CyberSecurity news

FlagThis - #android

Bill Toulas@BleepingComputer //
A new malware-as-a-service (MaaS) platform, called 'SuperCard X', has surfaced, targeting Android devices. This malware leverages Near-Field Communication (NFC) relay attacks to facilitate unauthorized point-of-sale (POS) and Automated Teller Machine (ATM) transactions. It operates by using compromised payment card data obtained through social engineering tactics. Victims are often lured into downloading a malicious application via SMS or phone calls, which then captures payment card data when the card is in proximity to the infected device.

This sophisticated Android-based malware is part of a fraud campaign that combines social engineering, malware distribution, and NFC data interception. The data captured is relayed in real-time through a Command and Control (C2) infrastructure to an attacker-controlled device, enabling immediate fraudulent cash withdrawals and purchases. The malware’s architecture includes two applications: “Reader” for capturing NFC card data and “Tapper” for receiving this data and performing the fraud. Communication between these apps uses HTTP over a C2 infrastructure, which employs mutual TLS (mTLS) to secure and authenticate connections.

SuperCard X exhibits a low detection rate among antivirus solutions due to its narrow focus on NFC data capture and minimal permission requirements. Cleafy Threat Intelligence researchers identified code similarities between SuperCard X and the open-source NFCGate tool, as well as another Android malware called NGate. This type of attack represents a significant escalation in fraud capabilities, extending beyond the usual targets of banking institutions to directly impact payment providers and card issuers.

Recommended read:
References :
  • gbhackers.com: New Android SuperCard X Malware Uses NFC-Relay Technique for POS & ATM Transactions
  • BleepingComputer: A new malware-as-a-service (MaaS) platform named 'SuperCard X' has emerged, targeting Android devices via NFC relay attacks that enable point-of-sale and ATM transactions using compromised payment card data.
  • The DefendOps Diaries: Explore SuperCard X, a sophisticated mobile malware using NFC relay attacks and minimal permissions to evade detection.
  • Cyber Security News: New Android SuperCard X Malware Employs NFC-Relay Technique for Fraudulent POS & ATM Withdrawals
  • gbhackers.com: New Android SuperCard X Malware Uses NFC-Relay Technique for POS & ATM Transactions
  • BleepingComputer: New Android malware steals your credit cards for NFC relay attacks
  • cybersecuritynews.com: CyberscurityNews reports New Android SuperCard X Malware Employs NFC-Relay Technique for Fraudulent POS & ATM Withdrawals
  • www.cleafy.com: Cleafy Labs reports SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation
  • Secure Bulletin: SuperCard X: exposing a MaaS for NFC Relay fraud operation
  • securebulletin.com: SuperCard X: exposing a MaaS for NFC Relay fraud operation
  • www.bleepingcomputer.com: New Android malware steals your credit cards for NFC relay attacks
  • BleepingComputer: A new malware-as-a-service (MaaS) platform named 'SuperCard X' has emerged, targeting Android devices via NFC relay attacks that enable point-of-sale and ATM transactions using compromised payment card data.
  • bsky.app: Talkback Threat Summary for Android SuperCard X Malware Uses NFC-Relay Technique for POS & ATM Transactions
  • securityaffairs.com: New sophisticate malware SuperCard X targets Androids via NFC relay attacks
  • The Hacker News: SuperCard X Android Malware Enables Contactless ATM and PoS Fraud via NFC Relay Attacks
  • www.scworld.com: Novel SuperCard X MaaS platform leveraged for payment card compromise
  • ciso2ciso.com: New sophisticate malware SuperCard X targets Androids via NFC relay attacks – Source: securityaffairs.com

@NCSC News Feed //
A coalition of governments, including the UK, US, Australia, Canada, Germany, and New Zealand, has issued an alert regarding the use of BADBAZAAR and MOONSHINE spyware. These sophisticated tools are being used to target civil society groups and ethnic minorities, specifically Uyghur, Taiwanese, and Tibetan communities. The spyware is embedded within seemingly legitimate Android applications, effectively acting as Trojan malware to gain unauthorized access to sensitive data. These malicious apps are designed to appear harmless, often mimicking popular apps or catering to specific interests of the targeted groups.

These spyware families are capable of accessing a wide range of information on infected devices, including location data, microphone and camera feeds, messages, photos, and other stored files. The UK's National Cyber Security Centre (NCSC) has stated that the targeted individuals are those connected to topics considered a threat to the Chinese state, such as Taiwanese independence, Tibetan rights, Uyghur Muslims, democracy advocacy, and the Falun Gong spiritual movement. The indiscriminate nature of the spyware's spread raises concerns that infections may extend beyond the intended targets, potentially affecting a broader range of users.

The advisory includes a list of over 100 malicious Android apps that have been identified as carrying the BADBAZAAR and MOONSHINE spyware. These apps often masquerade as Muslim and Buddhist prayer apps, chat applications like Signal, Telegram, and WhatsApp, or utility apps like Adobe Acrobat PDF reader. To mitigate the risk, individuals are urged to download apps only from official app stores, keep their devices and apps up to date, avoid rooting or jailbreaking their devices, and carefully review app permissions before installation. The NCSC and its partners continue to monitor the activities of these malicious cyber actors and provide guidance to help individuals protect themselves from these evolving threats.

Recommended read:
References :
  • thecyberexpress.com: Global Cybersecurity Agencies Warn of Spyware Targeting Uyghur, Tibetan, and Taiwanese Communities
  • ComputerWeekly.com: NCSC issues warning over Chinese Moonshine and BadBazaar spyware
  • NCSC News Feed: BADBAZAAR and MOONSHINE: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors
  • Danny Palmer: The NCSC has put out a warning on how malicious cyber actors are using two forms of spyware - dubbed MOONSHINE and BADBAZAAR - hiding in otherwise legit mobile apps to target individuals in Uyghur, Tibetan and Taiwanese communities as well as civil society groups.
  • Zack Whittaker: A coalition of global governments have identified dozens of Android apps that are bundled with the prolific BadBazaar and Moonshine spyware strains, which they say are targeting civil society who oppose China's state interests.
  • techcrunch.com: Governments identify dozens of Android apps bundled with spyware
  • Threats | CyberScoop: BadBazaar and Moonshine malware targets Taiwanese, Tibetan and Uyghur groups, U.K. warns
  • techcrunch.com: Governments warn of BadBazaar and Moonshine spyware, MSFT issued fixes for at least 121 flaws, Scattered Spider persists after arrests, UK probes suicide forum, Hackers abuse SourceForge to distribute malware, Dutch gov't to screen researchers and students for espionage risks, much more
  • NCSC News Feed: The NCSC has put out a warning on how malicious cyber actors are using two forms of spyware - dubbed MOONSHINE and BADBAZAAR - hiding in otherwise legit mobile apps to target individuals in Uyghur, Tibetan and Taiwanese communities as well as civil society groups.
  • securityonline.info: Spyware Alert: BADBAZAAR and MOONSHINE Target Civil Society and Ethnic Groups
  • cyberscoop.com: BadBazaar and Moonshine malware targets Taiwanese, Tibetan and Uyghur groups, U.K. warns
  • Tenable Blog: Tenable Blog on Mobile Spyware Attacks
  • cyberinsider.com: CyberInsider article on Western intelligence agencies exposing Chinese spyware

Bill Mann@CyberInsider //
Google has released its April 2025 Android security update, addressing a total of 62 vulnerabilities. This includes fixes for two actively exploited zero-day vulnerabilities. The security bulletin addresses vulnerabilities across system components, the Linux kernel, and third-party hardware drivers, highlighting the importance of applying updates promptly. The two high-severity zero-days were reportedly used in targeted surveillance operations.

The exploited vulnerabilities are identified as CVE-2024-53150 and CVE-2024-53197. CVE-2024-53150 is an Android Kernel information disclosure vulnerability caused by an out-of-bound read weakness, potentially allowing local attackers to access sensitive information. CVE-2024-53197 is a high-severity privilege escalation flaw in the Linux kernel’s USB-audio driver for ALSA devices.

The privilege escalation flaw, CVE-2024-53197, was reportedly exploited by Serbian authorities to unlock confiscated Android devices. This was part of a zero-day exploit chain developed by Cellebrite, an Israeli digital forensics company. The exploit chain also included CVE-2024-53104, patched in February 2025, and CVE-2024-50302, patched last month. With this latest update, all three vulnerabilities in that chain are now fixed. Users are advised to apply the updates as soon as they are released by Android original equipment manufacturers (OEMs).

Recommended read:
References :
  • CyberInsider: Google Patches Actively Exploited Android Zero-Day Vulnerabilities
  • discuss.privacyguides.net: Google just fixed two critical Android zero-days and 60 other flaws
  • The Hacker News: Google Releases Android Update to Patch Two Actively Exploited Vulnerabilities
  • BleepingComputer: Google fixes Android zero-days exploited in attacks, 60 other flaws
  • securityaffairs.com: Google addressed 62 vulnerabilities with the release of Android ‘s April 2025 security update, including two actively exploited zero-days.
  • cyberinsider.com: Google’s April 2025 Android Security Bulletin addresses 60 vulnerabilities across system components, the Linux kernel, and third-party hardware drivers, including two high-severity zero-days that have been actively exploited in targeted surveillance operations.
  • Threats | CyberScoop: Google addresses 2 actively exploited vulnerabilities in security update
  • techcrunch.com: Google fixes two Android zero-day bugs actively exploited by hackers
  • Malwarebytes: Google fixes two actively exploited zero-day vulnerabilities in Android
  • cyberscoop.com: Google addresses 2 actively exploited vulnerabilities in security update
  • techcrunch.com: Google fixes two Android zero-day bugs actively exploited by hackers
  • MSSP feed for Latest: Google Patches Two Zero-Days in April 2025 Android Security Update
  • infosec.exchange: NEW: Google has pushed out patches for two zero-days that were being (and may still be) exploited in the wild. Amnesty previously found that one of them was being used against a student activist in Serbia, by Serbian authorities armed with Cellebrite.
  • Cyber Security News: Google addressed 62 vulnerabilities with the release of Android ‘s April 2025 security update, including two actively exploited zero-days.

@The DefendOps Diaries //
A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, raising significant cybersecurity concerns. This sophisticated malware, initially identified in 2016, has evolved to embed itself deeply into the Android system framework, making it difficult for users to detect or remove. Discovered on counterfeit versions of popular smartphone models sold at discounted prices through online stores, Triada poses a severe threat as it can steal user data immediately after device setup.

Triada's capabilities include stealing user data, such as social media and messenger accounts, and manipulating cryptocurrency transactions by replacing wallet addresses. The malware can also falsify caller IDs, monitor browser activity, and even activate premium SMS services. Experts warn that this new version infiltrates the device at the firmware level, indicating a compromised supply chain and urging users to exercise caution and purchase Android devices from reputable sources.

Recommended read:
References :
  • bsky.app: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • BleepingComputer: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • The DefendOps Diaries: Explore the threat of Triada malware in counterfeit Android devices and learn how to protect against this sophisticated cyber threat.
  • BleepingComputer: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • www.it-daily.net: Triada Trojan discovered on counterfeit Android smartphones
  • PCMag UK security: Counterfeit Android Phones Preloaded With a Special Surprise: Malware
  • Sam Bent: Triada Malware Preloaded on Counterfeit Androids Hijacks 2,600+ Devices for Crypto Theft and Espionage
  • www.scworld.com: Updated Triada trojan compromises thousands of Android devices
  • securityaffairs.com: New Triada Trojan comes preinstalled on Android devices
  • The Hacker News: Triada Malware Preloaded on Counterfeit Android Phones Infects 2,600+ Devices
  • Cyber Security News: Trinda Malware Infects Android Devices to Manipulate Phone Numbers During Calls
  • Cyber Security News: New Triada Malware Attacking Android Devices to Replaces Phone Numbers During Calls
  • www.techradar.com: Dodgy Android smartphones are being preloaded with Triada malware

do son@securityonline.info //
A new "ClickFake Interview" campaign, attributed to the Lazarus Group, is targeting professionals in the cryptocurrency sector with fraudulent job offers. Security researchers at Sekoia discovered the operation, revealing that threat actors impersonate recruiters on platforms like LinkedIn and X (formerly Twitter) to lure victims into fake job interviews. These interviews are designed to trick candidates into opening malicious documents or clicking on compromised links, ultimately leading to malware infection and potential data theft.

The malware, dubbed "ClickFix" or sometimes distributed through the GolangGhost backdoor, grants attackers remote access to compromised systems. This allows the Lazarus Group to steal sensitive information, including cryptocurrency wallet credentials, execute arbitrary commands, and maintain persistent access. Sekoia warns that this campaign reflects a new Lazarus strategy targeting cryptocurrency industry employees, even those with limited technical expertise, making them less likely to detect malicious activity during the interview process. Professionals are advised to verify recruiter identities, avoid downloading files from unknown sources, and utilize endpoint protection to mitigate risks.

Recommended read:
References :
  • : New “ClickFake Interview” campaign attributed to the Lazarus Group targets crypto professionals with fake job offers
  • www.scworld.com: ClickFix technique leveraged in new crypto-targeted Lazarus attacks
  • Virus Bulletin: Sekoya researchers discovered a ClickFake Interview campaign targeting job seekers with fake job interview websites. The infrastructure aligns with technical indicators linked to the Contagious Interview campaign and delivers GolangGhost backdoor for Windows & macOS
  • Security Risk Advisors: Lazarus Uses “ClickFake Interviewâ€� to Distribute Backdoors via Fake Crypto Job Websites
  • The Hacker News: Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware

rohansinhacyblecom@cyble.com //
A new Android banking trojan called Crocodilus has been discovered, targeting users in Spain and Turkey. Cybersecurity experts warn that this sophisticated malware employs advanced techniques like remote control, black screen overlays, and data harvesting through accessibility logging. Crocodilus is designed to facilitate device takeover and conduct fraudulent transactions, masquerading as Google Chrome to bypass Android 13+ restrictions.

Once installed, Crocodilus requests access to Android's accessibility services and connects to a remote server for instructions and a list of targeted financial applications. The malware steals banking and crypto credentials by displaying HTML overlays and monitors all accessibility events to capture screen contents, including Google Authenticator details. Crocodilus conceals malicious activities using a black screen overlay and muting sounds to avoid detection.

Recommended read:
References :
  • cyble.com: TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications
  • thehackernews.com: New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials
  • gbhackers.com: “Crocodilusâ€� A New Malware Targeting Android Devices for Full Takeover
  • securityaffairs.com: The new Android trojan Crocodilus exploits accessibility features to steal banking and crypto credentials, mainly targeting users in Spain and Turkey.
  • ciso2ciso.com: Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that’s primarily designed to target users in Spain and Turkey.
  • BleepingComputer: A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.
  • The DefendOps Diaries: Discover how Crocodilus malware exploits Android devices, threatening cryptocurrency security with advanced RAT capabilities and social engineering.
  • cointelegraph.com: Android malware ‘Crocodilus’ can take over phones to steal crypto
  • Talkback Resources: TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications
  • www.scworld.com: Advanced Crocodilus Android trojan emerges Widely known cryptocurrency wallets, as well as banks in Spain and Turkey, have already been targeted in attacks involving the novel sophisticated Crocodilus Android trojan, which combines bot and remote access trojan capabilities to facilitate banking and cryptocurrency credential compromise, according to Security Affairs.
  • Metacurity: The new Android trojan Crocodilus exploits accessibility features to steal banking and crypto credentials, mainly targeting users in Spain and Turkey.
  • Blog: New Crocodilus malware snaps up crypto wallets
  • thecyberexpress.com: Cyble researchers have discovered a new Android banking trojan that uses overlay attacks and other techniques to target more than 750 applications, including banking, finance, cryptocurrency, payment, social media, and e-commerce applications.
  • securityonline.info: Android Under Attack: Crocodilus Trojan Captures OTPs from Google Authenticator
  • www.cysecurity.news: New Android Banking Trojan 'Crocodilus' Emerges as Sophisticated Threat in Spain and Turkey

rohansinhacyblecom@cyble.com //
A new Android malware named Crocodilus has been discovered targeting cryptocurrency users, primarily in Spain and Turkey. Cybersecurity researchers have found that Crocodilus employs sophisticated techniques, including remote control capabilities, black screen overlays, and advanced data harvesting through accessibility logging. The malware is designed to steal banking and cryptocurrency credentials, posing a significant threat to Android users in these regions.

Crocodilus tricks users into divulging their cryptocurrency wallet seed phrases by displaying a fake warning urging them to back up their keys to avoid losing access. It also exploits accessibility features to monitor app launches, display overlays to intercept credentials, and capture screen contents, including Google Authenticator OTP codes. This allows attackers to gain full control of wallets and drain assets. The malware also features call and SMS control, device admin and persistence, social engineering, and remote commands and settings update capabilities.

ThreatFabric researchers note that Crocodilus exhibits a high level of maturity for a newly discovered threat, demonstrating advanced device takeover capabilities. The malware is distributed via a proprietary dropper that bypasses Android 13 security protections and installs the malware without triggering Play Protect. Analysis of the source code suggests that the malware author is Turkish-speaking.

Recommended read:
References :
  • BleepingComputer: A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.
  • securityaffairs.com: Experts warn of the new sophisticate Crocodilus mobile banking Trojan
  • thehackernews.com: Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that's primarily designed to target users in Spain and Turkey.
  • BleepingComputer: A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.
  • www.scworld.com: Advanced Crocodilus Android trojan emerges Widely known cryptocurrency wallets, as well as banks in Spain and Turkey, have already been targeted in attacks involving the novel sophisticated Crocodilus Android trojan, which combines bot and remote access trojan capabilities to facilitate banking and cryptocurrency credential compromise, according to Security Affairs.
  • Blog: New Crocodilus malware snaps up crypto wallets
  • The420.in: Crypto Under Attack: Crocodilus Malware Targets Android Users
  • securityonline.info: Android Under Attack: Crocodilus Trojan Captures OTPs from Google Authenticator
  • www.cysecurity.news: New Android Banking Trojan 'Crocodilus' Emerges as Sophisticated Threat in Spain and Turkey

info@thehackernews.com (The@The Hacker News //
A new Android malware campaign, potentially linked to previous attacks targeting Indian military personnel, has been identified focusing on users in Taiwan. The malware, known as PJobRAT, is an Android Remote Access Trojan (RAT) that steals sensitive data. It operates by disguising itself as legitimate chat applications, tricking users into installation. Once installed, PJobRAT can extract SMS messages, phone contacts, device information, documents, and media files from infected devices, enabling deep surveillance and remote control.

Researchers at Sophos X-Ops uncovered this recent campaign, observing activity from January 2023 to October 2024. The malicious chat apps, named SangaalLite and CChat, were distributed through compromised WordPress sites. While this particular campaign may be paused, it illustrates that threat actors often retool and retarget after an initial campaign, improving their malware and adjusting their approach before striking again. Users are advised to avoid installing apps from untrusted sources and employ mobile security solutions for protection.

Recommended read:
References :
  • ciso2ciso.com: PJobRAT Malware Campaign Targeted Taiwanese Users via Fake Chat Apps – Source:thehackernews.com
  • The Hacker News: An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign likely aimed at users in Taiwan under the guise of chat apps.
  • www.infosecurity-magazine.com: PJobRAT malware targets Taiwan Android users, stealing data through fake messaging platforms
  • Sophos X-Ops: Back in 2021, researchers reported on PJobRAT, an Android RAT targeting Indian military personnel by imitating various dating and instant messaging apps. After that, everything seemed to go quiet. But during a recent threat hunt, Sophos X-Ops researchers uncovered a more recent PJobRAT campaign appearing to target users in Taiwan – the earliest sample being Jan 2023, and the most recent in October 2024.
  • Cyber Security News: Sophos X-Ops researchers have uncovered a new campaign involving PJobRAT, an Android Remote Access Trojan (RAT) first observed in 2019. This latest iteration, which appeared to target users in Taiwan, disguised itself as instant messaging apps such as ‘SangaalLite’ and ‘CChat’.
  • gbhackers.com: PJobRAT, an Android Remote Access Trojan (RAT) first identified in 2019, has resurfaced in a new campaign targeting users in Taiwan.
  • Sophos News: PJobRAT makes a comeback, takes another crack at chat apps
  • Sophos X-Ops: We can’t confirm how users were directed to these sites, but PJobRAT previously used a variety of tricks, including third-party app stores, link shortening, phishing pages, fictitious personae, and posting links on forums. Once on a user’s device, the malware requests various permissions, and can steal SMS messages, phone contacts, device and app info, documents, and media files. The latest variant does not have a built-in function for stealing WhatsApp messages. But it does have a new functionality – running shell commands. This greatly increases the malware’s capabilities.

@www.silentpush.com //
A sophisticated phishing campaign, suspected to be backed by Russian Intelligence Services, has been uncovered targeting individuals sympathetic to Ukraine, including Russian citizens and informants. The operation involves creating fake websites impersonating organizations such as the CIA, the Russian Volunteer Corps (RVC), Legion Liberty, and "Hochuzhit" ("I Want to Live"), an appeals hotline for Russian service members operated by Ukrainian intelligence. These deceptive sites aim to collect personal information from unsuspecting visitors, exploiting anti-war sentiment within Russia, where such activities are illegal and punishable by law.

Researchers at Silent Push discovered four distinct phishing clusters using tactics such as static HTML, JavaScript, and Google Forms to steal data. The threat actors are utilizing a bulletproof hosting provider, Nybula LLC, to host the fake websites, which are designed to mimic legitimate organizations. The goal is to gather intelligence and potentially identify dissidents within Russia. The campaign highlights the ongoing digital dimension of the Russia-Ukraine conflict and underscores the need for increased vigilance and improved digital hygiene among potential targets.

Recommended read:
References :
  • gbhackers.com: reports on the Russian attempts to steal Ukraine Defense Intelligence data
  • hackread.com: Russian Phishing Uses Fake CIA Sites to Target Anti-war, Ukraine Supporters
  • www.silentpush.com: Russian Intelligence Service-backed Campaigns Impersonate the CIA to Target Ukraine Sympathizers, Russian Citizens and Informants
  • Cyber Security News: In a sophisticated cyber espionage campaign recently uncovered, Russian hackers have been impersonating the U.S. Central Intelligence Agency (CIA) and other organizations to harvest sensitive information from Ukrainian sympathizers and potential Russian defectors.
  • securityonline.info: Silent Push Threat Analysts uncover a multi-cluster phishing operation leveraging fake CIA and anti-Putin group websites to harvest
  • Vulnerable U: Russian Hackers Target Ukraine With Stealthy Malware Attack

Deeba Ahmed@hackread.com //
A new wave of Android malware campaigns are exploiting Microsoft’s .NET MAUI framework to target users, particularly in India and China. Cybersecurity researchers at McAfee Labs have identified these malicious applications, which disguise themselves as legitimate services like banking and social media apps, to steal sensitive user information. These fake apps, collectively codenamed FakeApp, are not distributed through official channels like Google Play, but rather through bogus links sent via messaging apps and unofficial app stores. .NET MAUI, designed as a cross-platform development framework, allows these threats to conceal malicious code, making them difficult to detect by traditional antivirus solutions.

Researchers have found that the malware's core functionalities are written entirely in C# and stored as binary large objects, evading detection methods that typically analyze DEX files or native libraries. For instance, a fraudulent banking app impersonates IndusInd Bank, targeting Indian users by prompting them to enter personal and financial details, which are then sent to the attacker's command-and-control server. Another instance involves a fake social networking service app aimed at Chinese-speaking users, employing multi-stage dynamic loading to decrypt and execute its payload in separate stages, further complicating analysis and disrupting security tools.

Recommended read:
References :
  • hackread.com: Hackers Are Using Microsoft’s .NET MAUI to Spread Android Malware
  • securityaffairs.com: Android malware campaigns use .NET MAUI to evade detection
  • The DefendOps Diaries: Understanding the Threat: How .NET MAUI is Changing Android Malware
  • thehackernews.com: Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps
  • www.infosecurity-magazine.com: New Android Malware Uses .NET MAUI to Evade Detection
  • securityonline.info: New Android Malware Campaign Uses .NET MAUI to Evade Detection
  • Security Risk Advisors: 🚩New Android Malware Campaign Exploits .NET MAUI Framework to Steal Sensitive Data
  • MSSP feed for Latest: Threat actors exploited Microsoft's .NET MAUI cross-platform development framework to craft fake apps in new Android malware campaigns.
  • Virus Bulletin: McAfee's Mobile Research Team discovered an Android malware campaign abusing .NET MAUI, a cross-platform development framework, to evade detection and remain active on devices for a long time.
  • BleepingComputer: New Android malware campaigns use Microsoft's cross-platform framework .NET MAUI while disguising as legitimate services to evade detection.
  • Security | TechRepublic: Android Malware Exploits a Microsoft-Related Security Blind Spot to Avoid Detection

Zimperium@www.zimperium.com //
Zimperium, a mobile security firm, has issued a warning about the persistent and evolving threat that rooted and jailbroken mobile devices pose to enterprises. Their recent report highlights that these compromised devices, which bypass security protocols, make organizations increasingly vulnerable to mobile malware, data breaches, and full system compromises. According to Zimperium's research, rooted Android devices are significantly more susceptible to security incidents, with a 3.5 times greater likelihood of malware attacks and a staggering 250 times higher risk of system compromise.

Rooting and jailbreaking, initially used for device customization, grant users full control but remove crucial security protections. This allows the installation of apps from unverified sources, disabling security features, and modifying system files, making them prime targets for cybercriminals. Hackers are continuously developing sophisticated toolkits, such as Magisk and APatch, to hide their presence and evade detection. These tools employ techniques like "systemless" rooting and on-the-fly kernel memory modification, making it increasingly difficult for cybersecurity researchers to identify compromised devices before they inflict damage, emphasizing the need for constant monitoring and updated security measures.

Recommended read:
References :
  • hackread.com: A new Zimperium report reveals that rooted Android phones and jailbroken iOS devices face growing threats, with advanced toolkits making detection nearly impossible for cybersecurity researchers.
  • www.scworld.com: Rooted, jailbroken mobile devices pose security risk to organizations
  • : Zimperium warns that mobile rooting and jailbreaking remain a persistent and evolving threat to enterprises worldwide. The post appeared first on .
  • ai-techpark.com: AI-TechPark : Zimperium Warns of Ongoing Threats from Rooting, Jailbreaking

info@thehackernews.com (The@The Hacker News //
North Korea-linked APT group ScarCruft has been identified deploying a new Android spyware dubbed KoSpy, targeting Korean and English-speaking users. The spyware was distributed through fake utility apps on the Google Play Store and third-party app stores like APKPure. At least five malicious applications, masquerading as File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security, were used to trick users into installing the spyware onto their devices.

The malicious apps offer the promised functionality to avoid raising suspicion while stealthily deploying spyware-related components in the background. The spyware is designed to collect a wide range of data from compromised devices, including SMS messages, call logs, device location, files in local storage, screenshots, keystrokes, Wi-Fi network information, and the list of installed applications. It's also equipped to record audio and take photos. The apps have since been removed from the app marketplace.

Recommended read:
References :
  • infosec.exchange: NEW: North Korean government hackers snuck spyware onto the official Android app store, and tricked a few people to download it, according to Lookout.
  • techcrunch.com: North Korean government hackers snuck spyware on Android app store
  • The DefendOps Diaries: KoSpy: Unmasking the North Korean Spyware Threat
  • PCMag UK security: Suspected North Korean Hackers Infiltrate Google Play With 'KoSpy' Spyware
  • BleepingComputer: New North Korean Android spyware slips onto Google Play
  • bsky.app: A new Android spyware named 'KoSpy' is linked to North Korean threat actors who have infiltrated Google Play and third-party app store APKPure through at least five malicious apps. https://www.bleepingcomputer.com/news/security/new-north-korean-android-spyware-slips-onto-google-play/
  • The Record: A North Korean nation-state group tracked as APT37 or ScarCruft placed infected utilities in Android app stores as part of an espionage campaign, according to researchers
  • www.scworld.com: Android spyware ‘KoSpy’ spread by suspected North Korean APT
  • securityaffairs.com: North Korea-linked APT group ScarCruft spotted using new Android spyware KoSpy
  • bsky.app: A new Android spyware named 'KoSpy' is linked to North Korean threat actors who have infiltrated Google Play and third-party app store APKPure through at least five malicious apps.
  • The Hacker News: The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean and English-speaking users.
  • securityonline.info: North Korea’s APT ScarCruft Places Spyware on Google Play
  • securityaffairs.com: North Korea-linked APT group ScarCruft used a new Android spyware dubbed KoSpy to target Korean and English-speaking users.
  • Secure Bulletin: New Android spyware “KoSpyâ€� linked to North Korean APT37
  • securityonline.info: North Korean ScarCruft APT Targets Users with Novel KoSpy Android Spyware
  • Carly Page: North Korean-linked hackers uploaded Android spyware to Google Play. The spyware, which collects an “extensive amountâ€� of sensitive data, was downloaded more than 10 times before Google removed it, according to Lookout

Mandvi@Cyber Security News //
A critical zero-day vulnerability, dubbed EvilLoader, has been discovered in Telegram for Android by security researcher 0x6rss. This exploit allows attackers to disguise malicious APK files as video files, potentially leading to unauthorized malware installations on users' devices. The vulnerability exploits Telegram's file handling mechanism, tricking the app into treating HTML files with .mp4 extensions as legitimate video files, even though the file is not a video file.

When a user attempts to play these crafted "videos," Telegram prompts them to open the file in an external application, potentially leading to the installation of malicious software. For the attack to succeed, users must click the embedded link multiple times, disable Android’s security restriction on installing apps from unknown sources, and proceed with the installation. The file facilitating this attack has been available for sale on underground hacker forums.

Recommended read:
References :
  • Cyber Security News: A critical zero-day vulnerability in Telegram for Android, dubbed EvilLoader, has been discovered by security researcher 0x6rss. This exploit allows attackers to disguise malicious APKs as video files, potentially leading to unauthorized malware installations on users’ devices.
  • WeLiveSecurity: ESET researchers discuss how they uncovered a zero-day Telegram for Android exploit that allowed attackers to send malicious files posing as videos
  • securityonline.info: Telegram’s EvilLoader: Hackers Exploit Video Flaw Again

Pierluigi Paganini@Security Affairs //
Google has released the March 2025 Android Security Bulletin, which addresses 44 vulnerabilities. Notably, the update includes patches for two zero-day flaws, identified as CVE-2024-43093 and CVE-2024-50302, that are actively being exploited in the wild. The high-severity vulnerability CVE-2024-43093 is a privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories. CVE-2024-50302 is also a privilege escalation flaw in the HID USB component of the Linux kernel that could lead to a leak of uninitialized kernel memory to a local attacker through specially crafted HID reports.

This security update arrives after reports surfaced that Serbian authorities used one of these zero-day vulnerabilities to unlock confiscated devices. Google acknowledged that both CVE-2024-43093 and CVE-2024-50302 have come under "limited, targeted exploitation." The company has released two security patch levels to allow Android partners flexibility in addressing vulnerabilities across devices more quickly. The security patch levels are 2025-03-01 and 2025-03-05.

Recommended read:
References :
  • securityaffairs.com: Reports the release of Google's March 2025 Android security update, which addresses actively exploited zero-day vulnerabilities.
  • cyberinsider.com: Google Patches Two Actively Exploited Zero-Day Flaws in Android
  • The Hacker News: Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities.
  • bsky.app: Google has released patches for 43 vulnerabilities in Android's March 2025 security update, including two zero-days. Serbian authorities have used one of the zero-days to unlock confiscated devices.
  • Information Security Buzz: Google Issues Urgent Alert for Exploited Android Vulnerabilities

@techcrunch.com //
Italian spyware maker SIO is distributing malicious Android applications that masquerade as popular apps like WhatsApp. According to an exclusive report by TechCrunch, the spyware, dubbed "Spyrtacus," is designed to steal private data from a target's device. Researchers have linked this spyware campaign to SIO, a company that claims to partner with law enforcement agencies, government organizations, police, and intelligence agencies, including the Italian government.

The spyware campaign involves distributing malicious Android apps disguised as popular applications and cellphone provider tools. Security researchers at Lookout identified the spyware as "Spyrtacus" after finding the term in the code of an older malware sample. Spyrtacus possesses capabilities typical of government spyware, including the ability to steal text messages, chats from various messaging platforms, exfiltrate contacts, and record phone calls and ambient audio. At this time, the identities of the spyware targets and victims remain unknown.

Recommended read:
References :
  • infosec.exchange: NEW: We caught another government spyware vendor, which made fake Android apps masquerading as WhatsApp and cellphone providers' apps. The spyware, called Spyrtacus, was made by SIO. The company says on its official website that it partners "Law Enforcement Agencies, Government Organizations, Police and Intelligence Agencies," and sells to Italian government. At this point, we don't have information on who were the spyware targets and victims.
  • Zack Whittaker: Incredible reporting by , who caught an Android spyware campaign in the wild. The spyware, dubbed "Spyrtacus," masquerades as popular apps like WhatsApp, but steals victims' phone data. Researchers linked the spyware to Italian firm SIO.
  • Pietro395 :proton: ??: Italian spyware maker SIO, known to sell its products to government customers, is behind a series of malicious Android apps that masquerade as WhatsApp and other popular apps but steal private data from a target’s device, TechCrunch has exclusively learned.
  • techcrunch.com: Spyware maker caught distributing malicious Android apps for years
  • infosec.exchange: NEW: We caught another government spyware vendor, which made fake Android apps masquerading as WhatsApp and cellphone providers' apps.
  • techcrunch.com: Spyware maker caught distributing malicious Android apps for years
  • Techmeme: Sources: Italian spyware maker SIO created malicious Android apps that masquerade as WhatsApp and other apps; a researcher says they were likely used in Italy (Lorenzo Franceschi-Bicchierai/TechCrunch)
  • www.dday.it: Very nice find (in 🇮🇹) by tech site Digital Day. Spyware maker SIO attempted to sell Spyrtacus through an intermediary to an Italian prosecutor's office in Sicily, but was rejected because law says the owner of the product is the one that must apply to the tender.

@securityonline.info //
The BADBOX botnet has infected over 190,000 Android devices, including high-end products like Yandex 4K QLED TVs. This botnet's widespread infection is attributed to supply chain vulnerabilities, potentially involving pre-installed malware embedded during the manufacturing or distribution phases. This discovery highlights the significant security risks associated with compromises in the supply chain of Android devices.

A recent investigation revealed over 160,000 unique IP addresses communicating with BADBOX command-and-control servers daily. These infections are concentrated in countries like Russia, China, India, Brazil, Belarus, and Ukraine. The BADBOX malware is believed to originate from the Triada family of Android malware, known for its stealth. Once activated, infected devices are transformed into residential proxies, enabling cybercriminals to route internet traffic through them for illegal activities and ad fraud.

Recommended read:
References :
  • Cyber Security News: CyberPress article about the BADBOX botnet infection of Android devices, including LED TVs.
  • gbhackers.com: GBHackers article reporting on the BADBOX botnet.
  • securityonline.info: Security Online article on the BADBOX botnet infecting Android devices with pre-installed malware.
  • cyberpress.org: Cyberpress.org article on BADBOX botnet and the affected devices.
  • securityonline.info: SecurityOnline article about BADBOX botnet and pre-installed malware targeting Android devices.
  • gbhackers.com: The BADBOX botnet, a sophisticated malware operation targeting Android-based devices, has now infected over 192,000 systems globally.

info@thehackernews.com (The Hacker News)@The Hacker News //
Google has released the February 2025 Android security updates, patching a total of 48 vulnerabilities. Among these fixes is a critical zero-day kernel vulnerability, identified as CVE-2024-53104, which Google has confirmed is being actively exploited in the wild. This particular flaw is a privilege escalation issue found within the USB Video Class (UVC) driver, potentially allowing attackers to gain elevated permissions on affected devices.

The vulnerability, with a CVSS score of 7.8, stems from an out-of-bounds write condition within the "uvc_parse_format()" function of the "uvc_driver.c" program, specifically when parsing UVC_VS_UNDEFINED frames. This flaw, present since Linux kernel version 2.6.26 released in mid-2008, could lead to memory corruption, program crashes, or even arbitrary code execution. While the specific actors behind the exploitation remain unclear, the potential for "physical" privilege escalation raises concerns about misuse by forensic data extraction tools.

Recommended read:
References :
  • cyberinsider.com: Google Fixes Zero-Day Flaw Exploited in Targeted Android Attacks
  • BleepingComputer: The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.
  • securityaffairs.com: Google fixed actively exploited kernel zero-day flaw
  • The Hacker News: Google Patches 47 Android Security Flaws, Including Actively Exploited CVE-2024-53104
  • CyberInsider: Google Fixes Zero-Day Flaw Exploited in Targeted Android Attacks
  • ciso2ciso.com: Google fixed actively exploited kernel zero-day flaw
  • BleepingComputer: The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.
  • Pyrzout :vm:: Social post about google actively exploited kernel zero-day flaw.
  • www.bleepingcomputer.com: The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.

CISO2CISO Editor 2@ciso2ciso.com //
Google is introducing a new security feature called Identity Check for Android devices to combat theft. This feature locks sensitive settings, such as device and account passwords, behind biometric authentication when outside a trusted location. This prevents thieves from making unauthorized changes even if they possess the device's passcode. The intent is to safeguard user data and improve overall device security.

Identity Check requires biometric verification for accessing sensitive areas like performing factory resets, changing screen locks, adding new fingerprints, and disabling ‘Find My Device’. It also protects access to developer options and Google Password Manager. Initially, the feature will roll out to Samsung Galaxy devices eligible for One UI 7, both as part of the new OS and potentially on older versions in the near future. Non-Samsung users will receive the security update later in the year.

Recommended read:
References :
  • ciso2ciso.com: Android enhances theft protection with Identity Check and expanded features – Source:security.googleblog.com
  • discuss.privacyguides.net: New Android Identity Check locks settings outside trusted locations
  • AAKL: Android's New Identity Check Feature Locks Device Settings Outside Trusted Locations Google announcement:
  • Pyrzout :vm:: Android enhances theft protection with Identity Check and expanded features – Source:security.googleblog.com
  • security.googleblog.com: Android's New Identity Check Feature Locks Device Settings Outside Trusted Locations Google announcement:
  • BleepingComputer: Google has announced a new Android "Identity Check" security feature that lock sensitive settings behind biometric authentication when outside a trusted location.
  • www.bleepingcomputer.com: New Android Identity Check locks settings outside trusted locations
  • ciso2ciso.com: Android improves theft protection with Identity Check and additional features.
  • The Hacker News: Discussion of Android's new Identity Check feature and improved device security.