< ciso
brief />
Tag Banner

All news with #mobile security tag

205 articles · page 2 of 11

ScarCruft Delivers BirdCall Android Spyware via Game Site

📱 ESET researchers report that North Korean-linked APT37 (ScarCruft) developed an Android variant of the BirdCall backdoor and distributed it through trojanized APKs on the sqgame.net game platform. The Android implant, first seen around October 2024 and produced in at least seven variants, collects contacts, call logs, SMS, device identifiers, location and system metrics, takes periodic screenshots, records audio during evening hours, and exfiltrates targeted files to a C2. The campaign focused on users in the Yanbian region and underscores ScarCruft’s continued use of supply-chain tactics; users are advised to download apps only from official marketplaces and trusted publishers.
read more →

Telegram Mini Apps Abused for Crypto Scams, Malware

⚠️ Researchers uncovered a large-scale fraud operation leveraging Telegram Mini Apps to run crypto scams and distribute Android malware. The infrastructure, identified by the FEMITBOT API string, uses Telegram bots to launch embedded Mini Apps that present phishing pages inside the app's WebView and impersonate well-known brands. Campaigns display fake dashboards, countdowns, and withdrawal prompts that demand deposits or referrals, and some prompt users to download APKs hosted on the same domains to avoid mixed-content warnings; Android users should not sideload APKs and should be cautious with bots asking for funds or app installs.
read more →

How Vehicles Become Tools for Law Enforcement Surveillance

📡 Modern cars act as mobile computers that log and transmit extensive telemetry to manufacturers and third parties. Law enforcement increasingly uses Car Intelligence (CARINT) tools and vendor solutions such as Ateros, Berla, and Toka to extract GPS histories, call logs, paired-device lists, and driving statistics — sometimes without warrants. Even sensor systems like unencrypted TPMS can enable low-cost tracking. Recommended mitigations include avoiding phone syncs, clearing head-unit data, disabling voice commands, and minimizing use of manufacturer apps.
read more →

Phishing Crypto-Wallet Clones on iOS and macOS Platforms

🔒 Kaspersky researchers discovered a campaign that placed 26 fake crypto-wallet apps in the Chinese App Store, impersonating popular wallets and using benign features to pass review. The malicious apps direct users to phishing pages that prompt installation of a provisioning profile, enabling sideloaded, trojanized wallet builds that request seed phrases. On macOS, infostealers like MacSync use ClickFix lures and can patch legitimate wallet apps to display fake recovery dialogs. The report includes concrete mitigation steps to protect seed phrases and devices.
read more →

FBI Recovers Deleted Signal Messages from iPhone DB

🔐 The FBI reportedly extracted copies of incoming Signal messages from an iPhone’s internal push notification database after the app was deleted. The extraction occurred during a criminal case where physical access allowed forensic tools to retrieve notification previews stored by iOS. The case underscores the privacy risk when message previews are enabled and the importance of disabling notification previews within Signal or device settings.
read more →

Apple fixes iOS bug that retained deleted notifications

🔒 Apple released patches for iOS and iPadOS to fix a Notification Services logging flaw that could retain notifications marked for deletion. Tracked as CVE-2026-28950, the issue was addressed by improving data redaction so deleted alerts are no longer preserved. Affected models were fixed in iOS 26.4.2/iPadOS 26.4.2 and in iOS/iPadOS 18.7.8 for other devices. The update follows reporting that copies of Signal messages were forensically extracted from push notification storage.
read more →

Trojanized NFC Relay App Used to Steal Card Data in Brazil

💳 Cybercriminals have trojanized an Android NFC-relay application to capture contactless payment data and PINs, enabling cloning of cards and remote ATM cash-outs. ESET researchers report a new NGate malware variant was injected into the HandyPay app and distributed via a fake lottery site and a spoofed Google Play page targeting Android users in Brazil since November 2025. Traces in the injected code, including emoji markers in debug logs, led researchers to suspect use of generative AI, and ESET has published indicators and a MITRE ATT&CK mapping to aid detection.
read more →

Trojanized Android App Enables New NFC Payment Fraud

📱 ESET has identified a new NGate variant that uses a trojanized version of the legitimate HandyPay NFC relay app to harvest payment card data and PINs. Distributed since November 2025 and focused on Brazil, the malicious app relays tapped NFC data to attacker-controlled devices to facilitate contactless fraud and ATM withdrawals. It requires minimal permissions by leveraging its role as the default payment application, helping it evade detection.
read more →

Zero Motorcycles Bluetooth Pairing Vulnerability Reported

🔒 Zero Motorcycles firmware versions 44 and earlier contain a Bluetooth pairing flaw (CVE-2026-1354) that can allow an attacker to forcibly pair with a motorcycle while it is in pairing mode. Once paired and in proximity, an attacker could use over-the-air firmware update capability to upload malicious firmware. The motorcycle must remain paired and within range for the entire update. Zero recommends secure pairing practices, physical key security, and plans a firmware update in May 2026; users should install updates when available.
read more →

NGate Android Campaign Trojans HandyPay to Steal NFC

🔒 ESET researchers uncovered a NGate Android campaign that trojanized the HandyPay NFC relay app to steal contactless card data and capture PINs for fraudulent ATM withdrawals. The poisoned app, spread via fake Rio de Prêmios sites and a deceptive Play Store listing, asks to be set as the default payment app and prompts users to enter their card PIN before tapping their card. Artifacts including emoji-laden debug messages suggest parts of the injected code may have been generated or modified with a large language model.
read more →

New NGate Variant Trojans HandyPay to Steal NFC Data

🔒 ESET researchers discovered a new NGate malware variant that trojanized the legitimate HandyPay Android NFC-relay app, with injected code displaying artifacts consistent with GenAI-assisted development. The patched app silently forwards NFC payment card data and captures payment card PINs, exfiltrating them to attacker-controlled C&C infrastructure to enable contactless ATM cash-outs and unauthorized payments. Distribution targeted Android users in Brazil since November 2025 via a fake Rio de Prêmios lottery site and a counterfeit Google Play page; both samples were served from the same domain, indicating a single operator. ESET notified Google and the HandyPay developer; known samples are detected by Google Play Protect and ESET.
read more →

Chinese App Store Infiltrated by Crypto Wallet Scams

⚠️A cluster of 26 malicious apps on Apple's China App Store impersonated popular crypto wallets such as MetaMask, Coinbase, Trust Wallet, and OneKey to harvest recovery seed phrases and drain funds. The apps used typosquatting, fake branding, and were disguised as games or calculators to bypass local restrictions. They redirected victims to phishing pages that pushed trojanized wallets via abused iOS provisioning profiles; those trojans intercept mnemonics, encrypt them, and exfiltrate them. Kaspersky links the campaign, dubbed FakeWallet, to the ongoing SparkKitty operation, and Apple has removed the apps following disclosure.
read more →

Mass iOS Exploits DarkSword and Coruna Threaten Users

🔒 DarkSword and Coruna are two newly discovered, zero-click spyware families actively abused in the wild to compromise iPhones and iPads without user interaction. DarkSword targets iOS 18 with a six‑vulnerability chain and runs filelessly in RAM, while Coruna exploits older releases (iOS 13–17.2.1) via numerous WebKit flaws. Both harvest passwords, messages, photos, browser history and crypto‑wallet secrets; researchers report several thousand infections and advise immediate OS updates and mitigations.
read more →

Google updates Play policies to tighten contacts, location

🔒 Google announced Play policy updates to restrict contact and location permissions and to strengthen app ownership protections, while reporting it blocked or removed over 8.3 billion ads and suspended 24.9 million accounts in 2025. The update introduces a standardized Contact Picker and a one‑time precise location button in Android 17, and urges developers to remove broad READ_CONTACTS usage. Google also added a native account transfer feature and said its Gemini AI is detecting and preemptively blocking malvertising at scale.
read more →

Google Adds Rust DNS Parser to Pixel Modem Firmware

🛡️ Google has integrated a Rust-based DNS parser into the modem firmware for Pixel 10, marking the first Pixel modem component written in a memory-safe language. The change aims to eliminate a broad class of memory-safety bugs in DNS handling, using the hickory-proto crate adapted for embedded use and a custom cargo-gnaw tool to manage dependencies. The Rust implementation exposes a C API and dispatches existing C functions to update in‑memory structures.
read more →

Mirax Android RAT Turns Devices into SOCKS5 Proxies

📱 Mirax is a newly observed Android Remote Access Trojan distributed via Meta advertisements that reached over 220,000 accounts, primarily in Spanish-speaking countries. According to Cleafy, Mirax pairs conventional RAT capabilities—keystroke capture, overlays, camera and SMS access—with an embedded SOCKS5 residential proxy implemented over Yamux to route attacker traffic through victim IPs. The threat uses GitHub-hosted droppers, selectable crypters (Virbox, Golden Crypt), and multi-stage installation flows that request accessibility permissions to persist and evade analysis. Researchers note the platform is offered as a selective MaaS to vetted affiliates, increasing its operational and monetization potential.
read more →

Mirax Android Trojan Turns Devices into Proxy Nodes

📱 A newly identified Android banking trojan called Mirax is spreading across Europe, combining remote-access features with residential proxy capabilities to expand its criminal utility. Researchers at Cleafy report campaigns reached more than 200,000 accounts by leveraging social media advertisements and fake streaming apps. Mirax runs as a restricted Malware-as-a-Service (MaaS), enabling real-time device control, dynamic overlay injection for credential theft, continuous keylogging, and the conversion of infected phones into proxy nodes to help bypass fraud controls.
read more →

Bringing Rust to Pixel Baseband for Safer DNS Parsing

🛡️ Google’s Pixel team integrated a memory-safe Rust DNS parser into the cellular baseband on Pixel 10 to reduce a class of memory-safety vulnerabilities in a high-risk component. The project adapts the community hickory-proto crate for no_std, adds FFI shims, and builds Rust into the modem firmware via the existing GN/Pigweed build. The team prioritized community support and correctness over aggressive size optimization, reporting a combined code cost of ~371 KB and leaving size pruning to future work.
read more →

EngageLab SDK Flaw Exposed Millions of Android Users

🔒 Microsoft Defender disclosed a patched vulnerability in the EngageLab SDK that could allow co‑located apps on an Android device to bypass the system sandbox and access private app data. The issue, introduced in version 4.5.4 and characterized as an intent redirection vulnerability, affected many cryptocurrency and wallet apps—wallet installations exceeded 30 million and total installs topped 50 million. EngageLab released version 5.2.1 in November 2025 after a responsible disclosure in April 2025; detected vulnerable apps were removed from Google Play and developers are urged to update immediately.
read more →

Intent Redirection in EngageSDK Exposes Android Wallets

🔒 Microsoft Defender Security Research Team discovered a critical intent redirection vulnerability in the third‑party EngageSDK that allowed co‑installed apps to abuse a merged, exported activity and act with the victim app's identity and permissions. The flaw, present in a post‑build merged manifest entry (MTCommonActivity) and tied to parseUri(URI_ALLOW_UNSAFE) and grant flags, could yield persistent read/write access to content providers. Microsoft coordinated with EngageLab and the Android Security Team; EngageLab released EngageSDK v5.2.1 on 2025‑11‑03 to set the activity non‑exported, affected apps were removed from Google Play, and Android platform protections were updated. Developers should upgrade and inspect merged manifests for unexpected exported components.
read more →