info@thehackernews.com (The@The Hacker News
//
North Korea-linked APT group ScarCruft has been identified deploying a new Android spyware dubbed KoSpy, targeting Korean and English-speaking users. The spyware was distributed through fake utility apps on the Google Play Store and third-party app stores like APKPure. At least five malicious applications, masquerading as File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security, were used to trick users into installing the spyware onto their devices.
The malicious apps offer the promised functionality to avoid raising suspicion while stealthily deploying spyware-related components in the background. The spyware is designed to collect a wide range of data from compromised devices, including SMS messages, call logs, device location, files in local storage, screenshots, keystrokes, Wi-Fi network information, and the list of installed applications. It's also equipped to record audio and take photos. The apps have since been removed from the app marketplace. Recommended read:
References :
Deeba Ahmed@hackread.com
//
A new wave of Android malware campaigns are exploiting Microsoft’s .NET MAUI framework to target users, particularly in India and China. Cybersecurity researchers at McAfee Labs have identified these malicious applications, which disguise themselves as legitimate services like banking and social media apps, to steal sensitive user information. These fake apps, collectively codenamed FakeApp, are not distributed through official channels like Google Play, but rather through bogus links sent via messaging apps and unofficial app stores. .NET MAUI, designed as a cross-platform development framework, allows these threats to conceal malicious code, making them difficult to detect by traditional antivirus solutions.
Researchers have found that the malware's core functionalities are written entirely in C# and stored as binary large objects, evading detection methods that typically analyze DEX files or native libraries. For instance, a fraudulent banking app impersonates IndusInd Bank, targeting Indian users by prompting them to enter personal and financial details, which are then sent to the attacker's command-and-control server. Another instance involves a fake social networking service app aimed at Chinese-speaking users, employing multi-stage dynamic loading to decrypt and execute its payload in separate stages, further complicating analysis and disrupting security tools. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
Google has released the March 2025 Android Security Bulletin, which addresses 44 vulnerabilities. Notably, the update includes patches for two zero-day flaws, identified as CVE-2024-43093 and CVE-2024-50302, that are actively being exploited in the wild. The high-severity vulnerability CVE-2024-43093 is a privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories. CVE-2024-50302 is also a privilege escalation flaw in the HID USB component of the Linux kernel that could lead to a leak of uninitialized kernel memory to a local attacker through specially crafted HID reports.
This security update arrives after reports surfaced that Serbian authorities used one of these zero-day vulnerabilities to unlock confiscated devices. Google acknowledged that both CVE-2024-43093 and CVE-2024-50302 have come under "limited, targeted exploitation." The company has released two security patch levels to allow Android partners flexibility in addressing vulnerabilities across devices more quickly. The security patch levels are 2025-03-01 and 2025-03-05. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A new Android malware campaign, potentially linked to previous attacks targeting Indian military personnel, has been identified focusing on users in Taiwan. The malware, known as PJobRAT, is an Android Remote Access Trojan (RAT) that steals sensitive data. It operates by disguising itself as legitimate chat applications, tricking users into installation. Once installed, PJobRAT can extract SMS messages, phone contacts, device information, documents, and media files from infected devices, enabling deep surveillance and remote control.
Researchers at Sophos X-Ops uncovered this recent campaign, observing activity from January 2023 to October 2024. The malicious chat apps, named SangaalLite and CChat, were distributed through compromised WordPress sites. While this particular campaign may be paused, it illustrates that threat actors often retool and retarget after an initial campaign, improving their malware and adjusting their approach before striking again. Users are advised to avoid installing apps from untrusted sources and employ mobile security solutions for protection. Recommended read:
References :
@techcrunch.com
//
Italian spyware maker SIO is distributing malicious Android applications that masquerade as popular apps like WhatsApp. According to an exclusive report by TechCrunch, the spyware, dubbed "Spyrtacus," is designed to steal private data from a target's device. Researchers have linked this spyware campaign to SIO, a company that claims to partner with law enforcement agencies, government organizations, police, and intelligence agencies, including the Italian government.
The spyware campaign involves distributing malicious Android apps disguised as popular applications and cellphone provider tools. Security researchers at Lookout identified the spyware as "Spyrtacus" after finding the term in the code of an older malware sample. Spyrtacus possesses capabilities typical of government spyware, including the ability to steal text messages, chats from various messaging platforms, exfiltrate contacts, and record phone calls and ambient audio. At this time, the identities of the spyware targets and victims remain unknown. Recommended read:
References :
Zimperium@Zimperium
//
Zimperium, a mobile security firm, has issued a warning about the persistent and evolving threat that rooted and jailbroken mobile devices pose to enterprises. Their recent report highlights that these compromised devices, which bypass security protocols, make organizations increasingly vulnerable to mobile malware, data breaches, and full system compromises. According to Zimperium's research, rooted Android devices are significantly more susceptible to security incidents, with a 3.5 times greater likelihood of malware attacks and a staggering 250 times higher risk of system compromise.
Rooting and jailbreaking, initially used for device customization, grant users full control but remove crucial security protections. This allows the installation of apps from unverified sources, disabling security features, and modifying system files, making them prime targets for cybercriminals. Hackers are continuously developing sophisticated toolkits, such as Magisk and APatch, to hide their presence and evade detection. These tools employ techniques like "systemless" rooting and on-the-fly kernel memory modification, making it increasingly difficult for cybersecurity researchers to identify compromised devices before they inflict damage, emphasizing the need for constant monitoring and updated security measures. Recommended read:
References :
info@thehackernews.com (The Hacker News)@The Hacker News
//
Google has released the February 2025 Android security updates, patching a total of 48 vulnerabilities. Among these fixes is a critical zero-day kernel vulnerability, identified as CVE-2024-53104, which Google has confirmed is being actively exploited in the wild. This particular flaw is a privilege escalation issue found within the USB Video Class (UVC) driver, potentially allowing attackers to gain elevated permissions on affected devices.
The vulnerability, with a CVSS score of 7.8, stems from an out-of-bounds write condition within the "uvc_parse_format()" function of the "uvc_driver.c" program, specifically when parsing UVC_VS_UNDEFINED frames. This flaw, present since Linux kernel version 2.6.26 released in mid-2008, could lead to memory corruption, program crashes, or even arbitrary code execution. While the specific actors behind the exploitation remain unclear, the potential for "physical" privilege escalation raises concerns about misuse by forensic data extraction tools. Recommended read:
References :
@www.silentpush.com
//
References:
gbhackers.com
, hackread.com
,
A sophisticated phishing campaign, suspected to be backed by Russian Intelligence Services, has been uncovered targeting individuals sympathetic to Ukraine, including Russian citizens and informants. The operation involves creating fake websites impersonating organizations such as the CIA, the Russian Volunteer Corps (RVC), Legion Liberty, and "Hochuzhit" ("I Want to Live"), an appeals hotline for Russian service members operated by Ukrainian intelligence. These deceptive sites aim to collect personal information from unsuspecting visitors, exploiting anti-war sentiment within Russia, where such activities are illegal and punishable by law.
Researchers at Silent Push discovered four distinct phishing clusters using tactics such as static HTML, JavaScript, and Google Forms to steal data. The threat actors are utilizing a bulletproof hosting provider, Nybula LLC, to host the fake websites, which are designed to mimic legitimate organizations. The goal is to gather intelligence and potentially identify dissidents within Russia. The campaign highlights the ongoing digital dimension of the Russia-Ukraine conflict and underscores the need for increased vigilance and improved digital hygiene among potential targets. Recommended read:
References :
Mandvi@Cyber Security News
//
References:
Cyber Security News
, WeLiveSecurity
,
A critical zero-day vulnerability, dubbed EvilLoader, has been discovered in Telegram for Android by security researcher 0x6rss. This exploit allows attackers to disguise malicious APK files as video files, potentially leading to unauthorized malware installations on users' devices. The vulnerability exploits Telegram's file handling mechanism, tricking the app into treating HTML files with .mp4 extensions as legitimate video files, even though the file is not a video file.
When a user attempts to play these crafted "videos," Telegram prompts them to open the file in an external application, potentially leading to the installation of malicious software. For the attack to succeed, users must click the embedded link multiple times, disable Android’s security restriction on installing apps from unknown sources, and proceed with the installation. The file facilitating this attack has been available for sale on underground hacker forums. Recommended read:
References :
@securityonline.info
//
The BADBOX botnet has infected over 190,000 Android devices, including high-end products like Yandex 4K QLED TVs. This botnet's widespread infection is attributed to supply chain vulnerabilities, potentially involving pre-installed malware embedded during the manufacturing or distribution phases. This discovery highlights the significant security risks associated with compromises in the supply chain of Android devices.
A recent investigation revealed over 160,000 unique IP addresses communicating with BADBOX command-and-control servers daily. These infections are concentrated in countries like Russia, China, India, Brazil, Belarus, and Ukraine. The BADBOX malware is believed to originate from the Triada family of Android malware, known for its stealth. Once activated, infected devices are transformed into residential proxies, enabling cybercriminals to route internet traffic through them for illegal activities and ad fraud. Recommended read:
References :
CISO2CISO Editor 2@ciso2ciso.com
//
Google is introducing a new security feature called Identity Check for Android devices to combat theft. This feature locks sensitive settings, such as device and account passwords, behind biometric authentication when outside a trusted location. This prevents thieves from making unauthorized changes even if they possess the device's passcode. The intent is to safeguard user data and improve overall device security.
Identity Check requires biometric verification for accessing sensitive areas like performing factory resets, changing screen locks, adding new fingerprints, and disabling ‘Find My Device’. It also protects access to developer options and Google Password Manager. Initially, the feature will roll out to Samsung Galaxy devices eligible for One UI 7, both as part of the new OS and potentially on older versions in the near future. Non-Samsung users will receive the security update later in the year. Recommended read:
References :
|