< ciso
brief />
Tag Banner

All news with #mobile security tag

205 articles

Study: 282 iOS Apps Expose LLM API Keys in Traffic

🔍 Researchers tested 444 iPhone AI chatbot apps and found 282 leaking paid AI access via network traffic, often as plaintext keys, reusable tokens, or unsecured backend relays. The team used a tool called LLMKeyLens to capture credentials without jailbreaking. Only 28% of affected apps were fixed after three months; many tokens remained valid and susceptible to costly misuse.
read more →

WhatsApp introduces usernames to protect phone numbers

🔒 WhatsApp is introducing reserved usernames so users can hide their phone numbers from people who are not in their contacts. The company says reservations are open now and the feature will roll out globally later this year, with an optional username key that others must know to message you for the first time. Users can change or delete reserved usernames, while certain names are reserved for governments, public figures, and businesses.
read more →

Google enforces developer verification on Android

🔒 Google will begin enforcing Android developer verification on September 30, 2026, in Brazil, Indonesia, Singapore, and Thailand. Certified devices from major OEMs will block normal installs of apps whose developers have not registered an identity with Google, affecting sideloaded and independent apps most. The Android Developer Verifier service rolls out to phones running Android 8+ starting June, with APIs and limited-distribution accounts arriving mid-year.
read more →

Rokarolla Android trojan targets 217 financial apps

🛡️ A new Android banking trojan called Rokarolla targets 217 banking and cryptocurrency apps and supports 137 commands. Distributed via malicious sites posing as Chrome or TikTok installers, it requests Accessibility and other sensitive permissions to gain near-complete control of infected devices. Researchers at Zimperium report it harvests SMS, contacts, keystrokes, screenshots, and lock-screen credentials while displaying phishing overlays and disabling protections like Google Play Protect.
read more →

UK to require ID or face scan for new social accounts

🔒 The UK will ban under-16s from social media and require age checks for new accounts, likely via ID upload or facial age scans, with regulations due before Christmas and rules effective spring 2027. Longstanding accounts are largely grandfathered, but new account creation will typically need verification. Experts warn checks are easy to circumvent, risk exposing ID/biometric data, and were pushed through with limited scrutiny. The government cites parental support and aims to restrict high-risk features and certain AI chatbot functions.
read more →

Rokarolla Android trojan isolates victims from banks

🔒 Researchers have detailed Rokarolla, an Android banking trojan that not only steals credentials but effectively seizes control of phones to isolate victims from banks. The malware spreads via fake sites posing as TikTok or Chrome and uses a dropper impersonating Google Play Protect to install a second-stage payload. Rokarolla abuses Android Accessibility Services, makes itself the default call and SMS handler, hides its icon, mutes alerts and captures screenshots and overlays fake login screens to harvest bank and crypto credentials.
read more →

NFCShare Android malware spreads via fake app updates

🛡️ New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub, targeting customers across Europe. The campaign tricks victims into performing an NFC ‘verification’ that captures card data and a 4-digit PIN via Android’s IsoDep interface, then exfiltrates it to a C2 server over WebSocket. D3Lab, which first documented NFCShare in January 2026, notes the malware uses malformed APK packaging to hinder automated analysis and that repositories have hosted dozens of spoofed banking APKs for Italian and Spanish banks.
read more →

Asin Android spyware targets Arabic-speaking users

🛡️ ESET has identified a new Android spyware family named Asin that targets Arabic-speaking users through multiple campaigns observed since early 2025. The malware was distributed via fake websites impersonating a government news source, a PDF editor, and a live war map, and was promoted on social platforms like Facebook and Telegram. Infections require manual APK installation and permission grants, with samples found on devices in Türkiye and on Xiaomi devices running Android 15. Attribution and precise objectives remain unknown, though journalists and OSINT researchers are likely targets.
read more →

Google adds Android protection against AI call scams

📱 Google is rolling out a new fake call detection feature for Android 12+ devices, starting with Pixel phones and enabled by default. When both parties use Phone by Google and RCS-enabled Messages, the caller's device sends a silent encrypted confirmation to the recipient; if absent, the recipient's device pings the contact's phone to verify authenticity and shows a warning if the contact denies making the call. The feature aims to counter AI voice-cloning and number-spoofing scams.
read more →

Frontier X2 BLE Authentication Vulnerability Alert

🔒 The Frontier X2 wearable and its companion Frontier X mobile app are affected by a vulnerability allowing unauthenticated BLE read/write access to critical GATT characteristics, enabling attackers in range to control device functions and inject fabricated health telemetry. Fourth Frontier is developing a fix; users should contact the vendor for assistance and connect the device to only one app at a time. CISA recommends isolating control networks, minimizing exposure, using secure remote access, and following ICS defensive best practices to reduce exploitation risk.
read more →

BTMOB Android RAT: No-Code Builder Spreads Globally

🛡️ ESET researchers identified a no-code Android remote access trojan (RAT) named BTMOB that is distributed via phishing campaigns and fake app stores. The malware includes an APK builder so buyers can produce customized payloads quickly and retool lures for different countries without coding. BTMOB abuses Android Accessibility Services to escalate permissions and enable data theft, screenshots, activity recording and full remote control. Sold as a malware-as-a-service offering with relatively low pricing, it lowers the barrier for criminals and allows rapid variant turnover.
read more →

Android Malware Signs Victims Up to Carrier Billing

📱 Zimperium's zLabs uncovered a 10-month Android malware campaign that used nearly 250 fake apps to enroll victims in premium carrier billing services across Malaysia, Thailand, Romania and Croatia. The operation, running from March 2025 to January 2026, included three variants that ranged from cookie- and SMS-harvesting to a fully automated subscription flow against DiGi. The most advanced variant abused Google's SMS Retriever API, forced traffic onto cellular, loaded hidden carrier billing pages and intercepted one‑time passwords. Users are advised to avoid sideloading apps, verify installed apps and review mobile bills for unexplained charges.
read more →

Agentic AI Drives Surge in Mobile App Cyberattacks

📈 Digital.ai's 2026 Application Security Threat Report found that 87% of monitored customer-facing apps were attacked in 2026, up sharply from 55% in 2022. The firm says agentic AI has lowered the skill and time required for threat actors to inspect code, generate exploits and adapt malware. Financial services, automotive and medical device apps were most targeted, and iOS attacks have nearly closed the gap with Android.
read more →

Google Adds Intrusion Logging to Android Advanced Protection

🔐 Google has added Android Intrusion Logging, released on May 12 as part of Android Advanced Protection Mode, to help investigate spyware on Android devices. The opt-in feature logs device and network activity and was developed with Amnesty International’s Security Lab and Reporters Without Borders. Logs are encrypted with a user-generated key and can only be shared by the device owner for forensic analysis.
read more →

Android adds Intrusion Logging for forensic analysis

🔐 Intrusion Logging is an opt-in feature in Android's Advanced Protection Mode that records daily device and network activity to support forensic investigations. Developed with Amnesty International and Reporters Without Borders, it captures app launches, installs, network connections, USB file transfers, certificate changes, and lock/unlock events. Logs are end-to-end encrypted on the device, stored on Google servers for 12 months, and cannot be deleted early; users may download decrypted logs for external review but remain responsible for their security.
read more →

Android 17 Expands Banking Call and Theft Protections

🔒Android 17, rolling out next month, expands security and privacy features to combat device theft, enhance threat detection, and block banking scam calls. The OS will work with banking apps to verify caller authenticity via app-level queries and bank-provided number lists, and will automatically terminate suspected scam calls. Initial partners include Revolut, Itaú Unibanco, and Nubank, and Google plans support back to Android 11. The release also broadens Live Threat Detection, strengthens Advanced Protection, and adds biometric Mark as lost locking and other anti-theft measures.
read more →

Apple Enables Default E2EE for RCS in iOS 26.5 Beta

🔐 Apple released iOS 26.5, adding beta support to enable end-to-end encryption for RCS messages across iPhone and Android devices when used with supported carriers and the latest Google Messages. The feature is enabled by default for new and existing conversations and displays a lock icon to indicate encryption. Apple and GSMA say this is part of a cross‑industry effort to modernize SMS. The update also patches over 50 vulnerabilities in iOS and iPadOS.
read more →

Fake Call History Apps Scammed Millions via Subscriptions

🔍 Cybersecurity researchers uncovered 28 fraudulent Android apps on the official Google Play Store that claimed to show call, SMS and WhatsApp histories for any number but instead pushed paid subscriptions that delivered fabricated, hard‑coded data. The apps, labeled CallPhantom by ESET, amassed over 7.3 million downloads—one exceeded 3 million—primarily targeting users in India and the Asia‑Pacific region before removal. Payments were processed via Google Play billing, UPI apps (including Google Pay, PhonePe and Paytm), or in‑app card forms, limiting refund options for non‑Play transactions. The apps requested few permissions, used simple UIs and even displayed deceptive notifications to coerce payments.
read more →

DarkSword: iOS Full-Chain Exploit Compromising Devices

🚨 DarkSword is a newly identified iOS full-chain exploit that chained multiple zero-day vulnerabilities to achieve full device compromise. Google Threat Intelligence Group (GTIG) links the chain to commercial surveillance vendors and suspected state-sponsored operators active since at least November 2025, with observed targeting in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit supports iOS 18.4–18.7 and installs one of three final-stage payload families—GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER. A version leaked online a week after discovery; ensure devices are patched promptly.
read more →

ScarCruft Supply-Chain Delivers BirdCall to Android, Windows

⚠️ ESET reports that the North Korea‑aligned threat group ScarCruft compromised the sqgame[.]net gaming platform in a targeted supply‑chain operation to deploy the BirdCall backdoor to Android and Windows users. The compromise, active since late 2024, trojanized Android APKs for two games and delivered a malicious Windows update DLL that used RokRAT as a loader. BirdCall — an evolution of RokRAT — harvests contacts, SMS, call logs, media, screenshots, keystrokes and ambient audio, and leverages legitimate cloud services for command‑and‑control.
read more →