All news with #mobile security tag

194 articles · page 6 of 10

Kimsuky Distributes DocSwap Android RAT via QR Phish

📱 ENKI links the North Korean actor Kimsuky to a campaign delivering a new Android remote-access trojan dubbed DocSwap via QR codes on phishing sites impersonating CJ Logistics. Victims are lured by smishing or phishing to scan a QR that prompts installation of a malicious "SecDelivery.apk," which decrypts and loads an embedded payload and requests broad permissions. The app mimics OTP authentication to reassure users while launching a background service that connects to attacker infrastructure and exposes capabilities including keystroke logging, audio and camera capture, and data exfiltration.
Smashing Security 448: Kindle exploit, account and card risk

🎧 In episode #448 of Smashing Security, Graham Cluley and guest Danny Palmer discuss a Black Hat Europe disclosure showing how a booby-trapped audiobook could exploit an Amazon Kindle e‑reader. The research suggests a malformed audio file might let an attacker gain persistent access, break into an account and seize a saved credit card. The episode also revisits Ireland’s HSE ransomware fallout, where victims were reportedly offered €750 each, and includes a Pick of the Week. Listeners are urged to keep devices updated and monitor accounts for suspicious activity.
WhatsApp device-linking abused in GhostPairing campaign

🔒 Threat actors are abusing WhatsApp's legitimate device-linking feature in a campaign named GhostPairing, tricking victims into entering pairing codes on fake verification pages. Once a code is submitted, attackers gain full access to conversations and shared media and can send messages as the victim to propagate the lure. Users should check Settings → Linked Devices for unauthorized sessions, block and report suspicious messages, and enable two-factor authentication.
Kimwolf Botnet Hijacks 1.8M Android TV Devices Worldwide

🛡️ Researchers at QiAnXin XLab disclosed a large-scale NDK-compiled botnet dubbed Kimwolf that has infected at least 1.8 million Android-based TVs, set-top boxes, and tablets across multiple countries. The infrastructure issued an estimated 1.7 billion DDoS commands over a three-day period in November 2025 and supports 13 UDP/TCP/ICMP attack methods while also offering proxy forwarding, reverse shell, and file management functions. Operators responded to repeated C2 takedowns by moving to ENS domains and deploying an EtherHiding technique that resolves C2 IPs via a smart contract.
Cellik Android MaaS Builds Malicious Play Store Apps

⚠️ Cellik is a new Android malware-as-a-service advertised on underground forums that enables operators to create trojanized copies of legitimate Google Play apps. Attackers can select Play Store apps and build malicious APKs that retain the original UI, potentially helping infections remain unnoticed and, the seller claims, bypass Play Protect. The service, discovered by iVerify, is offered for $150 per month or $900 for lifetime access and includes capabilities such as screen streaming, notification interception, file exfiltration, a hidden browser mode, and an encrypted command-and-control channel.
DroidLock Android Malware Locks Devices, Demands Ransom

🔒 Zimperium researchers uncovered a new Android malware family called DroidLock that locks victims’ screens, steals messages and call data, and can remotely control devices via VNC. The threat targets Spanish-speaking users and is distributed through malicious websites that impersonate legitimate apps and deliver a dropper which installs a secondary payload. The payload requests Device Admin and Accessibility privileges to perform actions such as wiping devices, changing lock credentials, recording audio, starting the camera, and placing overlays that capture lock patterns. Operators serve a ransom WebView directing victims to contact a Proton email and threaten permanent file destruction within 24 hours if unpaid.
ClayRat Android Spyware Upgraded with Greater Control

🔒 A new version of the ClayRat Android spyware significantly expands surveillance and device-control features, researchers at Zimperium report. The campaign now pairs Default SMS privileges with aggressive abuse of Accessibility Services to enable a keylogger that captures PINs, passwords and unlock patterns, full-screen recording via the MediaProjection API, deceptive overlays and automated taps that hinder removal. Over 700 unique APKs and more than 25 active phishing domains — including impersonations of video platforms and car apps — have been observed distributing the malware.
Intellexa Predator Leaks Reveal Zero-Days and Ad Abuse

🔎 Amnesty International reports a Pakistani human rights lawyer received a WhatsApp link tied to a Predator 1-click attempt, the first known targeting of Balochistan civil society by Intellexa's spyware. Jointly published leaks and vendor analyses show Predator (also marketed as Helios, Nova and Green Arrow) used messaging, ad-based and ISP-assisted vectors plus multiple zero-day exploits to install surveillance payloads. Google Threat Intelligence Group mapped numerous V8, WebKit, Android kernel and other CVEs to the campaign and documented a modular iOS exploitation framework named JSKit and a post-exploitation payload called PREYHUNTER. The disclosures raise urgent questions about exploit sourcing, customer access to logs, and human rights due diligence.
Intellexa's Predator Spyware Continues Despite Sanctions

📣 Leaked documents and coordinated technical reports indicate the Intellexa surveillance consortium continues to develop, sell and operate its Predator spyware despite multiple sanctions. Analyses from Google Threat Intelligence Group, Recorded Future and Amnesty’s Security Lab attribute numerous mobile browser zero-day exploits and new infection methods to the vendor. Amnesty disclosed a novel Aladdin zero-click vector that abuses the mobile advertising ecosystem to deliver malicious ads which infect devices on view, while Recorded Future and Google documented Intellexa’s outsized share of exploited zero-days. The combined findings point to active customers, new nexus entities and ongoing global operations.
Predator Spyware Uses Ad-Based Zero-Click Infection

📢 Researchers report that the Predator spyware operator Intellexa developed a zero-click delivery mechanism called Aladdin that can infect targets simply by serving a weaponized advertisement. The technique abuses commercial mobile advertising systems and Demand Side Platforms to force malicious ads to specific IPs and devices, with viewing alone triggering redirections to exploit servers. First deployed in 2024 and routed through shell companies across multiple countries, the campaign is corroborated by leaked Intellexa documents and technical analysis from Amnesty, Google, and Recorded Future. Analysts recommend blocking ads, hiding public IPs, and using platform protections, though leaked materials suggest operators can obtain subscriber IP/location data from local mobile operators.
Google Extends Android In-Call Scam Protection to US Banks

🔒 Google is expanding its Android in-call scam protection to cover several U.S. financial apps, including Cash App and the JPMorgan Chase mobile banking app. The feature, introduced with Android 16, warns users when they launch a financial app while sharing their screen during a call with an unknown number, presenting a persistent 30-second alert that only allows ending the call. The protection runs on Android 11 and later and remains in a testing phase.
Android expands in-call scam protection to banks and fintech

🔒 Android is expanding its pilot for in-call scam protection, which detects when users launch participating financial apps while screen sharing during calls from unsaved numbers. The feature warns users, offers a one-tap option to end the call and stop sharing, and enforces a 30-second pause to disrupt social engineering. After success in the UK and pilots in Brazil and India, Google is rolling out pilots with US fintechs including Cash App and banks such as JPMorgan Chase.
Intellexa Continues Exploitation of Zero-Day Bugs Worldwide

🔍 Google Threat Intelligence Group (GTIG) analysis shows that Intellexa, vendor of the Predator spyware, continues to develop and deploy zero‑day exploits against mobile browsers and operating systems despite sanctions. GTIG attributes 15 unique zero‑days to Intellexa out of roughly 70 discovered since 2021, spanning RCE, sandbox escape, and LPE flaws on iOS, Android, and Chrome. The company uses modular exploit frameworks, acquires exploit chain steps from third parties, delivers payloads via one‑time messaging links and malvertising, and embeds anti‑analysis watcher modules to abort operations on detection.
India Orders Messaging Apps to Bind Accounts to SIMs

🔒 India's Department of Telecommunications (DoT) has directed messaging apps to bind accounts to an active, KYC‑verified SIM linked to the user's mobile number, with platforms required to comply within 90 days. The amendment to the Telecommunications (Telecom Cyber Security) Rules, 2024 aims to curb phishing, cross‑border fraud and remote account takeovers by closing gaps from long‑lived web/desktop sessions. Providers must enforce continuous SIM linkage and force web sessions to log out every six hours, requiring QR re‑linking. The DoT also announced a Mobile Number Validation (MNV) platform for decentralized, privacy‑compliant verification.
CISA Adds Two Android Vulnerabilities to KEV Catalog

⚠️ CISA added two Android Framework vulnerabilities to the KEV Catalog: CVE-2025-48572 (privilege escalation) and CVE-2025-48633 (information disclosure). Both issues show evidence of active exploitation and pose significant risk to the federal enterprise. Under BOD 22-01, FCEB agencies must remediate cataloged vulnerabilities by their due dates; CISA strongly urges all organizations to prioritize timely patching and other mitigations.
Google patches 107 Android zero-days and critical flaws

🔒 In its December Android Security Bulletin, Google disclosed 107 zero-day vulnerabilities affecting Android and AOSP-based systems, publishing fixes for 51 issues on December 1 and promising the remaining 56 on December 5. Among the patched flaws, two high-severity framework bugs (CVE-2025-48633 and CVE-2025-48572) may be under limited targeted exploitation and affect Android 13–16. The bulletin also lists a critical framework vulnerability (CVE-2025-48631) that can cause a remote denial-of-service without additional privileges. Patches for kernel and third-party components from vendors such as Arm, MediaTek, Qualcomm and others will follow.
ICO Reviews Mobile Games for Children's Code Compliance

🕹️ The UK Information Commissioner's Office has launched a focused review of 10 popular mobile games to assess compliance with the Children’s Code (Age-Appropriate Design Code). The review will scrutinize default privacy settings, geolocation controls, targeted advertising and other design features that could affect children’s privacy. The ICO cited parental research showing high levels of concern about data collection, exposure to strangers and harmful content in mobile games.
Google Issues December Patch for 107 Android Flaws

🔒 Google released its December 2025 Android security update addressing 107 vulnerabilities across Framework, System, Kernel and components from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unison. Two high-severity Framework defects — CVE-2025-48633 (information disclosure) and CVE-2025-48572 (privilege elevation) — are reported as exploited in the wild. A separate critical Framework issue, CVE-2025-48631, could enable remote DoS without added privileges. Google published two patch levels, 2025-12-01 and 2025-12-05, and users should update promptly when vendors release device-specific builds.
SmartTube Android TV App Breached, Malicious Update Pushed

⚠️ The popular open-source SmartTube YouTube client for Android TV was compromised after the developer's signing keys were stolen, allowing a malicious update to be distributed to users. A hidden native library, libalphasdk.so, was discovered in release builds and appears absent from the public source. The library runs silently, fingerprints devices, registers them with a remote backend, and exchanges encrypted configuration, while the developer has revoked the old signature and plans a rebuilt app under a new ID, though definitive safe versions and a full public post-mortem are not yet available.
India Orders Phones to Preinstall Government Cyber App

📱 India’s telecommunications ministry has instructed major handset manufacturers to preload the government-backed cybersecurity app Sanchar Saathi on all new phones within 90 days, according to Reuters. The directive, dated November 28, 2025, reportedly requires the app to be non-removable and non-disableable and mandates pushing it via updates to devices already in the supply chain. Sanchar Saathi enables reporting of fraud and malicious links, blocking and tracking stolen devices, and checking multiple mobile connections; it has more than 11.4 million installs and has helped trace and recover hundreds of thousands of handsets.