. This new research shows that the problem still has not been fixed, 12 years on https://t.co/6VX8n84hDb
    — Steven Murdoch (@sjmurdoch) July 10, 2020

    Cloning magstripes from EMV data is, in fact, how many carding gangs still operate today.
    Crooks use skimmer or shimmer devices to collect data from EMV cards, create a magstripe clone, and then use that clone to make fraudulent transactions at Point-of-Sale (POS) systems or withdraw money from ATMs in third-world countries where EMV cards have not been rolled out and magstripe cards are still accepted.
    Banking industry still slow to adopt proper security practices
    In her whitepaper, Galloway explains why this is still possible.
    “First, the commonalities between magstripe and EMV standards for chip inserted and contactless mean that it’s possible to determine valid cardholder information from one technology and use it for another,” Galloway said.
    “Secondly, magstripe is still a supported payment technology, likely because the adoption of chip-based cards has been slow in some geographic regions around the world.
    “Third, although magstripe is a deprecated technology in many of the countries tested, cloned data is still effective because it is possible to cause the terminal and card to fallback to a magstripe swipe transaction,” the researcher added.
    “Finally, card security codes, a critical point of card verification, are not checked at the time of the transaction by all card issuers.”
    This last point is the most significant issue. As Galloway pointed out in a conversation on Twitter with this reporter, card security codes (the CSC, CVV, or CVC values printed on a card) should be unique per technology and should always be validated.

    The card security code (cvv etc) should actually be unique to the method: chip/nfc/mag stripe. The main point is that issuers do not correctly validate transaction data; as a result, skimmers and fraud are still big business
    — Leigh-Anne Galloway (@L_AGalloway) July 9, 2020

    While banks don’t have full control of what card/payment technologies are supported in other countries, and they’ll still have to support older technologies for legacy purposes, they have the power to verify transactions correctly.
    However, as Steven Murdoch, Research Fellow at University College London, also pointed out on Twitter, the reality is that banks still fail to enforce this simple rule, even now, in 2020.
    Transactions are still approved with the wrong security code, with a code from another card technology, and even without any code at all. Failing to properly verify security codes leaves the door open for carding gangs to keep operating by copying and downgrading newer EMV cards into magstripe clones, then abusing them overseas in countries where magstripe cards are still accepted.

    Back in 2007, UK issued cards had an exact copy of the magstripe on the chip. From 2008 cards were supposed to have a different CVV between the magstripe and the chip. However this new security feature is pointless if magstripe transactions with the wrong CVV are accepted!
    — Steven Murdoch (@sjmurdoch) July 10, 2020

    Galloway said that while the whitepaper focused on EMV cards, contactless (NFC-based) cards can also be abused in the same way to create magstripe clones for fraudulent transactions.
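    The issuer-side check the researchers say is missing, written here as an added example that is not from the whitepaper or from any bank's systems: the weak behaviour the article describes (a code from any technology, or no code at all, is accepted) next to the strict behaviour (the code must be present and must be the one derived for the technology the terminal reports). The issuer key, the test PAN, the HMAC-based derivation and the technology labels are constructed assumptions standing in for the DES-based CVV/iCVV scheme issuers actually use.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed issuer key for the example; real issuers keep card verification
# keys inside an HSM, never in source.
ISSUER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# The card-present technologies the article distinguishes.
TECHNOLOGIES = ("magstripe", "chip", "contactless")


def derive_security_code(key: bytes, pan: str, expiry: str,
                         service_code: str, technology: str) -> str:
    """Return the 3-digit code the issuer expects for one technology.

    Assumption: HMAC-SHA256 over the card data plus a technology label stands
    in for the DES-based CVV/iCVV derivations issuers really use. What matters
    for the check is that the same card data yields a different code per
    technology, so a value lifted from the chip is not valid on a swipe.
    """
    if technology not in TECHNOLOGIES:
        raise ValueError(f"unknown technology: {technology}")
    material = f"{pan}|{expiry}|{service_code}|{technology}".encode()
    digest = hmac.new(key, material, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


@dataclass
class AuthRequest:
    pan: str
    expiry: str                    # YYMM
    service_code: str
    entry_mode: str                # technology the terminal reports it read
    presented_code: Optional[str]  # security code carried in the message, if any
    fallback: bool = False         # terminal reports chip-to-magstripe fallback


@dataclass
class Decision:
    approved: bool
    reason: str


def weak_authorize(req: AuthRequest, key: bytes = ISSUER_KEY) -> Decision:
    """The behaviour the article criticises: the code is optional, and a value
    valid for *any* technology is accepted regardless of the entry mode."""
    if not req.presented_code:
        return Decision(True, "approved without security code")
    for tech in TECHNOLOGIES:
        expected = derive_security_code(key, req.pan, req.expiry, req.service_code, tech)
        if hmac.compare_digest(req.presented_code, expected):
            return Decision(True, f"approved: code matches {tech}")
    return Decision(False, "declined: code matches no technology")


def strict_authorize(req: AuthRequest, key: bytes = ISSUER_KEY) -> Decision:
    """Issuer-side check as the researchers say it should work: the code must
    be present and must be the one derived for the reported entry mode."""
    if not req.presented_code:
        return Decision(False, "declined: security code absent")
    expected = derive_security_code(key, req.pan, req.expiry, req.service_code, req.entry_mode)
    if hmac.compare_digest(req.presented_code, expected):
        note = " (fallback transaction, flag for monitoring)" if req.fallback else ""
        return Decision(True, f"approved: code valid for {req.entry_mode}{note}")
    # A mismatch that equals another technology's code is the fingerprint of a
    # cloned/downgraded card, worth alerting on rather than silently declining.
    for tech in TECHNOLOGIES:
        if tech == req.entry_mode:
            continue
        other = derive_security_code(key, req.pan, req.expiry, req.service_code, tech)
        if hmac.compare_digest(req.presented_code, other):
            return Decision(False, f"declined: {tech} code presented via {req.entry_mode}, possible clone")
    return Decision(False, "declined: security code invalid")


# Constructed sample card; the PAN is a well-known test number, not a real account.
CARD = dict(pan="4111111111111111", expiry="2512", service_code="201")


def sample_requests():
    """Three constructed authorization messages for the same card."""
    mag_code = derive_security_code(ISSUER_KEY, technology="magstripe", **CARD)
    chip_code = derive_security_code(ISSUER_KEY, technology="chip", **CARD)
    return {
        "genuine_swipe": AuthRequest(entry_mode="magstripe", presented_code=mag_code, **CARD),
        # Chip data written onto a magstripe and swiped after a forced fallback.
        "downgraded_clone": AuthRequest(entry_mode="magstripe", presented_code=chip_code,
                                        fallback=True, **CARD),
        "no_code": AuthRequest(entry_mode="magstripe", presented_code=None, **CARD),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:17} weak: {weak_authorize(req).reason:40} strict: {strict_authorize(req).reason}")
```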

    Amazon tells employees to remove TikTok from their phones due to security risk

    Online retail giant Amazon has told employees this week to uninstall the TikTok mobile app from the smartphones they use to access Amazon’s internal email servers.
    According to an email sent to employees today, and seen by ZDNet, workers have until July 10 to remove the TikTok app from their devices.
    The email cited a “security risk” to using the TikTok app, but didn’t go into details. The email’s full text is available below:
    “Due to security risk, the TikTok app is no longer permitted on mobile devices that access Amazon email. If you have TikTok on your device, you must remove it by 10-Jul to retain mobile access to Amazon email. At this time, using TikTok from your Amazon laptop browser is allowed.”
    An Amazon spokesperson did not immediately respond to a request for comment.

    In recent months, privacy and security experts have accused the TikTok app of collecting extensive swaths of user information from the devices on which it was installed — according to reverse engineers who posted their findings on Reddit, and mobile security firm Zimperium.
    Many have accused the Chinese app — without proof — of collecting information from users and passing it to the Chinese government.
    Although never proven, these accusations have created a general panic and wariness around the app, especially when used by officials and other high-value individuals.
    As a result of these accusations, since last year, TikTok has been banned by the US military, the Indian government, and the Indian army, just to name a few.

    Smartwatch tracker for the vulnerable can be hacked to send medication alerts

    Researchers have disclosed a set of serious security issues in a smartwatch tracker used in applications including services designed for the support of the elderly and vulnerable.

    On Thursday, cybersecurity experts from Pen Test Partners disclosed security problems found in the SETracker service, software geared towards children and the elderly — especially those with dementia or who need reminders to complete daily tasks, such as taking their medication.
    The GPS tracker app can be used in tandem with a smartwatch by carers to find their charges, and in turn, wearers can use the system to make a call if they need help. 
    Chinese developer 3G Electronics’ SETracker app, required to use the watches, is available on iOS and Android and has been downloaded over 10 million times. 

    However, security flaws in the product meant that it was not only carers or loved ones that could keep track of a wearer’s movements or activities. 
    The vendor’s software, of which there are now three mobile app varieties, is often used in the backend of cheap smartwatches on offer from a variety of brands. SETracker is also found in headsets and in the automotive software industry. 
    According to Pen Test Partners, the first major security issue was the discovery of an unrestricted server-to-server API. The server could be used to hijack the SETracker service in ways including, but not limited to, changing device passwords, making calls, sending text messages, conducting surveillance, and accessing cameras embedded in devices.
    If a monitor’s backend system is based on SETracker, it was possible to send fake messages including “TAKEPILLS” commands, which are set up to remind wearers to take their medication. 
    “A dementia sufferer is unlikely to remember that they had already taken their medication,” the researchers noted. “An overdose could easily result.”
    The researchers also came across the software’s source code, which was accidentally made publicly available via a compiled node file hosted online as a backup without protection. 
    Server-side code, MySQL passwords, email, SMS, and Redis credentials, and a hard-coded password in the source code — 123456 — were available to view. A database containing user images was also open to abuse. 
    “The source code indicated that this bucket was where ALL the pictures taken by devices are sent. We have not confirmed that,” Pen Test Partners says. “Given the use case of these devices is predominately children’s trackers it is extremely likely these images will contain images of children.”
    It is not known if any of the security issues have been exploited in the wild. 
    Pen Test Partners disclosed its findings to 3G Electronics on January 22. The vendor did not respond until February 12. Triage then followed with the disclosure of the server API vulnerabilities on February 17, which was then fixed a day later. 
    On May 20, the researchers reported the node file issue to the vendor, and on May 29, 3G Electronics confirmed that the file had been removed and all passwords had been changed. 


    KingComposer patches XSS flaw impacting 100,000 WordPress websites

    A reflected cross-site scripting (XSS) vulnerability impacting 100,000 websites has been patched in the KingComposer WordPress plugin. 

    KingComposer is a drag-and-drop page builder for WordPress-based websites that removes the need to write code for sites powered by the content management system (CMS).
    The Wordfence Threat Intelligence team discovered the XSS bug on June 25. Tracked as CVE-2020-15299 and assigned a severity score of 6.1, the security flaw was found in Ajax functions used by the plugin to provide page builder features.
    One of the Ajax functions was no longer in active use but could still be triggered by sending a POST request to a script called admin-ajax.php with an action parameter set to kc_install_online_preset.

    The function renders JavaScript from several request parameters, which it base64-decodes first.
    “As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser,” the researchers say. 
    Reflected XSS vulnerabilities rely on a victim to perform a particular action to trigger an attack. This can be achieved by serving malicious links that need to be clicked on, for example, and if successful, could lead to browser session hijacking or malware download and execution. 
    The Wordfence Threat Intelligence team attempted to contact the developers of the plugin a day after their discovery. However, there was no response, leading to the team reaching out directly to the WordPress Plugins team on June 25. By June 26, contact was made with the KingComposer developers and a patched version of the plugin, version 2.9.5, was released on June 29. 
    The security issue was resolved by removing the vulnerable, and obsolete, Ajax function.
    At the time of writing, 62.1% of users have updated to version 2.9.5, so 37.9% of websites with KingComposer enabled are still at risk of exploitation.


    Is Singapore ready to govern a digital population?

    As Singapore ramps up efforts to drive digitalisation across the local community, its government will need to transform the way it governs its population, which increasingly will access more information and demand answers as more of their personal data goes online. A change in mindset will also be necessary to ensure policies remain relevant and are truly adapted to a new digital economy and digital population. 
    Singapore over the past several years has invested significant resources towards becoming a digital economy, rolling out an ambitious smart nation roadmap, driving the adoption of emerging technologies, and overhauling its own ICT infrastructure. 
    With the global pandemic now adding new impetus to digital transformation, the government has made a concerted effort to drive digital adoption deeper into the business community and local population. 

    It established a new office to work alongside the business community and local population to push the “national digitalisation movement”. Initiatives would include the deployment of 1,000 “digital ambassadors” to help stallholders and seniors go digital and setting up of 50 digital community hubs across the island to offer one-to-one assistance on digital skills.
    A new ministerial committee will also coordinate the country’s digitalisation efforts and focus on priorities such as assisting people in learning new skills and galvanising small businesses to go digital. More funds and resources have been further directed to facilitate digital transformation initiatives.

    However, amidst the renewed urgency to go digital, the government has seemingly overlooked the need to also review how it engages and governs a population that will increasingly be connected and, as it hopes, digitalised.
    Take its recent plans for a COVID-19 contact tracing wearable device, for instance. When news about its development broke, several took to social media platforms to decry the potential invasion of their privacy and an online petition urged the public to reject its use. The outcry prompted the government to reveal more details about the device in hopes of easing privacy concerns, adding that its use would not be made mandatory — for now, at least. Some 10,000 units of the wearable device have since been distributed to the country’s elderly. 
    But while it has taken the time to explain its position and development of contact tracing tools, the Singapore government appears less patient when it involves other voices critical of its policies. 
    Specifically, it has used the Protection from Online Falsehoods and Manipulation Act (POFMA) against several of its political opponents, issuing five correction directions — four of which involved politicians or political platforms that opposed the government — within a month after the legislation kicked in last October. The fifth was issued to Facebook after the author of the alleged falsehood refused to comply with the original correction direction. 
    Multiple correction orders were issued this past week alone, as candidates went on their campaign trail for the country’s July 10 General Elections. 
    In dismissing early concerns that POFMA would be used to silence critics of the government, Singapore’s Minister for Communications and Information S. Iswaran said in May last year that similar concerns were raised when the class licensing scheme was introduced under the Broadcasting Act in 1966. But since then, Iswaran noted, industry regulator Infocomm Media Development Authority (IMDA) had issued 39 take-down notices, or just over one incident a year on average.
    So, is there now real cause for Singaporeans to worry about POFMA? This question will be increasingly relevant as the government’s digitalisation efforts pick up momentum and more go online and, correspondingly, begin airing their personal thoughts on social media and other online platforms, including statements that might be deemed to be falsehoods.
    How many more POFMA directives then may be issued? Will the POFMA Office be able to keep up?
    In addition, as more come online along with their personal data, more questions will be asked about why the government needs to collect citizens’ personal information, how it plans to use this data, and what recourse will citizens have should their data be breached while in the care of their government. 
    More transparency as well as accountability will be required on the government’s part, especially as emerging technologies such as artificial intelligence (AI) and facial recognition advance and become everyday reality. Without transparency, there is no trust. And without trust, as the government itself knows, it will be difficult to drive the adoption of technologies such as AI amongst the general population.

    In explaining why trust underpinned everything, whether it was data or AI, Iswaran himself had said: “Ultimately, citizens must feel these initiatives are focused on delivering welfare benefits for them and ensured their data will be protected and afforded due confidentiality.”
    However, it can be difficult to convince Singaporeans their data is truly protected — and afforded due confidentiality — when this data isn’t managed under the same Personal Data Protection Act (PDPA), which safeguards data held by the private sector, when it is used and managed by the public sector. 
    While the government has argued that this exemption is necessary to facilitate the smooth delivery of public services, and that government agencies are still accountable for the protection of citizen data, the fact remains that different laws are applied here. And as far as citizens’ personal data is concerned, this optic can stir up public scepticism and distrust — whether warranted or not. 
    In its desire to drive digitalisation nationwide, Singapore’s government has to realise a mindset change will also be required in the way it governs and engages its population. 
    If it fails to do this, it risks going the way of business transformation plans that neglected the importance of including leadership reform in its change management strategy.
    After all, the key word in digital transformation isn’t digital, but transformation. 
    And the reality is that 70% of large-scale transformation initiatives fail, often due to a lack of employee engagement and insufficient leadership support. Ensuring the long-term success of such projects also requires a major “reset in mindsets and behaviours”, something which few leaders are able to achieve, according to a McKinsey report.
    The consulting firm underscored the need to “upgrade the organisation’s ‘hard wiring’” because a digital environment not only required new ways of working, but also changes to the organisation’s overall culture. Leaders, too, needed to let go of old practices such as command-and-control supervision.
    For the Singapore government, this may mean recognising that criticism against its policies and officers isn’t necessarily a manifestation of a “trial by internet” culture. Sometimes, it simply reflects a desire amongst citizens who genuinely care about the country and want to see the nation correct its wrongs. 
    This is further demonstrated by the fact that some of these commentators no longer hide behind the anonymity of the internet and are willing to speak publicly under their true identity. It is reflective of an online community that has evolved and matured, and is deserving of a government that is willing to do the same.
    Should the government resist change within its own ranks, it risks alienating its citizens and may end up with a disengaged population. 
    In stressing the importance of strong leadership in digital transformation, consulting firm Deloitte states: “It is not enough to simply command that an organisation become more digital. The transformation must be driven by a shift in the leadership culture and people’s willingness to adapt and evolve. At a leadership level, this requires individuals who embrace uncertainty, who can connect across boundaries, who can visualise new possibilities, and who can ignite others behind an exciting vision for the future. Looking for these adaptable traits in your leadership is critical to facilitating the organisation’s adaptation to disruption.”
    As its voters head to the polls today, a question begs to be asked: Is Singapore ready for a digital population?

    Services Australia among those found breaching privacy laws

    The Office of the Australian Information Commissioner (OAIC) has made available the outcomes of its latest privacy complaint investigations, including a determination made against Services Australia.
    In the complaint against the CEO of Services Australia, Australian Information and Privacy Commissioner Angelene Falk found that the federal government department interfered with the complainant’s privacy as defined in the Privacy Act 1988 by breaching one of the guiding privacy principles.
    Specifically, the department disclosed the complainant’s personal information in breach of privacy principle 11.
    Australian Privacy Principle (APP) 11 requires an APP entity to take active measures to ensure the security of the personal information it holds, and to actively consider whether it is permitted to retain that information.
    The entity must also take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification, or disclosure; and it must take reasonable steps to destroy or de-identify the personal information it holds once that information is no longer needed for any purpose for which it may be used or disclosed under the APPs.

    However, this requirement does not apply where the personal information is contained in a Commonwealth record or where the entity is required by law or a court/tribunal order to retain the personal information.
    In her declaration, Falk said she found that Services Australia engaged in conduct constituting an interference with the privacy of the complainant; and must pay the complainant AU$3,000 for non-economic loss caused by the interference with the complainant’s privacy within 60 days of the date of determination. The determination was made on 30 June 2020.
    The complainant’s grievance relates to the collection of her personal information by the former Child Support Agency (CSA) and former department administering child support, and subsequent disclosure to the complainant’s ex-partner in 2012. Services Australia now administers child support.
    As explained by the OAIC, the complainant applied to CSA for a change of assessment to the amount of child support paid by her ex-partner. On receipt of the ex-partner’s objection review application, CSA collected the complainant’s personal information from her bank, but did not notify her of that action.
    The complainant applied to the Social Security Appeals Tribunal for a review of the objection decision, at which time CSA disclosed the complainant’s personal information to the Tribunal and to the ex-partner as part of the Tribunal review process.
    The complainant claimed that the bank statement revealed her personal information in the form of places she frequented. The complainant added that she feared harm from the ex-partner and that she had attempted to keep her location unknown to him.
    She had previously obtained a Family Violence Order against the ex-partner.
    The complainant was originally seeking compensation of AU$30,000.
    Other recent determinations made by Falk include compensation of AU$3,000 for non-economic loss and AU$2,000 for aggravated damages to a complainant over a breach of privacy principle 12 by a psychologist; and, over a breach of several privacy principles by a medical clinic, compensation of AU$10,000 for non-economic loss and AU$3,400 for economic loss to the first complainant and AU$3,000 for non-economic loss to the second complainant.

    CyberCX scoops up Basis Networks to expand security capabilities

    CyberCX, the group of security companies headed by two of the country’s technology and cyber veterans, has announced the acquisition of Melbourne-based Basis Networks.
    Basis Networks has a focus on securing mission-critical networks, with CyberCX CEO John Paitaridis saying the acquisition is aligned with his company’s strategy to accelerate the growth of its network security, managed services, integration, and engineering capability.
    The startup was stood up in 2015 and provides a broad suite of cybersecurity professional services to the likes of the Australian Energy Market Operator, Australia Post, JB Hi-Fi, Bupa, and McMillan Shakespeare.
    CyberCX told ZDNet that the Basis Networks team would join its venture and its co-founder and managing director Tom Allan would be assuming a senior leadership role based in Victoria upon the closure of the deal.
    Completion of the acquisition is subject to a small number of conditions, including regulatory approval, which should be completed in the coming weeks. The value of the deal is undisclosed.

    “We are pleased to add Basis Networks’ capabilities, experience, and customer-focused approach to CyberCX’s comprehensive security service offerings,” Paitaridis said. “Increasingly customers are looking for end-to-end solutions for their network, security, and cloud services. CyberCX is committed to working with customers to advise, build, implement and manage security solutions, we are committed to supporting organisations through the journey.”
    Allan, meanwhile, said joining CyberCX was a “natural fit” for his company.
    “Organisations are looking for a trusted sovereign partner to help them manage their cybersecurity risk. A combination of COVID-19 and recent targeted attacks from state-based actors reinforces the need for Australian businesses and government to urgently uplift cybersecurity capability.” Paitaridis added.
    “Corporate networks represent a key vulnerability for Australian businesses, especially with a large proportion of the economy engaged in remote working. Basis Networks’ reputation for providing highly secure network infrastructure and cloud solutions will strengthen CyberCX’s position as Australia’s leading cybersecurity service provider.”
    CyberCX, formed in October 2019 and backed by private equity firm BGH Capital, brought together 12 of Australia’s independent cybersecurity brands: Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co., Phriendly Phishing, Sense of Security, Shearwater, TSS, and YellIT.
    It is headed by Alastair MacGibbon, former head of the Australian Cyber Security Centre (ACSC) and once special adviser on cybersecurity to former Prime Minister Malcolm Turnbull, as well as Paitaridis, who was formerly Optus Business’ managing director.
    The Basis Networks acquisition follows CyberCX recently scooping up another Melbourne-based cybersecurity specialist startup Identity Solutions.

    Google bans stalkerware ads

    Google announced plans this week to ban ads that promote stalkerware, spyware, and other forms of surveillance technology that can be used to track other persons without their specific consent.
    The change was announced this week as part of an upcoming update to Google Ads policies, set to take effect next month, on August 11, 2020.
    Examples of products and services that advertisers won’t be able to promote via Google Ads anymore include:
    • Spyware and technology used for intimate partner surveillance, including but not limited to spyware/malware that can be used to monitor texts, phone calls, or browsing history;
    • GPS trackers specifically marketed to spy on or track someone without their consent;
    • Surveillance equipment (cameras, audio recorders, dash cams, nanny cams) marketed with the express purpose of spying.
    Google said that private investigation services or products designed for parents to track or monitor their underage children are not banned under this new policy and will still be allowed to be advertised on its platform.
    Offenders who promote stalkerware will receive a seven-day warning, after which they’ll be banned if they don’t remove the offending ads.
    Fight against stalkerware is picking up

    Google’s crackdown on stalkerware ads comes after the antivirus industry banded together to add detections for stalkerware products to their virus scanning engines.
    After improving their products, antivirus companies, along with several domestic abuse frontline organizations, also founded the ‘Coalition Against Stalkerware’ in November 2019, as the first global initiative of its kind, set up to raise awareness of the growing threat of stalkerware.
    For those unfamiliar with the term, stalkerware is a form of malware that belongs to the larger spyware class.
    Stalkerware refers to spyware apps designed to be installed by abusive partners on the devices of their loved ones without their knowledge or consent — hence why stalkerware is also sometimes referred to as spouseware.
    Stalkerware use has skyrocketed over the last decade due to the proliferation of smartphones, as it allows jealous partners to keep tabs on their partners at all times just by tracking their phone.
    Furthermore, the easy availability of stalkerware products on official app stores has also increased the visibility of these products and opened their reach to millions of potential users.
    While Google, Apple, antivirus makers, and the FTC have cracked down on some of these apps, they have not gone away for good, but are actually more popular than ever.
    According to statistics gathered by antivirus vendor Kaspersky, the number of users who had stalkerware-like apps installed on their Android devices rose from 40,386 devices detected in 2018 to more than 67,500 in 2019.
    The good news is that, according to independent antivirus testing lab AV-Comparatives and the Electronic Frontier Foundation, detection rates for stalkerware applications on Android and Windows devices have slowly improved, as the issue gains more press coverage and security vendors move in to address the growing risk.
    By limiting the visibility of stalkerware products on its advertising platform, Google has helped cut some of the traffic these malicious apps’ sites receive.