< ciso brief />

All news with #mobile security tag

194 articles · page 5 of 10

ZOLL ePCR iOS App Vulnerability Exposes Local Data

🔒 The ZOLL ePCR iOS mobile application (version 2.6.7) contains a WebView input-sanitization flaw (CVE-2025-12699) that can reflect attacker-controlled strings into rendered HTML/JavaScript. Proof-of-concept testing shows injected scripts may read local application files, potentially exposing device telemetry and protected health information (PHI). CISA assigns a CVSS v3.1 base score of 5.5 (MEDIUM), notes the issue is not remotely exploitable, and reports no known public exploitation. ZOLL decommissioned the iOS app in May 2025 and has no replacement planned.

iPhone Lockdown Mode Blocks FBI Extraction, Shows Limits

🔒 A court filing shows the FBI's Computer Analysis Response Team (CART) could not extract a Washington Post reporter's iPhone because Apple's Lockdown Mode was enabled. The raid and seizure occurred in January during an investigation into leaks of classified information tied to a government contractor. The filing contrasts devices the FBI could access with the iPhone that resisted standard forensic tools, suggesting Lockdown Mode can impede common extraction techniques.

Samsung Knox Enhances Mobile Network Security Controls

🔒 Samsung Knox provides built‑in, per‑app network controls, detailed access logs, and a Zero Trust Network Access framework that complements existing VPN deployments. Its firewall supports IPv4/IPv6 filtering, domain and subdomain rules, split DNS tunneling, and context-rich logging (app package, domain/IP, timestamp) to accelerate investigations and reduce false positives. Integrated device health signals and hardware‑backed lockdowns enable dynamic policy enforcement without multiple agents. Certified for SOC 2 and compatible with leading MDM/UEM and SIEM platforms, Knox simplifies deployment while improving visibility for security teams.

Smartphones Now Central to Nearly Every Police Probe

🔍 A Cellebrite 2026 Industry Trends Report based on 1,200 law enforcement respondents across 63 countries finds digital evidence — particularly from smartphones — has become central to almost all investigations. Some 95% of practitioners say digital evidence is key to solving cases and 97% point to smartphones as a top source. Agencies report increasing complexity, locked devices in over half of cases, and growing resource reallocations to handle digital work, while many see AI as useful but constrained by policy.

Apple adds carrier-level option to limit precise location

🛡️ Apple has added a Limit Precise Location setting in iOS 26.3 and later that restricts the location information mobile carriers receive via cell-tower connections, sharing only an approximate area rather than a precise street address. The toggle applies to specific models — iPhone Air, iPhone 16e, and iPad Pro (M5) Wi‑Fi + Cellular — and requires carrier support; currently supported networks include Telekom (Germany), EE and BT (UK), Boost Mobile (US), and AIS and True (Thailand). Apple says the feature does not affect Location Services or location sharing with friends and family, and it does not change emergency-call location data; users enable it in Settings → Cellular → Cellular Data Options and a restart may be required.

Google strengthens Android theft protection features

🔒 Google has introduced stronger authentication safeguards and enhanced recovery tools to make smartphones harder targets for thieves. The update adds granular controls for Failed Authentication Lock, expands Identity Check to protect all apps using the Android Biometric Prompt (including Google Password Manager and third‑party banking apps), and introduces longer lockout times to slow guessing attempts. Remote Lock now offers an optional security challenge to verify ownership, and for new devices in Brazil Google will enable Theft Detection Lock and Remote Lock by default. Authentication safeguards require Android 16+; recovery tools require Android 10+.

WhatsApp Launches Strict Account Settings Lockdown

🔒 Meta has begun rolling out a new WhatsApp feature called Strict Account Settings that provides lockdown-style protections for journalists, public figures, and other high-risk users. The option, enabled only from a user's primary device under Settings > Privacy > Advanced, enforces the strictest privacy controls, including mandatory two-step verification and blocking media and calls from unknown senders. It also hides profile data, disables link previews, and limits features that could expose users to sophisticated spyware. Meta said the feature is intended for the small number of users who face targeted, high-risk campaigns.

GhostChat romance-scam: targeted Android spyware in Pakistan

🔍 ESET researchers disclosed a targeted Android espionage campaign (published 28 Jan 2026) that used a fake dating app called GhostChat (detected as Android/Spy.GhostChat.A) to lure victims in Pakistan. The app, never on Google Play and requiring manual install from unknown sources, presents locked female profiles with hardcoded access codes and embedded WhatsApp numbers to drive victims into operator-controlled chats. Once executed it requests broad permissions, immediately exfiltrates device identifiers, contacts and a wide range of files, and continues to upload newly created images and documents on a scheduled basis. ESET linked related Windows activity using the same C2 infrastructure, published IoCs and sample hashes (for example SHA-1 B15B1F3F2227EBA4B69C85BDB638DF34B9D30B6A), and shared findings with Google; known variants are blocked by Play Protect on devices with Google Play Services.

Android Theft Protection Updates: Smarter, Stronger

🔒 The Android Security Team announced a set of theft protection updates designed to make devices harder targets for criminals. The changes are available on devices running Android 16+, with recovery tools available on Android 10+; they add a dedicated toggle for Failed Authentication Lock, expand Identity Check coverage to all apps using the Biometric Prompt, and increase lockout times while preventing identical repeated guesses from counting toward retries. Remote Lock gains an optional security challenge, and new devices activated in Brazil will ship with Theft Detection Lock and Remote Lock enabled by default.

Growing Android Threats in 2026: Fake Apps and NFC Risks

🛡️ In 2025–2026 Android ecosystems saw a sharp rise in malware distributed via sideloading, fake app stores and messaging platforms, alongside a surge in NFC-based cash-out schemes. Kaspersky highlights prolific families such as ClayRat, rising Trojan bankers and preinstalled firmware threats like Triada, and documents social-engineered VPN and relay attacks. The report emphasizes strict mobile hygiene and recommends Kaspersky for Android to detect trojanized APKs, block phishing and mitigate NFC exploits.

Common Apple Pay Scams and Practical Safety Steps in 2025

🔒 Apple Pay's convenience has made it a target for social-engineering scams; attackers generally manipulate users rather than exploit the platform's tokenization or biometric defenses. The article outlines common schemes — phishing/smishing, marketplace and overpayment/refund frauds, fake receipts, unsolicited payments, and evil‑twin Wi‑Fi — and highlights red flags like requests for 2FA codes. Recommended defenses include enabling Stolen Device Protection, turning on card notifications, using chargeback-eligible cards, and employing a VPN on public networks.

Android Click-Fraud Malware Uses AI to Tap Hidden Ads

🤖 Researchers at Doctor Web discovered an Android click‑fraud trojan family that leverages TensorFlow.js to visually detect and interact with advertisement elements inside a hidden WebView. In a 'phantom' mode the malware renders a virtual screen, captures screenshots, and feeds them to an ML model to identify and tap the correct UI element, avoiding DOM-based click routines. A separate 'signalling' mode streams the virtual browser to attackers via WebRTC, permitting real-time tapping, scrolling, and text entry. Infected apps were distributed through Xiaomi's GetApps, third‑party APK sites, and messaging channels.

WhisperPair: Bluetooth Headset Tracking Vulnerability

🔒 A newly disclosed flaw called WhisperPair (CVE-2025-36911) lets an attacker pair with many Bluetooth headsets by abusing Google Fast Pair requests, even when accessories are not in pairing mode. In roughly 10 seconds and within about 14 meters, a hostile device can assume owner-level privileges, enabling microphone access, audio control, or remote location tracking via Google Find Hub. iPhone and other non‑Android users face elevated risk because an attacker can register the headset to the attacker's own Google account if it has never been paired to Android. Mitigations include installing vendor firmware updates, performing a factory reset, or using a trusted Android device to claim ownership if no patch is available.

Intune MAM update enforces latest SDKs or blocks apps

⚠️ Microsoft is enforcing new Intune MAM security requirements beginning January 19 (or shortly after), requiring updated iOS SDKs/wrappers and an updated Android Company Portal to keep apps running. Enterprises that don’t update wrapped or SDK-integrated apps — including Outlook and Teams — risk having those apps blocked from launching. Admins should rebuild or rewrap affected apps, push updates, enable conditional launch policies, and monitor App Protection Status to avoid user outages.

Kimwolf/AISURU Botnet Infects Over Two Million Devices

🚨 Black Lotus Labs said it null-routed traffic to more than 550 command-and-control nodes tied to the AISURU/Kimwolf botnet after detecting rapid growth beginning in early October 2025. Researchers attribute the expansion to a malicious ByteConnect SDK delivered to unsanctioned Android TV devices and proxy services that expose Android Debug Bridge (ADB). The botnet, leveraged for DDoS and residential proxy leasing, has infected more than two million devices and has been linked to hosting providers and proxy marketplaces where compromised nodes were offered for sale.

NFCGate Relay Attacks: Evolving Mobile Payment Fraud

🔒 This article examines how NFC relay attacks built on the open-source NFCGate tool have been adapted by criminals to steal funds via smartphone payments. It describes both the original direct relay—where a victim’s phone reads their card and relays data to a mule—and the newer reverse relay that causes victims to unknowingly emulate an attacker’s card. The author outlines documented campaigns from 2023–2025, malware families involved, and practical precautions to reduce risk.

Google Confirms Android Bug Affecting Volume Keys on Devices

🔊 Google acknowledged a software bug that causes volume buttons to control the device's Accessibility volume instead of the Media volume when the Select to Speak accessibility service is enabled. The issue also prevents using volume keys as a shutter shortcut in the Camera app. Google has not specified which Android versions or how many users are affected, nor provided an ETA for a permanent fix. A temporary workaround is to disable Select to Speak via Settings → Accessibility.

Ghost Tap Malware Drives Remote NFC Payment Fraud Surge

📱 Group-IB researchers have documented Android malware enabling unauthorized tap-to-pay transactions by remotely relaying NFC card data. Malicious APK samples—over 54 identified—are distributed in Chinese-language Telegram cybercrime communities and often disguise themselves as legitimate financial apps. Attackers use smishing and vishing to get victims to install a 'reader' app and tap their card; a criminal 'tapper' app and illicit POS terminals then complete the payment. Prominent vendors, including TX-NFC, X-NFC and NFU Pay, sell access via subscriptions and support.

Kimwolf Android Botnet Abuses Residential Proxies Widely

🛡️ Researchers report the Kimwolf Android botnet — an Aisuru variant — has grown to nearly two million infected hosts by abusing residential proxy services to reach devices on internal networks. The malware scans for unauthenticated Android Debug Bridge (ADB) endpoints on ports such as 5555 and delivers payloads via telnet/netcat, often targeting low-cost Android TV boxes. Affected devices are used for DDoS, proxy resale, and ad-fraud via third-party SDKs; mitigation includes wiping compromised boxes and preferring Google Play Protect-certified hardware from reputable OEMs.

Android SMS Stealer and Droppers Unite in Scaled Attacks

📱 Group-IB reports that adversaries are increasingly using innocuous-looking dropper APKs to deploy the Android SMS stealer Wonderland, enabling bidirectional C2, USSD execution, and OTP interception. Operators tracked as TrickyWonders coordinate via Telegram, abusing stolen sessions and using fake Google Play pages, Facebook ads, dating apps, and messaging platforms to distribute per-build, heavily obfuscated malware. The move to droppers and rapid domain rotation improves stealth and resilience, amplifying financial theft.