CyberSecurity news

FlagThis - #android

info@thehackernews.com (The@The Hacker News //
North Korea-linked APT group ScarCruft has been identified deploying a new Android spyware dubbed KoSpy, targeting Korean and English-speaking users. The spyware was distributed through fake utility apps on the Google Play Store and third-party app stores like APKPure. At least five malicious applications, masquerading as File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security, were used to trick users into installing the spyware onto their devices.

The malicious apps offer the promised functionality to avoid raising suspicion while stealthily deploying spyware-related components in the background. The spyware is designed to collect a wide range of data from compromised devices, including SMS messages, call logs, device location, files in local storage, screenshots, keystrokes, Wi-Fi network information, and the list of installed applications. It's also equipped to record audio and take photos. The apps have since been removed from the app marketplace.

Recommended read:
References :
  • infosec.exchange: NEW: North Korean government hackers snuck spyware onto the official Android app store, and tricked a few people to download it, according to Lookout.
  • techcrunch.com: North Korean government hackers snuck spyware on Android app store
  • The DefendOps Diaries: KoSpy: Unmasking the North Korean Spyware Threat
  • PCMag UK security: Suspected North Korean Hackers Infiltrate Google Play With 'KoSpy' Spyware
  • BleepingComputer: New North Korean Android spyware slips onto Google Play
  • bsky.app: A new Android spyware named 'KoSpy' is linked to North Korean threat actors who have infiltrated Google Play and third-party app store APKPure through at least five malicious apps. https://www.bleepingcomputer.com/news/security/new-north-korean-android-spyware-slips-onto-google-play/
  • The Record: A North Korean nation-state group tracked as APT37 or ScarCruft placed infected utilities in Android app stores as part of an espionage campaign, according to researchers
  • www.scworld.com: Android spyware ‘KoSpy’ spread by suspected North Korean APT
  • securityaffairs.com: North Korea-linked APT group ScarCruft spotted using new Android spyware KoSpy
  • bsky.app: A new Android spyware named 'KoSpy' is linked to North Korean threat actors who have infiltrated Google Play and third-party app store APKPure through at least five malicious apps.
  • The Hacker News: The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean and English-speaking users.
  • securityonline.info: North Korea’s APT ScarCruft Places Spyware on Google Play
  • securityaffairs.com: North Korea-linked APT group ScarCruft used a new Android spyware dubbed KoSpy to target Korean and English-speaking users.
  • Secure Bulletin: New Android spyware “KoSpyâ€� linked to North Korean APT37
  • securityonline.info: North Korean ScarCruft APT Targets Users with Novel KoSpy Android Spyware
  • Carly Page: North Korean-linked hackers uploaded Android spyware to Google Play. The spyware, which collects an “extensive amountâ€� of sensitive data, was downloaded more than 10 times before Google removed it, according to Lookout

Deeba Ahmed@hackread.com //
A new wave of Android malware campaigns are exploiting Microsoft’s .NET MAUI framework to target users, particularly in India and China. Cybersecurity researchers at McAfee Labs have identified these malicious applications, which disguise themselves as legitimate services like banking and social media apps, to steal sensitive user information. These fake apps, collectively codenamed FakeApp, are not distributed through official channels like Google Play, but rather through bogus links sent via messaging apps and unofficial app stores. .NET MAUI, designed as a cross-platform development framework, allows these threats to conceal malicious code, making them difficult to detect by traditional antivirus solutions.

Researchers have found that the malware's core functionalities are written entirely in C# and stored as binary large objects, evading detection methods that typically analyze DEX files or native libraries. For instance, a fraudulent banking app impersonates IndusInd Bank, targeting Indian users by prompting them to enter personal and financial details, which are then sent to the attacker's command-and-control server. Another instance involves a fake social networking service app aimed at Chinese-speaking users, employing multi-stage dynamic loading to decrypt and execute its payload in separate stages, further complicating analysis and disrupting security tools.

Recommended read:
References :
  • hackread.com: Hackers Are Using Microsoft’s .NET MAUI to Spread Android Malware
  • securityaffairs.com: Android malware campaigns use .NET MAUI to evade detection
  • The DefendOps Diaries: Understanding the Threat: How .NET MAUI is Changing Android Malware
  • thehackernews.com: Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps
  • www.infosecurity-magazine.com: New Android Malware Uses .NET MAUI to Evade Detection
  • securityonline.info: New Android Malware Campaign Uses .NET MAUI to Evade Detection
  • Security Risk Advisors: 🚩New Android Malware Campaign Exploits .NET MAUI Framework to Steal Sensitive Data
  • MSSP feed for Latest: Threat actors exploited Microsoft's .NET MAUI cross-platform development framework to craft fake apps in new Android malware campaigns.
  • Virus Bulletin: McAfee's Mobile Research Team discovered an Android malware campaign abusing .NET MAUI, a cross-platform development framework, to evade detection and remain active on devices for a long time.
  • BleepingComputer: New Android malware campaigns use Microsoft's cross-platform framework .NET MAUI while disguising as legitimate services to evade detection.
  • Security | TechRepublic: Android Malware Exploits a Microsoft-Related Security Blind Spot to Avoid Detection

Pierluigi Paganini@Security Affairs //
Google has released the March 2025 Android Security Bulletin, which addresses 44 vulnerabilities. Notably, the update includes patches for two zero-day flaws, identified as CVE-2024-43093 and CVE-2024-50302, that are actively being exploited in the wild. The high-severity vulnerability CVE-2024-43093 is a privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories. CVE-2024-50302 is also a privilege escalation flaw in the HID USB component of the Linux kernel that could lead to a leak of uninitialized kernel memory to a local attacker through specially crafted HID reports.

This security update arrives after reports surfaced that Serbian authorities used one of these zero-day vulnerabilities to unlock confiscated devices. Google acknowledged that both CVE-2024-43093 and CVE-2024-50302 have come under "limited, targeted exploitation." The company has released two security patch levels to allow Android partners flexibility in addressing vulnerabilities across devices more quickly. The security patch levels are 2025-03-01 and 2025-03-05.

Recommended read:
References :
  • securityaffairs.com: Reports the release of Google's March 2025 Android security update, which addresses actively exploited zero-day vulnerabilities.
  • cyberinsider.com: Google Patches Two Actively Exploited Zero-Day Flaws in Android
  • The Hacker News: Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities.
  • bsky.app: Google has released patches for 43 vulnerabilities in Android's March 2025 security update, including two zero-days. Serbian authorities have used one of the zero-days to unlock confiscated devices.
  • Information Security Buzz: Google Issues Urgent Alert for Exploited Android Vulnerabilities

info@thehackernews.com (The@The Hacker News //
A new Android malware campaign, potentially linked to previous attacks targeting Indian military personnel, has been identified focusing on users in Taiwan. The malware, known as PJobRAT, is an Android Remote Access Trojan (RAT) that steals sensitive data. It operates by disguising itself as legitimate chat applications, tricking users into installation. Once installed, PJobRAT can extract SMS messages, phone contacts, device information, documents, and media files from infected devices, enabling deep surveillance and remote control.

Researchers at Sophos X-Ops uncovered this recent campaign, observing activity from January 2023 to October 2024. The malicious chat apps, named SangaalLite and CChat, were distributed through compromised WordPress sites. While this particular campaign may be paused, it illustrates that threat actors often retool and retarget after an initial campaign, improving their malware and adjusting their approach before striking again. Users are advised to avoid installing apps from untrusted sources and employ mobile security solutions for protection.

Recommended read:
References :
  • ciso2ciso.com: PJobRAT Malware Campaign Targeted Taiwanese Users via Fake Chat Apps – Source:thehackernews.com
  • The Hacker News: An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign likely aimed at users in Taiwan under the guise of chat apps.
  • www.infosecurity-magazine.com: PJobRAT malware targets Taiwan Android users, stealing data through fake messaging platforms
  • Sophos X-Ops: Back in 2021, researchers reported on PJobRAT, an Android RAT targeting Indian military personnel by imitating various dating and instant messaging apps. After that, everything seemed to go quiet. But during a recent threat hunt, Sophos X-Ops researchers uncovered a more recent PJobRAT campaign appearing to target users in Taiwan – the earliest sample being Jan 2023, and the most recent in October 2024.
  • Cyber Security News: Sophos X-Ops researchers have uncovered a new campaign involving PJobRAT, an Android Remote Access Trojan (RAT) first observed in 2019. This latest iteration, which appeared to target users in Taiwan, disguised itself as instant messaging apps such as ‘SangaalLite’ and ‘CChat’.
  • gbhackers.com: PJobRAT, an Android Remote Access Trojan (RAT) first identified in 2019, has resurfaced in a new campaign targeting users in Taiwan.

@techcrunch.com //
Italian spyware maker SIO is distributing malicious Android applications that masquerade as popular apps like WhatsApp. According to an exclusive report by TechCrunch, the spyware, dubbed "Spyrtacus," is designed to steal private data from a target's device. Researchers have linked this spyware campaign to SIO, a company that claims to partner with law enforcement agencies, government organizations, police, and intelligence agencies, including the Italian government.

The spyware campaign involves distributing malicious Android apps disguised as popular applications and cellphone provider tools. Security researchers at Lookout identified the spyware as "Spyrtacus" after finding the term in the code of an older malware sample. Spyrtacus possesses capabilities typical of government spyware, including the ability to steal text messages, chats from various messaging platforms, exfiltrate contacts, and record phone calls and ambient audio. At this time, the identities of the spyware targets and victims remain unknown.

Recommended read:
References :
  • infosec.exchange: NEW: We caught another government spyware vendor, which made fake Android apps masquerading as WhatsApp and cellphone providers' apps. The spyware, called Spyrtacus, was made by SIO. The company says on its official website that it partners "Law Enforcement Agencies, Government Organizations, Police and Intelligence Agencies," and sells to Italian government. At this point, we don't have information on who were the spyware targets and victims.
  • Zack Whittaker: Incredible reporting by , who caught an Android spyware campaign in the wild. The spyware, dubbed "Spyrtacus," masquerades as popular apps like WhatsApp, but steals victims' phone data. Researchers linked the spyware to Italian firm SIO.
  • Pietro395 :proton: ??: Italian spyware maker SIO, known to sell its products to government customers, is behind a series of malicious Android apps that masquerade as WhatsApp and other popular apps but steal private data from a target’s device, TechCrunch has exclusively learned.
  • techcrunch.com: Spyware maker caught distributing malicious Android apps for years
  • infosec.exchange: NEW: We caught another government spyware vendor, which made fake Android apps masquerading as WhatsApp and cellphone providers' apps.
  • techcrunch.com: Spyware maker caught distributing malicious Android apps for years
  • Techmeme: Sources: Italian spyware maker SIO created malicious Android apps that masquerade as WhatsApp and other apps; a researcher says they were likely used in Italy (Lorenzo Franceschi-Bicchierai/TechCrunch)
  • www.dday.it: Very nice find (in 🇮🇹) by tech site Digital Day. Spyware maker SIO attempted to sell Spyrtacus through an intermediary to an Italian prosecutor's office in Sicily, but was rejected because law says the owner of the product is the one that must apply to the tender.

Zimperium@Zimperium //
Zimperium, a mobile security firm, has issued a warning about the persistent and evolving threat that rooted and jailbroken mobile devices pose to enterprises. Their recent report highlights that these compromised devices, which bypass security protocols, make organizations increasingly vulnerable to mobile malware, data breaches, and full system compromises. According to Zimperium's research, rooted Android devices are significantly more susceptible to security incidents, with a 3.5 times greater likelihood of malware attacks and a staggering 250 times higher risk of system compromise.

Rooting and jailbreaking, initially used for device customization, grant users full control but remove crucial security protections. This allows the installation of apps from unverified sources, disabling security features, and modifying system files, making them prime targets for cybercriminals. Hackers are continuously developing sophisticated toolkits, such as Magisk and APatch, to hide their presence and evade detection. These tools employ techniques like "systemless" rooting and on-the-fly kernel memory modification, making it increasingly difficult for cybersecurity researchers to identify compromised devices before they inflict damage, emphasizing the need for constant monitoring and updated security measures.

Recommended read:
References :
  • hackread.com: A new Zimperium report reveals that rooted Android phones and jailbroken iOS devices face growing threats, with advanced toolkits making detection nearly impossible for cybersecurity researchers.
  • www.scworld.com: Rooted, jailbroken mobile devices pose security risk to organizations
  • Zimperium: Zimperium warns that mobile rooting and jailbreaking remain a persistent and evolving threat to enterprises worldwide. The post appeared first on .
  • ai-techpark.com: AI-TechPark : Zimperium Warns of Ongoing Threats from Rooting, Jailbreaking

info@thehackernews.com (The Hacker News)@The Hacker News //
Google has released the February 2025 Android security updates, patching a total of 48 vulnerabilities. Among these fixes is a critical zero-day kernel vulnerability, identified as CVE-2024-53104, which Google has confirmed is being actively exploited in the wild. This particular flaw is a privilege escalation issue found within the USB Video Class (UVC) driver, potentially allowing attackers to gain elevated permissions on affected devices.

The vulnerability, with a CVSS score of 7.8, stems from an out-of-bounds write condition within the "uvc_parse_format()" function of the "uvc_driver.c" program, specifically when parsing UVC_VS_UNDEFINED frames. This flaw, present since Linux kernel version 2.6.26 released in mid-2008, could lead to memory corruption, program crashes, or even arbitrary code execution. While the specific actors behind the exploitation remain unclear, the potential for "physical" privilege escalation raises concerns about misuse by forensic data extraction tools.

Recommended read:
References :
  • cyberinsider.com: Google Fixes Zero-Day Flaw Exploited in Targeted Android Attacks
  • BleepingComputer: The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.
  • securityaffairs.com: Google fixed actively exploited kernel zero-day flaw
  • The Hacker News: Google Patches 47 Android Security Flaws, Including Actively Exploited CVE-2024-53104
  • CyberInsider: Google Fixes Zero-Day Flaw Exploited in Targeted Android Attacks
  • ciso2ciso.com: Google fixed actively exploited kernel zero-day flaw
  • BleepingComputer: The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.
  • Pyrzout :vm:: Social post about google actively exploited kernel zero-day flaw.
  • www.bleepingcomputer.com: The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.

@www.silentpush.com //
References: gbhackers.com , hackread.com ,
A sophisticated phishing campaign, suspected to be backed by Russian Intelligence Services, has been uncovered targeting individuals sympathetic to Ukraine, including Russian citizens and informants. The operation involves creating fake websites impersonating organizations such as the CIA, the Russian Volunteer Corps (RVC), Legion Liberty, and "Hochuzhit" ("I Want to Live"), an appeals hotline for Russian service members operated by Ukrainian intelligence. These deceptive sites aim to collect personal information from unsuspecting visitors, exploiting anti-war sentiment within Russia, where such activities are illegal and punishable by law.

Researchers at Silent Push discovered four distinct phishing clusters using tactics such as static HTML, JavaScript, and Google Forms to steal data. The threat actors are utilizing a bulletproof hosting provider, Nybula LLC, to host the fake websites, which are designed to mimic legitimate organizations. The goal is to gather intelligence and potentially identify dissidents within Russia. The campaign highlights the ongoing digital dimension of the Russia-Ukraine conflict and underscores the need for increased vigilance and improved digital hygiene among potential targets.

Recommended read:
References :
  • gbhackers.com: reports on the Russian attempts to steal Ukraine Defense Intelligence data
  • hackread.com: Russian Phishing Uses Fake CIA Sites to Target Anti-war, Ukraine Supporters
  • www.silentpush.com: Russian Intelligence Service-backed Campaigns Impersonate the CIA to Target Ukraine Sympathizers, Russian Citizens and Informants

Mandvi@Cyber Security News //
A critical zero-day vulnerability, dubbed EvilLoader, has been discovered in Telegram for Android by security researcher 0x6rss. This exploit allows attackers to disguise malicious APK files as video files, potentially leading to unauthorized malware installations on users' devices. The vulnerability exploits Telegram's file handling mechanism, tricking the app into treating HTML files with .mp4 extensions as legitimate video files, even though the file is not a video file.

When a user attempts to play these crafted "videos," Telegram prompts them to open the file in an external application, potentially leading to the installation of malicious software. For the attack to succeed, users must click the embedded link multiple times, disable Android’s security restriction on installing apps from unknown sources, and proceed with the installation. The file facilitating this attack has been available for sale on underground hacker forums.

Recommended read:
References :
  • Cyber Security News: A critical zero-day vulnerability in Telegram for Android, dubbed EvilLoader, has been discovered by security researcher 0x6rss. This exploit allows attackers to disguise malicious APKs as video files, potentially leading to unauthorized malware installations on users’ devices.
  • WeLiveSecurity: ESET researchers discuss how they uncovered a zero-day Telegram for Android exploit that allowed attackers to send malicious files posing as videos
  • securityonline.info: Telegram’s EvilLoader: Hackers Exploit Video Flaw Again

@securityonline.info //
The BADBOX botnet has infected over 190,000 Android devices, including high-end products like Yandex 4K QLED TVs. This botnet's widespread infection is attributed to supply chain vulnerabilities, potentially involving pre-installed malware embedded during the manufacturing or distribution phases. This discovery highlights the significant security risks associated with compromises in the supply chain of Android devices.

A recent investigation revealed over 160,000 unique IP addresses communicating with BADBOX command-and-control servers daily. These infections are concentrated in countries like Russia, China, India, Brazil, Belarus, and Ukraine. The BADBOX malware is believed to originate from the Triada family of Android malware, known for its stealth. Once activated, infected devices are transformed into residential proxies, enabling cybercriminals to route internet traffic through them for illegal activities and ad fraud.

Recommended read:
References :
  • Cyber Security News: CyberPress article about the BADBOX botnet infection of Android devices, including LED TVs.
  • gbhackers.com: GBHackers article reporting on the BADBOX botnet.
  • securityonline.info: Security Online article on the BADBOX botnet infecting Android devices with pre-installed malware.
  • cyberpress.org: Cyberpress.org article on BADBOX botnet and the affected devices.
  • securityonline.info: SecurityOnline article about BADBOX botnet and pre-installed malware targeting Android devices.
  • gbhackers.com: The BADBOX botnet, a sophisticated malware operation targeting Android-based devices, has now infected over 192,000 systems globally.

CISO2CISO Editor 2@ciso2ciso.com //
Google is introducing a new security feature called Identity Check for Android devices to combat theft. This feature locks sensitive settings, such as device and account passwords, behind biometric authentication when outside a trusted location. This prevents thieves from making unauthorized changes even if they possess the device's passcode. The intent is to safeguard user data and improve overall device security.

Identity Check requires biometric verification for accessing sensitive areas like performing factory resets, changing screen locks, adding new fingerprints, and disabling ‘Find My Device’. It also protects access to developer options and Google Password Manager. Initially, the feature will roll out to Samsung Galaxy devices eligible for One UI 7, both as part of the new OS and potentially on older versions in the near future. Non-Samsung users will receive the security update later in the year.

Recommended read:
References :
  • ciso2ciso.com: Android enhances theft protection with Identity Check and expanded features – Source:security.googleblog.com
  • discuss.privacyguides.net: New Android Identity Check locks settings outside trusted locations
  • AAKL: Android's New Identity Check Feature Locks Device Settings Outside Trusted Locations Google announcement:
  • Pyrzout :vm:: Android enhances theft protection with Identity Check and expanded features – Source:security.googleblog.com
  • security.googleblog.com: Android's New Identity Check Feature Locks Device Settings Outside Trusted Locations Google announcement:
  • BleepingComputer: Google has announced a new Android "Identity Check" security feature that lock sensitive settings behind biometric authentication when outside a trusted location.
  • www.bleepingcomputer.com: New Android Identity Check locks settings outside trusted locations
  • ciso2ciso.com: Android improves theft protection with Identity Check and additional features.
  • The Hacker News: Discussion of Android's new Identity Check feature and improved device security.