< ciso
brief />
Tag Banner

All news with #mobile security tag

205 articles · page 4 of 11

DarkSword iOS Exploit Kit Uses Six Vulnerabilities Widely

⚠️Researchers from Google Threat Intelligence Group, Lookout and iVerify report a new full‑chain JavaScript exploit kit named DarkSword has been used since at least November 2025 to fully compromise iPhones and exfiltrate sensitive data. The kit has appeared in watering‑hole campaigns targeting users in Saudi Arabia, Turkey, Malaysia and Ukraine and is linked to multiple actors including UNC6353, UNC6748 and a Turkish vendor. Apple has released patches addressing the exploited CVEs; users should install updates promptly.
read more →

Darksword iOS Exploit Used in Wide Infostealer Attacks

🔒 Darksword is a newly discovered iOS exploit kit targeting iPhones running iOS 18.4–18.6.2 and used to harvest credentials, photos, messages, and cryptocurrency wallet data. Researchers from Lookout, Google Threat Intelligence Group, and iVerify linked the framework to the actor behind the Coruna chain and say Apple has patched the exploited flaws. Victims should update to iOS 26.3.1 and consider enabling Lockdown Mode if at high risk.
read more →

DarkSword: Full-Chain iOS Exploit Targeting iOS 18.4–18.7

🔒 Google Threat Intelligence Group (GTIG) disclosed a JavaScript full-chain iOS exploit named 'DarkSword,' observed since November 2025, that chains six vulnerabilities to fully compromise devices running iOS 18.4–18.7. Multiple operators — including commercial vendor PARS Defense and suspected state actors (UNC6748, UNC6353) — used DarkSword to deploy implants GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. Apple has issued patches (culminating in iOS 26.3); GTIG recommends updating immediately or enabling Lockdown Mode if updates are not possible.
read more →

Android OS-Level Exploit Hijacks Mobile Payment Security

🔒 CloudSEK researchers have identified an Android OS-level attack that manipulates the runtime via LSPosed modules to hijack legitimate payment apps without modifying APKs or invalidating app signatures. The campaign, associated with a module dubbed Digital Lutera, intercepts SMS, spoofs device identities, and captures 2FA in real time, effectively bypassing protections like Google Play Protect and persistent integrity checks. Reinstalling apps does not remove the malicious hooks, making detection and remediation difficult.
read more →

Android 17 Restricts Accessibility API to Verified Tools

🔒 Google is testing a change in Android 17 Beta 2 within its Advanced Protection Mode that blocks apps not designated as accessibility tools from using the system Accessibility Services API. Apps without the isAccessibilityTool="true" flag will have existing permissions revoked when AAPM is active, and users cannot grant new access until the mode is turned off. Verified assistive tools such as screen readers and Braille programs remain exempt.
read more →

PixRevolution Trojan Hijacks Brazil's PIX Transfers

🔒 PixRevolution is an Android banking trojan uncovered by Zimperium that silently monitors devices and redirects funds during Brazil's PIX instant payments. It abuses Android accessibility permissions to stream screens to an attacker-controlled server, detects payment activity, and replaces recipient keys while displaying a fake loading overlay. The campaign relies on an agent-in-the-loop model with human operators intervening in near real time and spreads via fraudulent download pages impersonating legitimate Brazilian apps.
read more →

Six Android Malware Families Target Pix, Banking, Crypto

🛡️Researchers report six Android malware families targeting Pix payments, banking apps, and cryptocurrency wallets. The threats — including PixRevolution, BeatBanker, TaxiSpy RAT, Mirax, Oblivion RAT, and SURXRAT — rely on fake Google Play Store pages, accessibility and MediaProjection abuse, screen overlays, and remote control to harvest credentials and hijack transfers. Campaigns use Firebase or custom TCP/9000 C2s, include miners or RAT payloads, and some samples experiment with large language model components to refine targeting.
read more →

WhatsApp rolls out parent-managed accounts for pre-teens

🔒 WhatsApp has begun rolling out parent-managed accounts for pre-teens, enabling guardians to control who can contact their child and which groups they can join. These managed profiles limit the child to messaging and calling, exclude access to Meta AI, Channels, Status, and location sharing, and preserve end-to-end encryption so messages cannot be read by third parties. Setup requires both devices present: parents verify the child's number, scan a QR code to link accounts, and set a 6-digit PIN to lock parental controls. By default children can message only saved contacts and parents must approve group additions; the child can switch to a standard account at 13.
read more →

BeatBanker and BTMOB Android trojans: infection tactics

🚨 BeatBanker is a sophisticated Android trojan targeting Brazilian users through counterfeit pages that mimic Google Play and legitimate services such as INSS Reembolso or Starlink. The malware installs in staged downloads, injects encrypted modules into RAM after device and country checks, and avoids analysis by detecting emulators. It deploys a Monero miner that evades power optimizers by playing near‑inaudible audio and uses Accessibility abuse to overlay screens and divert crypto transfers. Users should stick to official stores, scrutinize permissions, and run up‑to‑date anti‑malware.
read more →

Mental health apps leaking private data: 2026 audit

🧠 In February 2026, cybersecurity firm Oversecured audited 10 popular Android mental‑health apps and found 1,575 vulnerabilities — 54 rated critical — across apps with a combined 14.7M+ installs. Findings include insecure local storage, hardcoded API endpoints, weak token generation using java.util.Random, and no root detection, contradicting many apps’ claims of full encryption. The report highlights the real risk of exposure of therapy transcripts, mood logs, and medication data and urges users to review permissions, update apps, and avoid third‑party sign‑ins.
read more →

CISA Flags iOS Flaws Exploited by Coruna Exploit Kit

🛡️ CISA has ordered federal agencies to patch three iOS vulnerabilities targeted by the Coruna exploit kit, which bundles multiple chains for at least 23 iOS flaws. Google researchers say Coruna provides PAC bypass, sandbox and PPL escapes, WebKit remote code execution and kernel elevation. Exploits are mitigated on recent iOS releases and can be blocked by private browsing or Lockdown Mode. CISA added the flaws to its KEV list and set a March 26 remediation deadline under BOD 22-01, urging organizations to prioritize fixes.
read more →

Coruna iOS exploit kit moves from surveillance to crime

🔒Researchers at Google’s Threat Intelligence Group uncovered Coruna, a sophisticated iOS exploit kit composed of five exploit chains and 23 individual exploits that migrated from a commercial surveillance customer to suspected state and criminal operators within months. The framework resurfaced with UNC6353 on compromised Ukrainian sites and later powered mass attacks by China-based UNC6691 on fake financial pages. Its payload, tracked as Plasmagrid, injects into the root powerd daemon to exfiltrate cryptocurrency wallets, seed phrases and QR codes. GTIG urges immediate iOS updates, enabling Lockdown Mode where updates are impossible, and has published IoCs on VirusTotal.
read more →

Coruna Exploit Kit Targets Older iPhones in Campaigns

🔐 Researchers at Google's Threat Intelligence Group disclosed the Coruna exploit kit, a complex toolkit that compromises Apple iPhones running iOS 13.0 through 17.2.1 using multiple chained vulnerabilities. The framework contains five full exploit chains and 23 distinct flaws, and includes device fingerprinting, automatic WebKit exploit selection and mitigation bypasses. A final-stage loader called PlasmaLoader focuses on extracting financial data such as QR codes and cryptocurrency recovery phrases. Google recommends updating to the latest iOS release or enabling Lockdown Mode when updates aren’t possible.
read more →

Hacked Prayer App Linked to US/Israeli Campaign Against Iran

📱 The Iranian prayer-timing app BadeSaba Calendar — installed by over five million users from the Google Play Store — delivered a rapid series of push notifications shortly after a set of explosions, beginning at 9:52 a.m. Tehran time. The alerts, starting with the phrase 'Help has arrived', reached users over roughly 30 minutes. No one has claimed responsibility; analysts say the speed and scale point to a likely state operation, with the US and Israel named as plausible actors.
read more →

Coruna iOS Exploit Kit Uses 23 Exploits Across iOS 13–17

📱 Google Threat Intelligence Group (GTIG) identified a powerful exploit framework named Coruna (aka CryptoWaters) that bundles five full iOS exploit chains and 23 exploits targeting devices running iOS 13 through 17.2.1. The framework fingerprints devices, loads tailored WebKit remote code execution exploits and executes pointer authentication code (PAC) bypasses to achieve persistence. Observed in multiple campaigns since February 2025, the kit moved from commercial surveillance users to nation-state actors and later financially motivated operators; users should keep devices current and enable Lockdown Mode.
read more →

Spyware Campaign Mimics Israel's Red Alert App via SMS

🚨 Researchers at CloudSEK have uncovered a mobile espionage campaign, dubbed RedAlert, that distributes a trojanized version of Israel's official Red Alert rocket warning app via SMS phishing and sideloaded fake updates. The malicious build imitates the genuine interface and continues to deliver real alerts while running a covert surveillance payload that requests high-risk permissions such as SMS access, contacts and precise GPS. It uses advanced anti-detection techniques — including spoofing the original signing certificate, falsifying Play Store installation metadata and manipulating Android's package manager via reflection and proxy hooks — to hide secondary payloads and avoid integrity checks. Incident response guidance recommends isolating affected devices, revoking privileges, performing factory resets when necessary, and blocking known domains while restricting sideloading through mobile device management.
read more →

Coruna: Powerful iOS Exploit Kit and Its Proliferation

🔍 Google Threat Intelligence Group describes Coruna, a sophisticated iOS exploit kit containing five full exploit chains and 23 exploits that target iOS 13.0 through 17.2.1. The kit combines WebKit RCEs, PAC/PPL bypasses, and a root-capable loader called PlasmaLoader that exfiltrates financial data and cryptocurrency wallet information. GTIG observed deployments by both suspected state-backed and financially motivated actors and added affected domains to Safe Browsing. Users are urged to update iOS or enable Lockdown Mode if updates are not possible.
read more →

Mobile App Permissions Still Matter: Protect Your Privacy

🔒 App permissions determine which data and device features an app can access, and many users accept prompts without considering the consequences. The article, by Phil Muncaster, explains how modern Android and iOS versions surface sensitive permissions at runtime and distinguishes between benign “normal” permissions and higher-risk “dangerous” ones. It highlights particularly sensitive requests — accessibility, background location, SMS/call logs and overlay — and recommends using Allow once or While using, regularly auditing permissions via App Privacy Report or Privacy Dashboard, and installing apps only from reputable stores.
read more →

Android Mental Health Apps Found with Security Flaws

⚠️ Security researchers found widespread vulnerabilities across ten Android mental-health apps that together exceed 14.7 million installs and could expose highly sensitive therapy and medical data. Oversecured's scans from January 22–23, 2026 identified 1,575 issues — 54 high-, 538 medium-, and 983 low-severity — which could enable credential interception, HTML injection, spoofing, and location leaks. Findings include use of Intent.parseUri() on external input, plaintext API endpoints and hardcoded Firebase URLs, insecure token generation with java.util.Random, and overly permissive local file access.
read more →

Predator Spyware Hooks iOS SpringBoard to Hide Indicators

🔍 Researchers report that Intellexa's Predator commercial spyware can suppress iOS camera and microphone recording indicators by hooking a single SpringBoard method. The malware intercepts sensor updates using a function named HiddenDot::setupHook() and nullifies the SBSensorActivityDataProvider object so the green or orange status dots never reach the UI. The technique requires prior kernel-level access and is combined with ARM64 instruction pattern matching and Pointer Authentication Code (PAC) redirection to bypass camera permission checks, while VoIP recordings also rely on the same upstream interception for stealth.
read more →