TLS Archives

Winsage

May 6, 2026

Defender Misflags DigiCert Root Certificates, Breaking Windows SSL Trust

On April 30, 2026, Microsoft Defender misclassified two legitimate DigiCert root certificates as a severe threat, specifically Trojan:Win32/Cerdigent.A!dha, leading to their quarantine and disrupting SSL/TLS validation across affected endpoints. This misclassification was a result of new malware detections introduced by Microsoft in response to concerns over compromised certificates from a DigiCert breach. The false-positive alerts were triggered by the registry entries of the two trusted root certificates, which are crucial for validating SSL/TLS sessions. Microsoft later acknowledged the error and adjusted the alert logic. There was no actual compromise of the DigiCert certificates, as administrators confirmed that the certificate hashes matched the official values. The misclassification stemmed from a failure to properly constrain the detection to only revoked end-entity signing certificates related to a separate incident. This incident follows a pattern of Microsoft Defender misidentifying legitimate software as malicious, as seen in a 2022 incident where Microsoft Office was flagged as a virus. Organizations with restrictive update policies may continue to face SSL/TLS validation failures until they deploy the corrective Security Intelligence version or manually restore the DigiCert roots.

AppWizard

May 6, 2026

Android Apps Get Public Verification System to Stop Supply Chain Attacks

Google has launched an enhanced Binary Transparency initiative for Android to strengthen the ecosystem against supply chain attacks. This initiative builds on the Pixel Binary Transparency framework introduced in October 2021, which ensures Pixel devices operate on verified OS software through a public cryptographic log of factory images. The new initiative aims to address the increasing sophistication of binary supply chain attacks, emphasizing that a binary's digital signature alone is insufficient for guaranteeing its authenticity. Starting May 1, 2026, all production Android applications released by Google will include a cryptographic entry confirming their authenticity. This initiative covers various Google applications and provides a transparent 'Source of Truth' for users to verify the software on their devices. Google is also offering verification tools for users and researchers to confirm the transparency state of supported software types, enhancing user privacy and security.

Winsage

May 5, 2026

Unpatched flaws turn Ollama’s auto-updater into a persistent RCE vector, researchers say

Researchers at Striga have identified two vulnerabilities (CVE-2026-42248 and CVE-2026-42249) in Ollama’s Windows auto-updater that could allow an attacker to install a persistent executable that runs at user login. CVE-2026-42248 fails to properly verify signatures of downloaded content, while CVE-2026-42249 is a path traversal flaw that allows an attacker to inject malicious code into the user's Startup folder. Exploitation requires control over the update response, with potential methods including compromising the update infrastructure or redirecting the client. The vulnerabilities affect Ollama versions 0.12.10 through 0.17.5, and users are advised to disable auto-updates and remove shortcuts from the Startup folder to mitigate risks.

AppWizard

May 5, 2026

FEMITBOT Network Abuses Telegram Mini Apps for Crypto Scams and Android Malware

A fraud network called FEMITBOT has emerged, using Telegram's Mini App feature to conduct investment scams and distribute malware. Identified by the research firm CTM360, the network operates through API responses and presents itself as organized. The scams involve Telegram Mini Apps that display phishing pages, fake dashboards showing fictitious earnings, and urgency tactics to pressure users into making quick decisions. FEMITBOT mimics well-known brands like Apple and Coca-Cola to enhance credibility and disseminates Android malware disguised as legitimate applications. The operation is highly organized, utilizing marketing tools to optimize their scams. Users are warned to be cautious of bots requesting deposits before granting access to funds.

AppWizard

May 3, 2026

Telegram Mini Apps abused for crypto scams, Android malware delivery

Cybersecurity researchers have identified a fraud operation named FEMITBOT that exploits Telegram’s Mini App feature to conduct various crypto scams, impersonate reputable brands, and distribute Android malware. This operation uses a unique string in API responses and employs Telegram bots with embedded Mini Apps to create convincing app-like experiences. The scams include fraudulent cryptocurrency platforms and financial services, with impersonation of brands like Apple, Coca-Cola, Disney, eBay, IBM, Moon Pay, NVIDIA, and YouKu. The operation utilizes a shared backend infrastructure, allowing multiple phishing domains to use the same API response. Users interacting with the bots are shown phishing pages within Telegram’s WebView, often featuring fake balances and urgency tactics to prompt deposits or referrals. Additionally, some Mini Apps attempt to distribute malware disguised as legitimate Android APKs. Users are advised to be cautious when engaging with Telegram bots related to cryptocurrency investments and to avoid sideloading APK files.

Tech Optimizer

April 27, 2026

Why developers are betting on Postgres for AI

Organizations are intensifying the development of AI applications and agents, which rely on access to existing enterprise data to avoid inaccuracies in responses, a phenomenon known as "hallucination." Jensen Huang, CEO of Nvidia, and Phillip Merrick, co-founder of pgEdge, emphasize that structured data is essential for AI effectiveness. PostgreSQL is highlighted as a preferred database for AI applications, with 66% of respondents in the Stack Overflow 2025 Developer Survey indicating they wish to continue using it. Merrick notes PostgreSQL's advantages, including its open-source model, scalability, and ability to handle both structured and unstructured data. The pgEdge toolkit supports the entire lifecycle of AI application development, including document ingestion and vector embedding generation. PostgreSQL offers deployment flexibility and robust security features, making it suitable for critical sectors like finance and healthcare.

AppWizard

April 3, 2026

Which messaging app takes the most limited approach to permissions on Android?

Messaging applications Messenger, Signal, and Telegram exhibit significant differences in permissions and operational behaviors that impact user privacy. Telegram has the fewest total permissions at 71, with 25 classified as dangerous; Signal requests 72 permissions, including 19 dangerous ones; and Messenger requests the most at 87, with 24 dangerous permissions. Messenger also has the highest number of vendor-specific unknown permissions. Access to sensitive resources is crucial for messaging functionalities, with permissions for contacts, camera, microphone, location, storage, and calendar being essential. Telegram and Messenger request additional system-level permissions, while Signal is more conservative and does not request certain permissions like phone-call control or overlay windows. The analysis, using the Mobile Security Framework (MobSF), indicates all three apps are in the medium risk category, with Messenger having more flagged issues. Telegram allows cleartext connections by default, potentially exposing traffic, while Signal uses encrypted connections by default and only permits limited cleartext traffic for certificate checks. Messenger's issues include world-writable files and remote debugging enabled in WebViews. Messenger uses third-party SDKs, while Signal and Telegram do not disclose third-party trackers. All three utilize Firebase Cloud Messaging for notifications without sensitive data leakage. Data exchange patterns show Messenger primarily routes traffic through North America, while Telegram and Signal focus on Europe with some additional connections in the U.S. and Asia.

Tech Optimizer

March 24, 2026

Gold Lapel launches PostgreSQL proxy to tune queries

Gold Lapel has introduced a PostgreSQL proxy that enhances database query performance by acting as an intermediary between applications and PostgreSQL databases. The proxy monitors live queries, identifies issues, and implements optimizations such as creating materialised views, introducing various index types, and rewriting queries. It supports over ten optimization strategies, seven programming languages, four frameworks, and three ORMs, and is available for Linux, macOS, Windows, and Docker. The software includes features like prepared statement caching, in-memory result caching, connection pooling, automatic read replica routing, and security measures including TLS. An observability layer provides a live web dashboard and audit timeline. The pricing model is USD 9 per month per instance, with a site license available for unlimited instances. Gold Lapel has also released a 19-chapter technical book on PostgreSQL performance optimization. The company was founded by Stephen Gibson and is based in San Francisco.

Tech Optimizer

March 11, 2026

Netflix Automates RDS PostgreSQL to Aurora PostgreSQL Migration Across 400 Production Clusters

Netflix has developed an internal automation platform to migrate Amazon RDS for PostgreSQL databases to Amazon Aurora PostgreSQL, reducing operational risks and downtime for nearly 400 production clusters. The platform allows service teams to perform migrations through a self-service workflow while ensuring processes like replication validation and rollback safeguards are maintained. Database access is managed through a platform-managed layer using Envoy, which standardizes mutual TLS and abstracts database endpoints, enhancing security and efficiency. The migration process starts with creating an Aurora PostgreSQL cluster as a read replica of the source RDS instance, initialized from a storage snapshot and continuously replaying write-ahead log (WAL) records. Validation checks are performed to ensure the replica can handle peak write throughput before cutover. For change data capture workloads, the system coordinates the state of replication slots and pauses CDC consumers to prevent excessive WAL retention. The Enablement Applications team at Netflix successfully migrated databases for device certification and partner billing workflows, addressing issues like elevated replication lag due to inactive logical replication slots. As replication lag decreases, the system enters a controlled quiescence phase, adjusts security rules, and reboots the source RDS instance. Once all transactions are processed and the Aurora replica is ready, it is promoted to a writable cluster, and traffic is rerouted. Rollback capabilities are prioritized, allowing redirection back to the original RDS instance if validation checks fail or anomalies are detected post-promotion. This setup enables seamless restoration without redeployment, and CDC consumers can resume from recorded slot positions if needed.

AppWizard

March 11, 2026

New BeatBanker Android malware poses as Starlink app to hijack devices

A newly identified Android malware called BeatBanker disguises itself as a Starlink application on fake Google Play Store websites. It functions as a banking trojan and includes Monero mining capabilities, allowing it to steal credentials and manipulate cryptocurrency transactions. Researchers at Kaspersky traced BeatBanker to campaigns targeting users in Brazil. The latest version uses the BTMOB RAT for remote access, enabling keylogging, screen recording, camera access, GPS tracking, and credential capture. BeatBanker is distributed as an APK file that decrypts and loads hidden code into memory, conducting environment checks before activation. It presents a fake Play Store update screen to trick users into granting permissions for additional payloads. To avoid detection, it delays malicious operations and plays a nearly inaudible MP3 file to maintain persistent activity. The malware uses a modified version of the XMRig miner to mine Monero on Android devices, connecting to mining pools through encrypted TLS connections. It can start or stop mining based on device conditions and uses Firebase Cloud Messaging to relay device information to its command-and-control server. Currently, BeatBanker infections have only been observed in Brazil, but there are concerns about its potential spread. Users are advised to avoid side-loading APKs from untrusted sources and to review app permissions regularly.