<ciso brief />

All news with #mobile security tag

194 articles · page 2 of 10

Chinese App Store Infiltrated by Crypto Wallet Scams

⚠️ A cluster of 26 malicious apps on Apple's China App Store impersonated popular crypto wallets such as MetaMask, Coinbase, Trust Wallet, and OneKey to harvest recovery seed phrases and drain funds. The apps used typosquatting and fake branding, and were disguised as games or calculators to bypass local restrictions. They redirected victims to phishing pages that pushed trojanized wallets via abused iOS provisioning profiles; those trojans intercept mnemonics, encrypt them, and exfiltrate them. Kaspersky links the campaign, dubbed FakeWallet, to the ongoing SparkKitty operation, and Apple has removed the apps following disclosure.

Mass iOS Exploits DarkSword and Coruna Threaten Users

🔒 DarkSword and Coruna are two newly discovered, zero-click spyware families actively abused in the wild to compromise iPhones and iPads without user interaction. DarkSword targets iOS 18 with a six‑vulnerability chain and runs filelessly in RAM, while Coruna exploits older releases (iOS 13–17.2.1) via numerous WebKit flaws. Both harvest passwords, messages, photos, browser history and crypto‑wallet secrets; researchers report several thousand infections and advise immediate OS updates and mitigations.

Google updates Play policies to tighten contacts, location

🔒 Google announced Play policy updates to restrict contact and location permissions and to strengthen app ownership protections, while reporting it blocked or removed over 8.3 billion ads and suspended 24.9 million accounts in 2025. The update introduces a standardized Contact Picker and a one‑time precise location button in Android 17, and urges developers to remove broad READ_CONTACTS usage. Google also added a native account transfer feature and said its Gemini AI is detecting and preemptively blocking malvertising at scale.

Google Adds Rust DNS Parser to Pixel Modem Firmware

🛡️ Google has integrated a Rust-based DNS parser into the modem firmware for Pixel 10, marking the first Pixel modem component written in a memory-safe language. The change aims to eliminate a broad class of memory-safety bugs in DNS handling, using the hickory-proto crate adapted for embedded use and a custom cargo-gnaw tool to manage dependencies. The Rust implementation exposes a C API and dispatches existing C functions to update in‑memory structures.

Mirax Android RAT Turns Devices into SOCKS5 Proxies

📱 Mirax is a newly observed Android Remote Access Trojan distributed via Meta advertisements that reached over 220,000 accounts, primarily in Spanish-speaking countries. According to Cleafy, Mirax pairs conventional RAT capabilities—keystroke capture, overlays, camera and SMS access—with an embedded SOCKS5 residential proxy implemented over Yamux to route attacker traffic through victim IPs. The threat uses GitHub-hosted droppers, selectable crypters (Virbox, Golden Crypt), and multi-stage installation flows that request accessibility permissions to persist and evade analysis. Researchers note the platform is offered as a selective MaaS to vetted affiliates, increasing its operational and monetization potential.

Mirax Android Trojan Turns Devices into Proxy Nodes

📱 A newly identified Android banking trojan called Mirax is spreading across Europe, combining remote-access features with residential proxy capabilities to expand its criminal utility. Researchers at Cleafy report campaigns reached more than 200,000 accounts by leveraging social media advertisements and fake streaming apps. Mirax runs as a restricted Malware-as-a-Service (MaaS), enabling real-time device control, dynamic overlay injection for credential theft, continuous keylogging, and the conversion of infected phones into proxy nodes to help bypass fraud controls.

Bringing Rust to Pixel Baseband for Safer DNS Parsing

🛡️ Google’s Pixel team integrated a memory-safe Rust DNS parser into the cellular baseband on Pixel 10 to reduce a class of memory-safety vulnerabilities in a high-risk component. The project adapts the community hickory-proto crate for no_std, adds FFI shims, and builds Rust into the modem firmware via the existing GN/Pigweed build. The team prioritized community support and correctness over aggressive size optimization, reporting a combined code cost of ~371 KB and leaving size pruning to future work.

EngageLab SDK Flaw Exposed Millions of Android Users

🔒 Microsoft Defender disclosed a patched vulnerability in the EngageLab SDK that could allow co‑located apps on an Android device to bypass the system sandbox and access private app data. The issue, introduced in version 4.5.4 and characterized as an intent redirection vulnerability, affected many cryptocurrency and wallet apps—wallet installations exceeded 30 million and total installs topped 50 million. EngageLab released version 5.2.1 in November 2025 after a responsible disclosure in April 2025; detected vulnerable apps were removed from Google Play and developers are urged to update immediately.

Intent Redirection in EngageSDK Exposes Android Wallets

🔒 Microsoft Defender Security Research Team discovered a critical intent redirection vulnerability in the third‑party EngageSDK that allowed co‑installed apps to abuse a merged, exported activity and act with the victim app's identity and permissions. The flaw, present in a post‑build merged manifest entry (MTCommonActivity) and tied to parseUri(URI_ALLOW_UNSAFE) and grant flags, could yield persistent read/write access to content providers. Microsoft coordinated with EngageLab and the Android Security Team; EngageLab released EngageSDK v5.2.1 on 2025‑11‑03 to set the activity non‑exported, affected apps were removed from Google Play, and Android platform protections were updated. Developers should upgrade and inspect merged manifests for unexpected exported components.

New SparkCat Malware Variant Targets iOS and Android

🛡️ Security researchers have discovered an updated SparkCat trojan on both the Apple App Store and Google Play Store, hiding inside seemingly benign apps such as enterprise messengers and food delivery services. Kaspersky said it found two infected iOS apps and one Android app that primarily target cryptocurrency users in Asia. The iOS variant scans photo galleries for English wallet mnemonic phrases, while the Android version employs code virtualization, cross-platform languages and regional keyword scanning for Japanese, Korean and Chinese. Both samples use an OCR module to exfiltrate images containing recovery phrases to attacker-controlled servers, underscoring a rapidly evolving threat.

WhatsApp Alerts 200 Users After Fake iOS App Spyware

⚠️ Meta-owned WhatsApp said it alerted about 200 users, largely in Italy, who were fooled into installing a counterfeit iOS app infected with spyware. The company logged affected accounts out, advised victims to uninstall the malicious app and reinstall the official WhatsApp client, and said it is taking action against Italian firm Asigint, an alleged SIO subsidiary. The alert follows earlier campaigns targeting users with Graphite and chained zero-day exploits in 2025, highlighting persistent misuse of surveillance tools in Europe.

Apple Expands iOS 18.7.7 Availability to More Devices

🔒 Apple expanded iOS 18.7.7 and iPadOS 18.7.7 availability on April 1, 2026, to protect a broader range of devices from the web-based exploit kit DarkSword. The release now covers many iPhone models from XR through the 16 series and multiple iPad mini, Air and Pro configurations, including devices capable of running iOS 26 but still on older releases. The backported fixes let users with Automatic Updates receive protections without upgrading to iOS 26; users without auto-update can choose the patched iOS 18 build or move to iOS 26. Apple also began issuing Lock Screen alerts to urge installations of the security patches.

Apple Widens iOS 18 Patch Support to Block DarkSword

🔒 Apple has expanded availability of iOS 18.7.7 to a broader set of iPhones and iPads to ensure devices remaining on iOS 18 receive protections against the actively exploited DarkSword exploit kit. The update delivers fixes for multiple vulnerabilities first mitigated in 2025 and addresses additional CVEs disclosed through 2026. Users with Automatic Updates enabled on eligible devices will receive these protections automatically. Researchers observed deployment of information-stealing and backdoor malware families including GhostBlade, GhostKnife, and GhostSaber in attacks exploiting these flaws.

NoVoice Android Malware on Google Play Infects Millions

📱 Researchers at McAfee uncovered NoVoice, an Android rootkit hidden in more than 50 Google Play apps that were downloaded at least 2.3 million times. The apps requested no suspicious permissions and used steganography to hide an encrypted APK payload that exploits historically patched kernel and driver vulnerabilities to gain root. Once rooted, the implant replaces system libraries, disables SELinux, and installs persistent recovery scripts and a watchdog so the rootkit survives factory resets. McAfee reported the apps and Google removed them, but previously infected devices should be considered compromised.

Google rolls out Android developer verification plan

🔒 Google has begun rolling out a new Android developer verification system designed to reduce malicious apps and strengthen platform security. The scheme requires developers to verify their identities and register apps, notably when distributing software outside Google Play; eligible Play apps will be auto-registered. Unregistered apps may later require an advanced sideloading flow or ADB, while Google stages enforcement from April 2026 and expands globally after 2027.

FBI Advises Caution Using Chinese Mobile Apps Over Privacy

🔒 The FBI has issued a public service announcement warning Americans about privacy and data-security risks posed by foreign-developed mobile applications, particularly those maintained by Chinese companies. The bureau says some apps may collect extensive personal data — even when only active — and may store information on servers in China or require consent to share data. The FBI recommends disabling unnecessary sharing, updating device software, and installing apps only from official app stores.

Android Developer Verification Rolls Out Ahead of Mandate

🔒 Google has begun rolling out Android developer verification, requiring developers who distribute apps outside Google Play to create an account in the Android Developer Console to confirm their identity. The rollout precedes a September enforcement in Brazil, Indonesia, Singapore, and Thailand, with global expansion planned next year. Sideloading of unregistered APKs remains possible for power users via an advanced flow that includes an authentication step and a one-off 24-hour waiting period to deter scammers.

Apple's Camera Indicator Lights: Design and Security

🔒 Apple has implemented a camera-indicator approach that carefully blends hardware and system design to ensure users are alerted when the camera is active. While a dedicated LED appears inherently more tamper-resistant than an on-screen widget, Apple addresses overlay and spoofing concerns through integrated hardware–software controls and system-level protections. The result is a thoughtfully engineered notification mechanism that substantially reduces the risk of unnoticed camera use.

TA446 Uses Leaked DarkSword iOS Exploit in Email Campaign

🔒 Proofpoint disclosed a targeted email campaign by Russia-linked TA446 that leverages the leaked DarkSword iOS exploit kit to target iPhones. The group used spoofed "discussion invitation" messages impersonating the Atlantic Council to deliver the GHOSTBLADE dataminer and, in some instances, the MAYBEROBOT backdoor via password-protected ZIPs. Proofpoint noted sharply increased message volume and server-side filtering that routes only iPhone browsers to the exploit chain. Apple has issued lock-screen warnings urging immediate updates to block the threat.

WhatsApp adds AI tools, iOS multi-account and transfers

🤖 WhatsApp is rolling out several usability and AI-driven features, including a Writing Help reply assistant that uses Private Processing, and photo touch-up powered by Meta AI. The update also enables two accounts on iOS, a chat history transfer from iOS to Android, and a utility to locate and remove large media. Meta has also expanded anti-scam protections and introduced parent-managed accounts and a lockdown security mode for high-risk users.