
All news with #mobile security tag


Coruna iOS exploit kit moves from surveillance to crime

🔒 Researchers at Google’s Threat Intelligence Group uncovered Coruna, a sophisticated iOS exploit kit composed of five exploit chains and 23 individual exploits that migrated from a commercial surveillance customer to suspected state and criminal operators within months. The framework resurfaced with UNC6353 on compromised Ukrainian sites and later powered mass attacks by China-based UNC6691 on fake financial pages. Its payload, tracked as Plasmagrid, injects into the root powerd daemon to exfiltrate cryptocurrency wallets, seed phrases and QR codes. GTIG urges immediate iOS updates, enabling Lockdown Mode where updates are impossible, and has published IoCs on VirusTotal.

Coruna Exploit Kit Targets Older iPhones in Campaigns

🔐 Researchers at Google's Threat Intelligence Group disclosed the Coruna exploit kit, a complex toolkit that compromises Apple iPhones running iOS 13.0 through 17.2.1 using multiple chained vulnerabilities. The framework contains five full exploit chains and 23 distinct flaws, and includes device fingerprinting, automatic WebKit exploit selection and mitigation bypasses. A final-stage loader called PlasmaLoader focuses on extracting financial data such as QR codes and cryptocurrency recovery phrases. Google recommends updating to the latest iOS release or enabling Lockdown Mode when updates aren’t possible.

Hacked Prayer App Linked to US/Israeli Campaign Against Iran

📱 The Iranian prayer-timing app BadeSaba Calendar — installed by over five million users from the Google Play Store — delivered a rapid series of push notifications shortly after a set of explosions, beginning at 9:52 a.m. Tehran time. The alerts, starting with the phrase 'Help has arrived', reached users over roughly 30 minutes. No one has claimed responsibility; analysts say the speed and scale point to a likely state operation, with the US and Israel named as plausible actors.

Coruna iOS Exploit Kit Uses 23 Exploits Across iOS 13–17

📱 Google Threat Intelligence Group (GTIG) identified a powerful exploit framework named Coruna (aka CryptoWaters) that bundles five full iOS exploit chains and 23 exploits targeting devices running iOS 13 through 17.2.1. The framework fingerprints devices, loads tailored WebKit remote code execution exploits and executes pointer authentication code (PAC) bypasses to achieve persistence. Observed in multiple campaigns since February 2025, the kit moved from commercial surveillance users to nation-state actors and later financially motivated operators; users should keep devices current and enable Lockdown Mode.

Spyware Campaign Mimics Israel's Red Alert App via SMS

🚨 Researchers at CloudSEK have uncovered a mobile espionage campaign, dubbed RedAlert, that distributes a trojanized version of Israel's official Red Alert rocket warning app via SMS phishing and sideloaded fake updates. The malicious build imitates the genuine interface and continues to deliver real alerts while running a covert surveillance payload that requests high-risk permissions such as SMS access, contacts and precise GPS. It uses advanced anti-detection techniques — including spoofing the original signing certificate, falsifying Play Store installation metadata and manipulating Android's package manager via reflection and proxy hooks — to hide secondary payloads and avoid integrity checks. Incident response guidance recommends isolating affected devices, revoking privileges, performing factory resets when necessary, and blocking known domains while restricting sideloading through mobile device management.

Coruna: Powerful iOS Exploit Kit and Its Proliferation

🔍 Google Threat Intelligence Group describes Coruna, a sophisticated iOS exploit kit containing five full exploit chains and 23 exploits that target iOS 13.0 through 17.2.1. The kit combines WebKit RCEs, PAC/PPL bypasses, and a root-capable loader called PlasmaLoader that exfiltrates financial data and cryptocurrency wallet information. GTIG observed deployments by both suspected state-backed and financially motivated actors and added affected domains to Safe Browsing. Users are urged to update iOS or enable Lockdown Mode if updates are not possible.

Mobile App Permissions Still Matter: Protect Your Privacy

🔒 App permissions determine which data and device features an app can access, and many users accept prompts without considering the consequences. The article, by Phil Muncaster, explains how modern Android and iOS versions surface sensitive permissions at runtime and distinguishes between benign “normal” permissions and higher-risk “dangerous” ones. It highlights particularly sensitive requests — accessibility, background location, SMS/call logs and overlay — and recommends using Allow once or While using, regularly auditing permissions via App Privacy Report or Privacy Dashboard, and installing apps only from reputable stores.

Android Mental Health Apps Found with Security Flaws

⚠️ Security researchers found widespread vulnerabilities across ten Android mental-health apps that together exceed 14.7 million installs and could expose highly sensitive therapy and medical data. Oversecured's scans from January 22–23, 2026 identified 1,575 issues — 54 high-, 538 medium-, and 983 low-severity — which could enable credential interception, HTML injection, spoofing, and location leaks. Findings include use of Intent.parseUri() on external input, plaintext API endpoints and hardcoded Firebase URLs, insecure token generation with java.util.Random, and overly permissive local file access.

Predator Spyware Hooks iOS SpringBoard to Hide Indicators

🔍 Researchers report that Intellexa's Predator commercial spyware can suppress iOS camera and microphone recording indicators by hooking a single SpringBoard method. The malware intercepts sensor updates using a function named HiddenDot::setupHook() and nullifies the SBSensorActivityDataProvider object so the green or orange status dots never reach the UI. The technique requires prior kernel-level access and is combined with ARM64 instruction pattern matching and Pointer Authentication Code (PAC) redirection to bypass camera permission checks, while VoIP recordings also rely on the same upstream interception for stealth.

Massiv Android banking malware disguised as IPTV app

🔒 A new Android banking trojan called Massiv is being distributed as a fake IPTV application to harvest credentials, perform keylogging, and seize remote control of infected devices. Researchers at ThreatFabric observed campaigns that targeted a Portuguese government app integrated with Chave Móvel Digital, enabling fraudsters to bypass KYC checks and open accounts in victims' names. Massiv supports live screen streaming via Android's MediaProjection API and a UI-tree mode using the Accessibility Service to extract interface elements, click controls, and bypass screen-capture protections.

Keenadu Preinstalled Android Malware Compromises Firmware

⚠️ Kaspersky researchers have uncovered Keenadu, a multifaceted Android malware family that can be embedded in device firmware and run with system-level privileges from first boot. Detected on more than 13,000 devices across multiple countries, the backdoor impersonates legitimate system components (including face-unlock and home-screen apps) and can infect other apps, install APKs, and harvest sensitive data. It may remain dormant under certain locales and lacks easy removal through standard user tools. Kaspersky recommends checking firmware updates, running security scans, disabling suspect apps, and coordinating with vendors to address supply chain integrity.

Keenadu Firmware Backdoor Infects Android Tablets Worldwide

🔒 Kaspersky researchers have identified a firmware-embedded backdoor named Keenadu that can run in the context of every Android app and grant remote control over infected tablets. The implant was discovered in Alldocube iPlay 50 mini Pro firmware dating to August 18, 2023, and the compromised images carried valid digital signatures. Kaspersky observed delivery via signed OTA updates, preinstalled system apps, and trojanized apps distributed through third-party stores and official marketplaces.

Android 17 Beta Adds Secure-by-Default Architecture

🔐 Android 17 public beta introduces a secure-by-default architecture that tightens app protections and refines developer workflows. The release deprecates the android:usesCleartextTraffic attribute and will block cleartext by default for apps targeting API level 37 without a network security configuration. It also adds a public SPI for HPKE hybrid cryptography, enables certificate transparency by default and introduces install-time permissions for localhost interactions. Large-screen behavior changes, a lock-free MessageQueue and generational garbage collection in ART target performance, while Google replaces the traditional Developer Preview with a continuous Canary channel for earlier feature access and streamlined testing.

Apple beta adds RCS E2EE and expanded Memory Integrity

🔐 Apple has released an iOS and iPadOS 26.4 developer beta that introduces end-to-end encryption (E2EE) for RCS conversations between compatible Apple devices, with a wider rollout planned for iOS, iPadOS, macOS and watchOS in a future update. The feature is currently in beta and limited to Apple devices and supported carriers. The update also expands Memory Integrity Enforcement (MIE), allowing applications to opt in to full protections beyond Soft Mode. Additionally, iOS 26.4 is expected to enable Stolen Device Protection by default and the SDK is available via Xcode 26.4.

Keenadu backdoor found in Android firmware and apps

🛡️ Keenadu is a sophisticated Android backdoor discovered embedded in device firmware and in apps distributed through Google Play and other channels. Kaspersky reports multiple distribution vectors — compromised OTA firmware, system apps, modified APKs and even Play Store apps — with the firmware-integrated variant being the most powerful. That variant can operate inside every installed app, silently install APKs with broad permissions, and exfiltrate media, messages, credentials and location data. Kaspersky has confirmed roughly 13,000 infected devices and warns that firmware-resident instances cannot be removed by standard Android tools; users should reflash clean firmware or replace affected devices.

ZeroDayRAT toolkit sells cross-platform mobile spyware

📱 ZeroDayRAT is a commercially marketed, cross-platform spyware toolkit distributed openly via Telegram that targets Android and iOS devices. iVerify traced initial activity to 2 February and found the offering includes an APK for Android, an iOS payload, a web-based management panel, documentation, and customer support channels. The malware harvests messages, call logs, contacts, location, photos, files, notifications, and enumerates accounts across popular services, enabling sustained surveillance and potential financial theft. Infection relies on social engineering—sideloading or iOS provisioning profiles—so iVerify recommends mobile EDR, stricter controls on unauthorized installs, and detection across BYOD and managed fleets.

Apple Tests End-to-End Encrypted RCS in iOS 26.4 Beta

🔒 Apple has introduced end-to-end encryption for RCS messaging in the iOS and iPadOS 26.4 developer beta, enabling encrypted conversations between Apple devices during testing. The feature remains in beta and is not available for all devices or carriers, and it currently does not extend to non-Apple platforms such as Android. The release also introduces an opt-in for full Memory Integrity Enforcement and signals forthcoming Stolen Device Protection defaults.

ZeroDayRAT: Commercial Mobile Spyware Targets Android, iOS

🕵️‍♂️ ZeroDayRAT is a commercial mobile spyware platform advertised on Telegram that enables extensive data collection and real-time surveillance on Android and iOS devices. The developer offers a builder to generate malicious binaries and an online or self-hosted control panel that exposes device metadata, GPS location history, accounts and notification previews. Operators can capture keystrokes, SMS (including OTPs), live camera and microphone streams, and perform hands-on remote operations. Additional modules swap clipboard crypto addresses and target mobile payment apps to facilitate direct financial theft.

ZeroDayRAT Mobile Spyware Targets Android and iOS Users

📱 ZeroDayRAT is a newly documented cross-platform mobile spyware operation targeting Android and iOS, according to iVerify. The toolkit grants persistent access to messages, precise GPS history, notifications, camera, microphone and keystroke capture, and exposes a dedicated web dashboard for rapid device profiling. Infections are commonly initiated via smishing, counterfeit app stores, phishing emails and links shared through messaging apps.

ZeroDayRAT Spyware Offers Full Remote Control of Devices

🔐 ZeroDayRAT is a commercial mobile spyware being sold on Telegram that grants attackers comprehensive remote control over Android (5–16) and iOS (up to 26) devices. The toolkit provides a management panel displaying device metadata and supports data theft, live audio/video capture, location tracking, SMS interception for OTPs, keylogging, and modules targeting cryptocurrency wallets and banking apps. iVerify warns it can enable enterprise breaches if employee devices are compromised and advises installing apps only from official stores and enabling protections such as Lockdown Mode on iOS and Advanced Protection on Android.