ciso brief

All news with #mobile security tag

194 articles · page 3 of 10

Coruna iOS Exploit Framework Linked to Triangulation

🔒 Coruna is an iOS exploit framework that evolved from the tooling behind the earlier Operation Triangulation espionage campaign; it now supports recent Apple silicon such as the A17 and M3 and iOS builds up to 17.2. Kaspersky found five exploit chains covering 23 vulnerabilities, including CVE-2023-32434 and CVE-2023-38606, and determined that parts of the kernel exploit are maintained revisions of the Triangulation code. The attack begins with a Safari stager that fingerprints the device, selects RCE and PAC-bypass exploits tailored to it, downloads encrypted components that are decrypted with ChaCha20 and decompressed with LZMA, then loads payloads matching the ARM64 or ARM64E architecture. Kaspersky also observed Coruna in financially motivated campaigns that impersonate crypto exchanges; Apple has released fixes and users should apply updates promptly.

Google adds Advanced Flow for safer APK sideloading

🔒 Google is introducing Advanced Flow, a new Android mechanism that lets power users sideload APKs from unverified developers while adding multi-step protections. The one-time process requires enabling Developer Mode, confirming that the user is not being coached by a threat actor, restarting and re-authenticating, then waiting one day before the change takes effect. After completion, users may enable such installs for a week or indefinitely, and Android displays a warning that the app comes from an unverified developer. The flow is intended to add friction and disrupt urgency-driven scam tactics.

Predator spyware disables iOS camera and mic indicators

🔎 Cybersecurity researchers analyzed Predator, a commercial spyware component developed by Intellexa, and revealed how it disables the iOS camera and microphone recording indicators. The malware intercepts communications between the system component that tracks sensor activity and SpringBoard, abusing Objective-C runtime behavior to suppress the status signals so the green and orange dots never appear. The report outlines the techniques, traces earlier dead-code attempts at the same goal, and offers practical mitigations for users at elevated risk.

Google adds 24-hour wait for unverified Android apps

🔐 Google announced a new advanced flow for Android sideloading that imposes a mandatory 24-hour wait and biometric or PIN confirmation before permitting installs from unverified developers. The measure complements the developer verification mandate and is intended to make social-engineering and rapid coercion attacks harder. Google will also offer free limited-distribution accounts for hobbyists and students, and says the flow does not apply to ADB installs; the changes roll out in August 2026, ahead of the verification rules.

Five Ways Google Helps You Avoid Tax Season Scammers

🔒 Google outlines five practical defenses to help users spot and avoid tax-season scams. It describes on-device AI protections on Pixel phones, including Call Screen and optional real-time Scam Detection alerts, plus text vetting with Circle to Search and Lens. The post highlights real-time Safe Browsing, high-visibility Gmail warning banners, and account hardening steps such as passkeys and 2-Step Verification to reduce fraud risk.

Global Surge in Mobile Banking Malware Targets 1,243 Brands

📱 Zimperium zLabs reports a global surge in mobile banking malware targeting 1,243 financial brands across 90 countries. The firm analysed 34 active malware families affecting apps with more than three billion combined downloads and found industrialised campaigns exploiting weak in-app protections and widespread code sharing between families. Attacks now intercept authentication codes, hijack live sessions and can take full control of devices, undermining fraud controls that rely on the backend alone.

Perseus Android Banking Malware Targets Europe and Mideast

🔒 ThreatFabric researchers disclosed a new Android banking malware family named Perseus that enables device takeover and financial fraud through dropper apps promoted on phishing and IPTV sideloading sites. Built on code from Cerberus and Phoenix, Perseus leverages Accessibility-based remote sessions to monitor, interact with, and fully control infected devices. It targets users across Turkey, Italy and other European and Middle Eastern markets, and adds note‑scanning to harvest high-value personal data. Operators can issue remote commands, stream screens, run HVNC sessions, and authorize fraudulent transactions via a command-and-control panel.

Perseus Android Malware Harvests Secrets from Notes

🔐 Researchers at ThreatFabric have discovered a new Android malware family called Perseus that scans user note-taking apps to steal passwords, recovery phrases, and financial data. Distributed via sideloaded IPTV-themed apps, Perseus abuses Accessibility Services to gain full remote control, capture screenshots, and deploy overlays and keyloggers. The threat uses a dropper capable of bypassing Android 13+ sideloading restrictions and performs extensive anti-analysis checks before exfiltration. Users are advised to avoid sideloading APKs, keep Play Protect enabled, and install apps only from the Google Play Store.

Remote Control Glitch Exposes Thousands of Robot Vacuums

🤖 A user attempting to remotely control his own DJI Romo robot vacuum inadvertently gained control of approximately 7,000 devices around the world. The incident highlights how insecure many consumer IoT devices remain and how a single action can cascade into widespread exposure. Beyond mere nuisance, such mass control raises privacy and safety concerns if exploited at scale. The episode underscores the urgent need for stronger device authentication, secure update mechanisms, and clearer vendor responsibility.

DarkSword iOS Exploit Kit Uses Six Vulnerabilities Widely

⚠️ Researchers from Google Threat Intelligence Group, Lookout and iVerify report that a new full-chain JavaScript exploit kit named DarkSword has been used since at least November 2025 to fully compromise iPhones and exfiltrate sensitive data. The kit has appeared in watering-hole campaigns targeting users in Saudi Arabia, Turkey, Malaysia and Ukraine and is linked to multiple actors, including UNC6353, UNC6748 and a Turkish vendor. Apple has released patches addressing the exploited CVEs; users should install updates promptly.

Darksword iOS Exploit Used in Wide Infostealer Attacks

🔒 Darksword is a newly discovered iOS exploit kit targeting iPhones running iOS 18.4–18.6.2 and used to harvest credentials, photos, messages, and cryptocurrency wallet data. Researchers from Lookout, Google Threat Intelligence Group, and iVerify linked the framework to the actor behind the Coruna chain and say Apple has patched the exploited flaws. Victims should update to iOS 26.3.1 and consider enabling Lockdown Mode if at high risk.

DarkSword: Full-Chain iOS Exploit Targeting iOS 18.4–18.7

🔒 Google Threat Intelligence Group (GTIG) disclosed a JavaScript full-chain iOS exploit named 'DarkSword,' observed since November 2025, that chains six vulnerabilities to fully compromise devices running iOS 18.4–18.7. Multiple operators — including commercial vendor PARS Defense and suspected state actors (UNC6748, UNC6353) — used DarkSword to deploy implants GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. Apple has issued patches (culminating in iOS 26.3); GTIG recommends updating immediately or enabling Lockdown Mode if updates are not possible.

Android OS-Level Exploit Hijacks Mobile Payment Security

🔒 CloudSEK researchers have identified an Android OS-level attack that hooks the Android runtime through LSPosed modules to hijack legitimate payment apps without modifying their APKs or invalidating their signatures. The campaign, associated with a module dubbed Digital Lutera, intercepts SMS, spoofs device identities and captures 2FA codes in real time, effectively bypassing protections such as Google Play Protect and in-app integrity checks. Because the hooks live in the runtime rather than in the app, reinstalling the app does not remove them, making detection and remediation difficult.

Android 17 Restricts Accessibility API to Verified Tools

🔒 Google is testing a change in Android 17 Beta 2, scoped to Android Advanced Protection Mode (AAPM), that blocks apps not designated as accessibility tools from using the system Accessibility Services API. Apps whose service declaration lacks the isAccessibilityTool="true" flag have any existing accessibility permission revoked while AAPM is active, and users cannot grant them new access until the mode is turned off. Verified assistive tools such as screen readers and Braille programs remain exempt.
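The isAccessibilityTool flag is what distinguishes TalkBack-style assistive tools from the Accessibility-abusing banking malware covered elsewhere on this page. The check below is an added example, not code from Google or from the Android 17 beta: it shows how a sensitive app (a banking or wallet app) can enumerate the accessibility services currently enabled on the device and report the ones that neither declare the flag nor ship in the system image. The class and method names are hypothetical; the framework calls (AccessibilityManager, AccessibilityServiceInfo.isAccessibilityTool, getCapabilities) are the real Android APIs.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.ResolveInfo;
import android.os.Build;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical class name): enumerates enabled accessibility
// services that are neither declared accessibility tools nor system apps.
public final class AccessibilityAudit {

    /** One enabled accessibility service the app considers unexpected. */
    public static final class Finding {
        public final String packageName;
        public final boolean canReadScreen;     // can retrieve window content (overlay/keylog precursor)
        public final boolean canInjectGestures; // can perform gestures (remote-control precursor)

        Finding(String packageName, boolean canReadScreen, boolean canInjectGestures) {
            this.packageName = packageName;
            this.canReadScreen = canReadScreen;
            this.canInjectGestures = canInjectGestures;
        }
    }

    /**
     * Returns enabled accessibility services that do not declare
     * android:isAccessibilityTool="true" (API 33+) and are not part of the system image.
     * Screen readers such as TalkBack declare the flag and are therefore skipped.
     */
    public static List<Finding> findUnexpectedServices(Context context) {
        List<Finding> findings = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) context.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) {
            return findings;
        }
        List<AccessibilityServiceInfo> enabled =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        for (AccessibilityServiceInfo info : enabled) {
            ResolveInfo ri = info.getResolveInfo();
            if (ri == null || ri.serviceInfo == null) {
                continue;
            }
            // The flag only exists from Android 13 (API 33); on older releases nothing
            // is exempt by declaration, so every non-system service is reported.
            boolean declaredTool = Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU
                    && info.isAccessibilityTool();
            boolean systemApp =
                    (ri.serviceInfo.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            if (declaredTool || systemApp) {
                continue;
            }
            int caps = info.getCapabilities();
            findings.add(new Finding(
                    ri.serviceInfo.packageName,
                    (caps & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0,
                    (caps & AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0));
        }
        return findings;
    }
}
```

Caveat: isAccessibilityTool is a self-declaration in the service's own XML, so a malicious dropper can set it to true on itself; an in-app check like this is a heuristic for deciding whether to degrade high-risk flows (hide balances, block transfers), and the "verified" part of the Android 17 change is Google's enforcement on top of the flag, not the flag alone. The check also has to run on-device under the attacker's control, so it complements, rather than replaces, backend risk scoring.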

PixRevolution Trojan Hijacks Brazil's PIX Transfers

🔒 PixRevolution is an Android banking trojan uncovered by Zimperium that silently monitors devices and redirects funds during Brazil's PIX instant payments. It abuses Android accessibility permissions to stream the screen to an attacker-controlled server, detects payment activity, and swaps the recipient's PIX key while showing a fake loading overlay. The campaign relies on a human-in-the-loop model in which operators intervene in near real time, and it spreads via fraudulent download pages impersonating legitimate Brazilian apps.

Six Android Malware Families Target Pix, Banking, Crypto

🛡️ Researchers report six Android malware families targeting Pix payments, banking apps, and cryptocurrency wallets. The threats, PixRevolution, BeatBanker, TaxiSpy RAT, Mirax, Oblivion RAT, and SURXRAT, rely on fake Google Play Store pages, accessibility and MediaProjection abuse, screen overlays, and remote control to harvest credentials and hijack transfers. Campaigns use Firebase or custom C2 servers on TCP/9000, bundle miners or RAT payloads, and some samples experiment with large language model components to refine targeting.

WhatsApp rolls out parent-managed accounts for pre-teens

🔒 WhatsApp has begun rolling out parent-managed accounts for pre-teens, enabling guardians to control who can contact their child and which groups they can join. These managed profiles limit the child to messaging and calling, exclude access to Meta AI, Channels, Status, and location sharing, and preserve end-to-end encryption so messages cannot be read by third parties. Setup requires both devices present: parents verify the child's number, scan a QR code to link accounts, and set a 6-digit PIN to lock parental controls. By default children can message only saved contacts and parents must approve group additions; the child can switch to a standard account at 13.

BeatBanker and BTMOB Android trojans: infection tactics

🚨 BeatBanker is a sophisticated Android trojan targeting Brazilian users through counterfeit pages that mimic Google Play and legitimate services such as INSS Reembolso or Starlink. The malware installs in staged downloads, loads encrypted modules into memory only after device and country checks pass, and evades analysis by detecting emulators. It deploys a Monero miner that dodges power optimizers by playing near-inaudible audio, and abuses Accessibility to overlay screens and divert crypto transfers. Users should stick to official stores, scrutinize permission requests, and run up-to-date anti-malware.

Mental health apps leaking private data: 2026 audit

🧠 In February 2026, cybersecurity firm Oversecured audited 10 popular Android mental-health apps and found 1,575 vulnerabilities, 54 rated critical, across apps with a combined 14.7M+ installs. Findings include insecure local storage, hardcoded API endpoints, token generation with java.util.Random (a predictable generator, not a cryptographic one), and no root detection, contradicting many of the apps' claims of full encryption. The report highlights the real risk of exposure of therapy transcripts, mood logs, and medication data, and urges users to review permissions, update apps, and avoid third-party sign-ins.
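Why java.util.Random is a finding and not a nitpick: it is a 48-bit linear congruential generator whose internal state is exposed almost entirely by its output, so an attacker who sees one token can compute the next. The code below is an added example, not code from Oversecured's report or from any audited app. It shows the weak pattern beside a SecureRandom replacement and, to make the risk concrete, recovers the generator state from eight bytes of a weak token and predicts the bytes that follow. The class and method names are hypothetical; the multiplier, increment and mask are the published constants of java.util.Random.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added example (hypothetical class name): weak vs. hardened token generation,
// plus a state-recovery routine that shows why the weak form is predictable.
public final class SessionTokens {

    // Constants of java.util.Random's LCG: seed = (seed * MULT + ADD) mod 2^48,
    // and nextInt() returns the top 32 bits of the new seed.
    private static final long MULT = 0x5DEECE66DL;
    private static final long ADD = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    /** Weak: the pattern the audit flagged. Seeded from the clock, and predictable from its output. */
    public static byte[] weakTokenBytes(int length) {
        byte[] buf = new byte[length];
        new Random().nextBytes(buf);
        return buf;
    }

    /** Hardened: SecureRandom is backed by the platform entropy source. */
    public static String secureToken() {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /**
     * Given two consecutive nextInt() outputs, brute-forces the 16 hidden low bits of
     * the 48-bit state and returns the generator's next nextInt() output, or null if
     * no state reproduces the pair.
     */
    public static Integer predictNextInt(int first, int second) {
        for (long low = 0; low < (1L << 16); low++) {
            long state = ((first & 0xFFFFFFFFL) << 16) | low;   // candidate state after 'first'
            long next = (state * MULT + ADD) & MASK;
            if ((int) (next >>> 16) == second) {
                long after = (next * MULT + ADD) & MASK;
                return (int) (after >>> 16);
            }
        }
        return null;
    }

    /** Random.nextBytes() writes each nextInt() little-endian, so 4 token bytes = 1 output word. */
    public static int wordAt(byte[] b, int offset) {
        return (b[offset] & 0xFF)
                | (b[offset + 1] & 0xFF) << 8
                | (b[offset + 2] & 0xFF) << 16
                | (b[offset + 3] & 0xFF) << 24;
    }

    /** Demonstration: observe 8 bytes of a weak token, predict bytes 8..11, and check. */
    public static boolean weakTokenIsPredictable() {
        byte[] token = weakTokenBytes(12);            // what a leaking app might hand out
        Integer predicted = predictNextInt(wordAt(token, 0), wordAt(token, 4));
        return predicted != null && predicted == wordAt(token, 8);
    }

    public static void main(String[] args) {
        System.out.println("weak token predictable from its first 8 bytes: " + weakTokenIsPredictable());
        System.out.println("secure token: " + secureToken());
    }
}
```

The same recovery works against any value derived from java.util.Random (session IDs, password-reset codes, "random" file names), which is why the fix is to swap the generator rather than to lengthen the token; on Android, SecureRandom with the default constructor is the correct replacement.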

CISA Flags iOS Flaws Exploited by Coruna Exploit Kit

🛡️ CISA has ordered federal agencies to patch three iOS vulnerabilities targeted by the Coruna exploit kit, which bundles multiple chains for at least 23 iOS flaws. Google researchers say Coruna provides PAC bypass, sandbox and PPL escapes, WebKit remote code execution and kernel elevation. Exploits are mitigated on recent iOS releases and can be blocked by private browsing or Lockdown Mode. CISA added the flaws to its KEV list and set a March 26 remediation deadline under BOD 22-01, urging organizations to prioritize fixes.