All news with #android tag

Wed, December 10, 2025

DroidLock Android Malware Locks Devices, Demands Ransom

🔒 Zimperium researchers uncovered a new Android malware family called DroidLock that locks victims’ screens, steals messages and call data, and can remotely control devices via VNC. The threat targets Spanish-speaking users and is distributed through malicious websites that impersonate legitimate apps and deliver a dropper which installs a secondary payload. The payload requests Device Admin and Accessibility privileges to perform actions such as wiping devices, changing lock credentials, recording audio, starting the camera, and placing overlays that capture lock patterns. Operators serve a ransom WebView directing victims to contact a Proton email and threaten permanent file destruction within 24 hours if unpaid.

Tue, December 9, 2025

Further Hardening of Mali GPU Drivers with SELinux

🔒 Google’s Android Security and Privacy team collaborated with Arm to analyze the Mali GPU driver and implement SELinux-based IOCTL filtering that reduces the kernel driver's attack surface. The team categorized IOCTLs as unprivileged, instrumentation, and restricted, and used a staged rollout—first opt-in testing via a gpu_harden attribute, then opt-out with a gpu_debug domain—to validate behavior in real devices. The post provides step-by-step guidance for vendors to adopt a platform-level macro, define device-specific IOCTL lists, and enforce policy to keep deprecated and debug IOCTLs unreachable in production.

Mon, December 8, 2025

ClayRat Android Spyware Upgraded with Greater Control

🔒 A new version of the ClayRat Android spyware significantly expands surveillance and device-control features, researchers at Zimperium report. The campaign now pairs Default SMS privileges with aggressive abuse of Accessibility Services to enable a keylogger that captures PINs, passwords and unlock patterns, full-screen recording via the MediaProjection API, deceptive overlays and automated taps that hinder removal. Over 700 unique APKs and more than 25 active phishing domains — including impersonations of video platforms and car apps — have been observed distributing the malware.

Mon, December 8, 2025

Android FvncBot, SeedSnatcher, and ClayRat Upgrades Evolved

📱 Cybersecurity researchers disclosed two new Android malware families (FvncBot, SeedSnatcher) and an upgraded ClayRat with expanded data-theft features. Reported by Intel 471, CYFIRMA, and Zimperium, the samples abuse Android accessibility services and MediaProjection to harvest keystrokes, stream screens, install overlays, and exfiltrate credentials. FvncBot targets Polish banking users and implements HVNC, web-injects, and keylogging; SeedSnatcher focuses on stealing cryptocurrency seed phrases and 2FA via SMS interception. These threats enable persistent device takeover and credential theft.

Fri, December 5, 2025

Intellexa Predator Leaks Reveal Zero-Days and Ad Abuse

🔎 Amnesty International reports a Pakistani human rights lawyer received a WhatsApp link tied to a Predator 1-click attempt, the first known targeting of Balochistan civil society by Intellexa's spyware. Jointly published leaks and vendor analyses show Predator (also marketed as Helios, Nova and Green Arrow) used messaging, ad-based and ISP-assisted vectors plus multiple zero-day exploits to install surveillance payloads. Google Threat Intelligence Group mapped numerous V8, WebKit, Android kernel and other CVEs to the campaign and documented a modular iOS exploitation framework named JSKit and a post-exploitation payload called PREYHUNTER. The disclosures raise urgent questions about exploit sourcing, customer access to logs, and human rights due diligence.

Thu, December 4, 2025

GoldFactory Targets SE Asia with Modified Banking Apps

🛡️ Group-IB says the financially motivated actor GoldFactory has launched a new campaign across Indonesia, Thailand, and Vietnam, distributing modified Android banking apps that serve as droppers for remote‑access trojans. The campaign, active since October 2024 and linked to activity as far back as June 2023, relies on phone-based social engineering and messaging apps like Zalo to direct victims to fake Play Store landing pages. Injected modules preserve normal banking functionality while hooking app logic to bypass security checks, abuse accessibility services, and exfiltrate credentials and account balances.

Wed, December 3, 2025

Google Extends Android In-Call Scam Protection to US Banks

🔒 Google is expanding its Android in-call scam protection to cover several U.S. financial apps, including Cash App and the JPMorgan Chase mobile banking app. The feature, introduced with Android 16, warns users when they launch a financial app while sharing their screen during a call with an unknown number, presenting a persistent 30-second alert that only allows ending the call. The protection runs on Android 11 and later and remains in a testing phase.

Wed, December 3, 2025

Android expands in-call scam protection to banks and fintech

🔒 Android is expanding its pilot for in-call scam protection, which detects when users launch participating financial apps while screen sharing during calls from unsaved numbers. The feature warns users, offers a one-tap option to end the call and stop sharing, and enforces a 30-second pause to disrupt social engineering. After success in the UK and pilots in Brazil and India, Google is rolling out pilots with US fintechs including Cash App and banks like JPMorganChase.

Wed, December 3, 2025

Brazil Hit by WhatsApp Worm and RelayNFC Fraud Campaign

🔒 Water Saci has shifted to a layered infection chain that uses HTA files and malicious PDFs delivered via WhatsApp to deploy a banking trojan in Brazil. The actors moved from PowerShell to a Python-based worm that propagates through WhatsApp Web, while an MSI/AutoIt installer and process-hollowing techniques load the trojan only on Portuguese (Brazil) systems. Trend Micro links the behavior to Casbaneiro-style features and notes possible use of code-translation or AI tools to port scripts. In parallel, a React Native Android strain named RelayNFC executes real-time NFC APDU relays to enable contactless payment fraud.

Tue, December 2, 2025

Google fixes two Android zero-days, 107 vulnerabilities

🔒 Google released its December 2025 Android security bulletin addressing 107 vulnerabilities, including two zero-days (CVE-2025-48633 and CVE-2025-48572) that are reported to be under limited targeted exploitation. The flaws affect Android 13–16 and include information-disclosure and privilege‑escalation issues; the most critical fix this month is CVE-2025-48631 (DoS). Updates also include critical kernel fixes for Qualcomm and closed‑source vendors, and Samsung has ported fixes. Users should apply updates, keep Play Protect active, or move to supported builds.

Tue, December 2, 2025

CISA Adds Two Android Vulnerabilities to KEV Catalog

⚠️ CISA added two Android Framework vulnerabilities to the KEV Catalog: CVE-2025-48572 (privilege escalation) and CVE-2025-48633 (information disclosure). Both issues show evidence of active exploitation and pose significant risk to the federal enterprise. Under BOD 22-01, FCEB agencies must remediate cataloged vulnerabilities by their due dates; CISA strongly urges all organizations to prioritize timely patching and other mitigations.

Tue, December 2, 2025

Google patches 107 Android zero-days and critical flaws

🔒 In its December Android Security Bulletin, Google disclosed 107 zero-day vulnerabilities affecting Android and AOSP-based systems, publishing fixes for 51 issues on December 1 and promising the remaining 56 on December 5. Among the patched flaws, two high-severity framework bugs (CVE-2025-48633 and CVE-2025-48572) may be under limited targeted exploitation and affect Android 13–16. The bulletin also lists a critical framework vulnerability (CVE-2025-48631) that can cause a remote denial-of-service without additional privileges. Patches for kernel and third-party components from vendors such as Arm, MediaTek, Qualcomm and others will follow.

Tue, December 2, 2025

Google Issues December Patch for 107 Android Flaws

🔒 Google released its December 2025 Android security update addressing 107 vulnerabilities across Framework, System, Kernel and components from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unison. Two high-severity Framework defects — CVE-2025-48633 (information disclosure) and CVE-2025-48572 (privilege elevation) — are reported as exploited in the wild. A separate critical Framework issue, CVE-2025-48631, could enable remote DoS without added privileges. Google published two patch levels, 2025-12-01 and 2025-12-05, and users should update promptly when vendors release device-specific builds.

Mon, December 1, 2025

Albiriox Android MaaS Targets 400+ Banking and Wallet Apps

📱 Cleafy researchers disclosed Albiriox, a new Android malware offered as a malware‑as‑a‑service that facilitates on‑device fraud, screen manipulation, and real‑time remote control. The family includes a hard‑coded list of over 400 banking, fintech, payment processor, exchange and wallet apps and is distributed via packed droppers and lookalike Google Play pages using social‑engineering lures. Infections often begin with German‑language SMS or fake PENNY app listings that deliver a dropper APK which requests installation permissions and then deploys the main payload. Albiriox uses an unencrypted TCP C2 and a VNC‑based remote module that abuses Android accessibility services to stream UI elements and bypass FLAG_SECURE, enabling overlays, credential harvesting, and hidden background fraud.

Tue, November 25, 2025

CISA: Active Spyware Campaigns Target Messaging Apps

🔐 CISA warns that threat actors are actively using commercial spyware and remote-access trojans to target users of mobile messaging apps, combining technical exploits with tailored social engineering to gain unauthorized access. Recent campaigns include abuse of Signal's linked-device feature, Android spyware families ProSpy, ToSpy and ClayRat, a chained iOS/WhatsApp exploit (CVE-2025-43300, CVE-2025-55177) targeting a small number of users, and a Samsung flaw (CVE-2025-21042) used to deliver LANDFALL. CISA urges high-value individuals and organizations to adopt layered defenses: E2EE, FIDO phishing-resistant MFA instead of SMS, password managers, device updates, platform hardening (Lockdown Mode, iCloud Private Relay, app-permission audits, Google Play Protect), and to prefer modern hardware from vendors with strong security records.

Mon, November 24, 2025

GhostAd: Hidden Google Play Adware Draining Devices

🔍 Check Point's Harmony Mobile Detection Team discovered a broad Android adware campaign on Google Play that operated as a persistent background advertising engine. Masquerading as benign utilities and emoji editors, the apps continued running after closure or reboot, quietly consuming battery and mobile data. The campaign, dubbed GhostAd, comprised at least 15 related apps, with five still available at discovery.

Fri, November 21, 2025

Google Adds AirDrop Compatibility to Quick Share on Pixel 10

📡 Google updated Quick Share to interoperate with Apple's AirDrop, enabling direct file transfers between Pixel 10 devices and iPhone, iPad, and macOS. Transfers require the Apple device to be discoverable to Everyone for 10 minutes, while Android users must set Quick Share visibility to Everyone or use Receive mode. Google said the implementation is built in memory-safe Rust, avoids routing data through servers, and was independently assessed and hardened after a low-severity information-disclosure issue was fixed.

Thu, November 20, 2025

Android Quick Share Interoperability with AirDrop Security

🔒 Google announced cross-platform file sharing between Android and iOS by making Quick Share interoperable with AirDrop, beginning with the Pixel 10 Family. The company emphasizes a "secure by design" approach that included threat modeling, internal security and privacy reviews, and in-house penetration testing. The interoperability layer is implemented in Rust to reduce memory-safety risks in parsing wireless data, and transfers are direct peer‑to‑peer without routing content through servers. Google also engaged third‑party testers and experts who validated the implementation and found no information leakage.

Thu, November 20, 2025

Sturnus Android Banking Trojan Targets Southern Europe

🛡️ ThreatFabric has detailed a new Android banking trojan named Sturnus that combines screen-capture, accessibility abuse, and overlays to steal credentials and enable full device takeover. The malware captures decrypted messages from WhatsApp, Telegram, and Signal by recording the device screen, serves region-specific fake banking login screens, and contacts operator servers via WebSocket/HTTP to receive encrypted payloads and enable remote VNC-style control. It resists cleanup by blocking uninstallation and leveraging administrator privileges.

Thu, November 20, 2025

Sturnus Android Trojan Steals Messages and Controls Devices

🔒 Sturnus is a new Android banking trojan discovered by ThreatFabric that can capture decrypted messages from end-to-end encrypted apps like Signal, WhatsApp, and Telegram. It abuses Accessibility services and on-screen capture to read message content and deploys HTML overlays to harvest banking credentials. The malware also supports real-time, AES-encrypted VNC remote control and obtains Android Device Administrator privileges to resist removal while targeting European financial customers with region-specific overlays.
