< ciso brief />

All news with #mobile security tag

194 articles

Android Malware Signs Victims Up to Carrier Billing

📱 Zimperium's zLabs uncovered a 10-month Android malware campaign that used nearly 250 fake apps to enroll victims in premium carrier billing services across Malaysia, Thailand, Romania and Croatia. The operation, running from March 2025 to January 2026, included three variants, ranging from cookie and SMS harvesting to a fully automated subscription flow against the carrier DiGi. The most advanced variant abused Google's SMS Retriever API to read incoming verification messages without holding SMS permissions, forced traffic onto the cellular interface so the carrier could identify the subscriber, loaded the carrier billing pages out of the user's sight and intercepted the one-time passwords that confirm a subscription. Users are advised to avoid sideloading apps, verify installed apps and review mobile bills for unexplained charges.

Agentic AI Drives Surge in Mobile App Cyberattacks

📈 Digital.ai's 2026 Application Security Threat Report found that 87% of monitored customer-facing apps were attacked in 2026, up sharply from 55% in 2022. The firm says agentic AI has lowered the skill and time required for threat actors to inspect code, generate exploits and adapt malware. Financial services, automotive and medical device apps were most targeted, and iOS attacks have nearly closed the gap with Android.

Google Adds Intrusion Logging to Android Advanced Protection

🔐 Google released Android Intrusion Logging on May 12 as part of Android's Advanced Protection Mode, to help investigate suspected spyware infections on Android devices. The opt-in feature records device and network activity and was developed with Amnesty International's Security Lab and Reporters Without Borders. Logs are encrypted with a user-generated key, so only the device owner can decrypt them and choose to share them for forensic analysis.

Android adds Intrusion Logging for forensic analysis

🔐 Intrusion Logging is an opt-in feature in Android's Advanced Protection Mode that records daily device and network activity to support forensic investigations. Developed with Amnesty International and Reporters Without Borders, it captures app launches, installs, network connections, USB file transfers, certificate changes, and lock/unlock events. Logs are end-to-end encrypted on the device, stored on Google's servers for 12 months and cannot be deleted early, which stops an intruder with access to the phone from erasing evidence; users may download decrypted logs for external review but are then responsible for protecting them.

Android 17 Expands Banking Call and Theft Protections

🔒 Android 17, rolling out next month, expands security and privacy features to combat device theft, improve threat detection and block banking scam calls. The OS will let banking apps verify whether an incoming caller really belongs to the bank, using app-level queries and bank-supplied number lists, and will automatically terminate calls it judges to be scams. Initial partners include Revolut, Itaú Unibanco and Nubank, and Google plans to bring the feature to devices back to Android 11. The release also broadens Live Threat Detection, strengthens Advanced Protection and adds a biometrics-protected Mark as Lost lock among other anti-theft measures.

Apple Enables Default E2EE for RCS in iOS 26.5 Beta

🔐 Apple released iOS 26.5, which adds beta support for end-to-end encryption of RCS messages between iPhones and Android devices when both sides use a supporting carrier and the latest Google Messages. The feature is enabled by default for new and existing conversations, and a lock icon indicates that a conversation is encrypted. Apple and the GSMA describe it as part of a cross-industry effort to modernize SMS. The update also patches over 50 vulnerabilities in iOS and iPadOS.

Fake Call History Apps Scammed Millions via Subscriptions

🔍 Cybersecurity researchers uncovered 28 fraudulent Android apps on the official Google Play Store that claimed to show call, SMS and WhatsApp histories for any number but instead pushed paid subscriptions that delivered fabricated, hard‑coded data. The apps, labeled CallPhantom by ESET, amassed over 7.3 million downloads—one exceeded 3 million—primarily targeting users in India and the Asia‑Pacific region before removal. Payments were processed via Google Play billing, UPI apps (including Google Pay, PhonePe and Paytm), or in‑app card forms, limiting refund options for non‑Play transactions. The apps requested few permissions, used simple UIs and even displayed deceptive notifications to coerce payments.

DarkSword: iOS Full-Chain Exploit Compromising Devices

🚨 DarkSword is a newly identified iOS full-chain exploit that chains multiple zero-day vulnerabilities to fully compromise a device. Google Threat Intelligence Group (GTIG) links the chain to commercial surveillance vendors and suspected state-sponsored operators active since at least November 2025, with observed targeting in Saudi Arabia, Turkey, Malaysia and Ukraine. The chain targets iOS 18.4 through 18.7 and installs one of three final-stage payload families: GHOSTBLADE, GHOSTKNIFE or GHOSTSABER. A copy leaked online a week after discovery, so devices should be updated promptly.

ScarCruft Supply-Chain Delivers BirdCall to Android, Windows

⚠️ ESET reports that the North Korea-aligned group ScarCruft compromised the sqgame[.]net gaming platform in a targeted supply-chain operation to deliver the BirdCall backdoor to Android and Windows users. The compromise, active since late 2024, trojanized the Android APKs of two games and delivered a malicious Windows update DLL in which RokRAT served as the loader. BirdCall, an evolution of RokRAT, harvests contacts, SMS, call logs, media, screenshots, keystrokes and ambient audio, and uses legitimate cloud services for command-and-control.

ScarCruft Delivers BirdCall Android Spyware via Game Site

📱 ESET researchers report that North Korean-linked APT37 (ScarCruft) developed an Android variant of the BirdCall backdoor and distributed it through trojanized APKs on the sqgame.net game platform. The Android implant, first seen around October 2024 and produced in at least seven variants, collects contacts, call logs, SMS, device identifiers, location and system metrics, takes periodic screenshots, records audio during evening hours, and exfiltrates targeted files to a C2. The campaign focused on users in the Yanbian region and underscores ScarCruft’s continued use of supply-chain tactics; users are advised to download apps only from official marketplaces and trusted publishers.

Telegram Mini Apps Abused for Crypto Scams, Malware

⚠️ Researchers uncovered a large-scale fraud operation leveraging Telegram Mini Apps to run crypto scams and distribute Android malware. The infrastructure, identified by the FEMITBOT API string, uses Telegram bots to launch embedded Mini Apps that present phishing pages inside the app's WebView and impersonate well-known brands. Campaigns display fake dashboards, countdowns, and withdrawal prompts that demand deposits or referrals, and some prompt users to download APKs hosted on the same domains to avoid mixed-content warnings; Android users should not sideload APKs and should be cautious with bots asking for funds or app installs.

How Vehicles Become Tools for Law Enforcement Surveillance

📡 Modern cars are mobile computers that log and transmit extensive telemetry to manufacturers and third parties. Law enforcement increasingly uses Car Intelligence (CARINT) tools and vendor products such as Ateros, Berla and Toka to extract GPS histories, call logs, paired-device lists and driving statistics, sometimes without a warrant. Even tire-pressure monitoring sensors (TPMS), which broadcast their unique IDs unencrypted, allow low-cost tracking. Recommended mitigations include not pairing or syncing a phone with the car, clearing head-unit data, disabling voice commands and minimizing use of manufacturer apps.

Phishing Crypto-Wallet Clones on iOS and macOS Platforms

🔒 Kaspersky researchers discovered a campaign that placed 26 fake crypto-wallet apps in the Chinese App Store, impersonating popular wallets and using benign features to pass review. The malicious apps direct users to phishing pages that prompt installation of a provisioning profile, enabling sideloaded, trojanized wallet builds that request seed phrases. On macOS, infostealers like MacSync use ClickFix lures and can patch legitimate wallet apps to display fake recovery dialogs. The report includes concrete mitigation steps to protect seed phrases and devices.

FBI Recovers Deleted Signal Messages from iPhone DB

🔐 The FBI reportedly extracted copies of incoming Signal messages from an iPhone's internal push notification database after the app itself had been deleted. The extraction took place in a criminal case in which physical access to the phone let forensic tools recover the notification previews iOS had stored. The case underscores the privacy risk of message previews: disable notification previews in Signal or in the device settings so that message content is not written into notification storage in the first place.

Apple fixes iOS bug that retained deleted notifications

🔒 Apple released patches for iOS and iPadOS to fix a logging flaw in Notification Services that could retain notifications that had been marked for deletion. Tracked as CVE-2026-28950, the issue was addressed by improving data redaction so that deleted alerts are no longer preserved. The fix ships in iOS 26.4.2 and iPadOS 26.4.2, and in iOS 18.7.8 and iPadOS 18.7.8 for devices that remain on the 18 branch. The update follows reporting that copies of Signal messages were forensically extracted from push notification storage.

Trojanized NFC Relay App Used to Steal Card Data in Brazil

💳 Cybercriminals have trojanized an Android NFC relay app to capture contactless payment card data and PINs, which are relayed to attacker-controlled devices for fraudulent payments and remote ATM cash-outs. ESET researchers report that a new NGate malware variant was injected into the HandyPay app and distributed through a fake lottery site and a spoofed Google Play page, targeting Android users in Brazil since November 2025. Traces in the injected code, including emoji markers in debug logs, led the researchers to suspect that generative AI was used to produce it, and ESET has published indicators and a MITRE ATT&CK mapping to aid detection.

Trojanized Android App Enables New NFC Payment Fraud

📱 ESET has identified a new NGate variant that uses a trojanized version of the legitimate HandyPay NFC relay app to harvest payment card data and PINs. Distributed since November 2025 and focused on Brazil, the malicious app relays tapped NFC data to attacker-controlled devices to enable contactless fraud and ATM withdrawals. Because it registers as the device's default payment app (Android's host card emulation role), it needs little beyond the NFC permission, which helps it avoid suspicion.

Zero Motorcycles Bluetooth Pairing Vulnerability Reported

🔒 Zero Motorcycles firmware versions 44 and earlier contain a Bluetooth pairing flaw (CVE-2026-1354) that can allow an attacker to forcibly pair with a motorcycle while it is in pairing mode. Once paired and in proximity, an attacker could use over-the-air firmware update capability to upload malicious firmware. The motorcycle must remain paired and within range for the entire update. Zero recommends secure pairing practices, physical key security, and plans a firmware update in May 2026; users should install updates when available.

NGate Android Campaign Trojans HandyPay to Steal NFC

🔒 ESET researchers uncovered an NGate Android campaign that trojanized the HandyPay NFC relay app to steal contactless card data and capture PINs for fraudulent ATM withdrawals. The poisoned app, spread via fake Rio de Prêmios sites and a deceptive Play Store listing, asks to be set as the default payment app and prompts users to enter their card PIN before tapping their card. Artifacts including emoji-laden debug messages suggest that parts of the injected code were generated or modified with a large language model.

New NGate Variant Trojans HandyPay to Steal NFC Data

🔒 ESET researchers discovered a new NGate malware variant that trojanized the legitimate HandyPay Android NFC-relay app, with injected code displaying artifacts consistent with GenAI-assisted development. The patched app silently forwards NFC payment card data and captures payment card PINs, exfiltrating them to attacker-controlled C&C infrastructure to enable contactless ATM cash-outs and unauthorized payments. Distribution targeted Android users in Brazil since November 2025 via a fake Rio de Prêmios lottery site and a counterfeit Google Play page; both samples were served from the same domain, indicating a single operator. ESET notified Google and the HandyPay developer; known samples are detected by Google Play Protect and ESET.
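The four NGate entries above describe one mechanism: the trojanized app, acting as the phone's default payment app, forwards whatever a reader sends to a card that is physically somewhere else, and the card's answers travel back the same way. The Python below is an added example for this digest, not code from ESET, HandyPay or the malware samples. It simulates that relay against a stub card and shows why terminals measure round-trip time, the basis of EMV relay-resistance checks: a relayed tap pays the network hop in both directions. The card's FCI bytes, the link delays and the 50 ms budget are constructed assumptions, and only short-form APDUs are handled.

```python
"""Simulated contactless APDU relay with a round-trip-time check.

Added example; not code from ESET, HandyPay or NGate. The stub card, the
link delays and the 50 ms threshold are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional

PPSE = b"2PAY.SYS.DDF01"        # DF name of the contactless PPSE (ISO 7816 SELECT by name)
SW_OK = b"\x90\x00"
SW_FILE_NOT_FOUND = b"\x6a\x82"


@dataclass(frozen=True)
class CommandApdu:
    """Short-form ISO 7816-4 command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None

    @classmethod
    def parse(cls, raw: bytes) -> "CommandApdu":
        if len(raw) < 4:
            raise ValueError("APDU header needs 4 bytes")
        cla, ins, p1, p2 = raw[:4]
        body = raw[4:]
        if not body:                       # case 1: no data, no Le
            return cls(cla, ins, p1, p2)
        if len(body) == 1:                 # case 2: Le only
            return cls(cla, ins, p1, p2, le=body[0])
        lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
        if len(data) != lc or len(rest) > 1:
            raise ValueError("Lc/Le do not match the APDU length")
        return cls(cla, ins, p1, p2, data, rest[0] if rest else None)


def build_select(df_name: bytes) -> bytes:
    """SELECT by DF name: 00 A4 04 00 Lc <name> Le=00."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(df_name)]) + df_name + b"\x00"


class Clock:
    """Deterministic simulated clock so the timings below are reproducible."""
    def __init__(self) -> None:
        self.t = 0.0

    def advance(self, seconds: float) -> None:
        self.t += seconds


class StubCard:
    """Stand-in for the victim's card: answers SELECT PPSE, rejects the rest."""
    def __init__(self, clock: Clock, processing_s: float = 0.005) -> None:
        self.clock, self.processing_s = clock, processing_s

    def transmit(self, raw: bytes) -> bytes:
        self.clock.advance(self.processing_s)
        cmd = CommandApdu.parse(raw)
        if (cmd.ins, cmd.p1) == (0xA4, 0x04) and cmd.data == PPSE:
            fci = b"\x6f\x10\x84\x0e" + PPSE   # constructed FCI template (6F) carrying the DF name (84)
            return fci + SW_OK
        return SW_FILE_NOT_FOUND


class Relay:
    """Attacker side: the phone at the ATM forwards each APDU over a network
    link to the phone touching the victim's card and returns the answer.
    The card sees nothing unusual; only the latency changes."""
    def __init__(self, remote, clock: Clock, link_delay_s: float = 0.150) -> None:
        self.remote, self.clock, self.link_delay_s = remote, clock, link_delay_s
        self.captured = []                     # raw APDUs the operator now holds

    def transmit(self, raw: bytes) -> bytes:
        self.captured.append(raw)
        self.clock.advance(self.link_delay_s)  # reader -> remote card
        response = self.remote.transmit(raw)
        self.clock.advance(self.link_delay_s)  # remote card -> reader
        return response


class Terminal:
    """ATM/POS side. Times the first SELECT: a card on the field answers in a
    few milliseconds, a relayed one carries the network hop twice. The 50 ms
    budget is an assumption for the demo, not a value from any EMV spec."""
    def __init__(self, clock: Clock, max_rtt_s: float = 0.050) -> None:
        self.clock, self.max_rtt_s = clock, max_rtt_s

    def run(self, card) -> dict:
        t0 = self.clock.t
        response = card.transmit(build_select(PPSE))
        rtt = self.clock.t - t0
        sw = response[-2:]
        relayed = rtt > self.max_rtt_s
        return {"sw": sw.hex(), "rtt_ms": round(rtt * 1000, 1),
                "relay_suspected": relayed, "accepted": sw == SW_OK and not relayed}


def run_demo() -> dict:
    """Same card tapped directly and through a relay; returns both verdicts."""
    clock = Clock()
    card = StubCard(clock)
    direct = Terminal(clock).run(card)
    relay = Relay(card, clock)
    relayed = Terminal(clock).run(relay)
    return {"direct": direct, "relayed": relayed, "captured_apdus": len(relay.captured)}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

The direct tap is accepted at 5 ms; the relayed tap returns the same 9000 status but at 305 ms and is rejected, and the relay has logged the raw APDU it forwarded. Production terminals apply this idea through a dedicated EMV relay-resistance command with tighter, card-specific limits rather than timing the SELECT alone, which is why the countermeasure lives in the payment network and not in the phone.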