< ciso
brief />
Tag Banner

All news with #mobile security tag

205 articles · page 6 of 11

Growing Android Threats in 2026: Fake Apps and NFC Risks

🛡️ In 2025–2026 Android ecosystems saw a sharp rise in malware distributed via sideloading, fake app stores and messaging platforms, alongside a surge in NFC-based cash-out schemes. Kaspersky highlights prolific families such as ClayRat, rising Trojan bankers and preinstalled firmware threats like Triada, and documents social-engineered VPN and relay attacks. The report emphasizes strict mobile hygiene and recommends Kaspersky for Android to detect trojanized APKs, block phishing and mitigate NFC exploits.
read more →

Common Apple Pay Scams and Practical Safety Steps in 2025

🔒 Apple Pay's convenience has made it a target for social-engineering scams; attackers generally manipulate users rather than exploit the platform's tokenization or biometric defenses. The article outlines common schemes — phishing/smishing, marketplace and overpayment/refund frauds, fake receipts, unsolicited payments, and evil‑twin Wi‑Fi — and highlights red flags like requests for 2FA codes. Recommended defenses include enabling Stolen Device Protection, turning on card notifications, using chargeback-eligible cards, and employing a VPN on public networks.
read more →

Android Click-Fraud Malware Uses AI to Tap Hidden Ads

🤖 Researchers at Doctor Web discovered an Android click‑fraud trojan family that leverages TensorFlow.js to visually detect and interact with advertisement elements inside a hidden WebView. In a 'phantom' mode the malware renders a virtual screen, captures screenshots, and feeds them to an ML model to identify and tap the correct UI element, avoiding DOM-based click routines. A separate 'signalling' mode streams the virtual browser to attackers via WebRTC, permitting real-time tapping, scrolling, and text entry. Infected apps were distributed through Xiaomi's GetApps, third‑party APK sites, and messaging channels.
read more →

WhisperPair: Bluetooth Headset Tracking Vulnerability

🔒 A newly disclosed flaw called WhisperPair (CVE-2025-36911) lets an attacker pair with many Bluetooth headsets by abusing Google Fast Pair requests, even when accessories are not in pairing mode. In roughly 10 seconds and within about 14 meters, a hostile device can assume owner-level privileges, enabling microphone access, audio control, or remote location tracking via Google Find Hub. iPhone and other non‑Android users face elevated risk because an attacker can register the headset to their Google account if it has never been paired to Android. Mitigations include installing vendor firmware updates, performing a factory reset, or using a trusted Android device to claim ownership if no patch is available.
read more →

Intune MAM update enforces latest SDKs or blocks apps

⚠️ Microsoft is enforcing new Intune MAM security requirements beginning January 19 (or shortly after), requiring updated iOS SDKs/wrappers and an updated Android Company Portal to keep apps running. Enterprises that don’t update wrapped or SDK-integrated apps — including Outlook and Teams — risk having those apps blocked from launching. Admins should rebuild or rewrap affected apps, push updates, enable conditional launch policies, and monitor App Protection Status to avoid user outages.
read more →

Kimwolf/AISURU Botnet Infects Over Two Million Devices

🚨 Black Lotus Labs said it null-routed traffic to more than 550 command-and-control nodes tied to the AISURU/Kimwolf botnet after detecting rapid growth beginning in early October 2025. Researchers attribute the expansion to a malicious ByteConnect SDK delivered to unsanctioned Android TV devices and proxy services that expose Android Debug Bridge (ADB). The botnet, leveraged for DDoS and residential proxy leasing, has infected more than two million devices and has been linked to hosting providers and proxy marketplaces where compromised nodes were offered for sale.
read more →

NFCGate Relay Attacks: Evolving Mobile Payment Fraud

🔒 This article examines how NFC relay attacks built on the open-source NFCGate tool have been adapted by criminals to steal funds via smartphone payments. It describes both the original direct relay—where a victim’s phone reads their card and relays data to a mule—and the newer reverse relay that causes victims to unknowingly emulate an attacker’s card. The author outlines documented campaigns from 2023–2025, malware families involved, and practical precautions to reduce risk.
read more →

Google Confirms Android Bug Affecting Volume Keys on Devices

🔊 Google acknowledged a software bug that causes volume buttons to control the device's Accessibility volume instead of the Media volume when the Select to Speak accessibility service is enabled. The issue also prevents using volume keys as a shutter shortcut in the Camera app. Google has not specified which Android versions or how many users are affected, nor provided an ETA for a permanent fix. A temporary workaround is to disable Select to Speak via Settings → Accessibility.
read more →

Ghost Tap Malware Drives Remote NFC Payment Fraud Surge

📱 Group-IB researchers have documented Android malware enabling unauthorized tap-to-pay transactions by remotely relaying NFC card data. Malicious APK samples—over 54 identified—are distributed in Chinese-language Telegram cybercrime communities and often disguise themselves as legitimate financial apps. Attackers use smishing and vishing to get victims to install a 'reader' app and tap their card; a criminal 'tapper' app and illicit POS terminals then complete the payment. Prominent vendors, including TX-NFC, X-NFC and NFU Pay, sell access via subscriptions and support.
read more →

Kimwolf Android Botnet Abuses Residential Proxies Widely

🛡️ Researchers report the Kimwolf Android botnet — an Aisuru variant — has grown to nearly two million infected hosts by abusing residential proxy services to reach devices on internal networks. The malware scans for unauthenticated Android Debug Bridge (ADB) endpoints on ports such as 5555 and delivers payloads via telnet/netcat, often targeting low-cost Android TV boxes. Affected devices are used for DDoS, proxy resale, and ad-fraud via third-party SDKs; mitigation includes wiping compromised boxes and preferring Google Play Protect-certified hardware from reputable OEMs.
read more →

Android SMS Stealer and Droppers Unite in Scaled Attacks

📱 Group-IB reports that adversaries are increasingly using innocuous-looking dropper APKs to deploy the Android SMS stealer Wonderland, enabling bidirectional C2, USSD execution, and OTP interception. Operators tracked as TrickyWonders coordinate via Telegram, abusing stolen sessions and using fake Google Play pages, Facebook ads, dating apps, and messaging platforms to distribute per-build, heavily obfuscated malware. The move to droppers and rapid domain rotation improves stealth and resilience, amplifying financial theft.
read more →

Kimsuky Distributes DocSwap Android RAT via QR Phish

📱 ENKI links the North Korean actor Kimsuky to a campaign delivering a new Android remote-access trojan dubbed DocSwap via QR codes on phishing sites impersonating CJ Logistics. Victims are lured by smishing or phishing to scan a QR that prompts installation of a malicious "SecDelivery.apk," which decrypts and loads an embedded payload and requests broad permissions. The app mimics OTP authentication to reassure users while launching a background service that connects to attacker infrastructure and exposes capabilities including keystroke logging, audio and camera capture, and data exfiltration.
read more →

Smashing Security 448: Kindle exploit, account and card risk

🎧 In episode #448 of Smashing Security, Graham Cluley and guest Danny Palmer discuss a Black Hat Europe disclosure showing how a boobytrapped audiobook could exploit an Amazon Kindle e‑reader. The research suggests a malformed audio file might let an attacker gain persistent access, break into an account and seize a saved credit card. The episode also revisits Ireland’s HSE ransomware fallout, where victims were reportedly offered €750 each, and includes a Pick of the Week. Listeners are urged to keep devices updated and monitor accounts for suspicious activity.
read more →

WhatsApp device-linking abused in GhostPairing campaign

🔒 Threat actors are abusing WhatsApp's legitimate device-linking feature in a campaign named GhostPairing, tricking victims into entering pairing codes on fake verification pages. Once a code is submitted, attackers gain full access to conversations and shared media and can send messages as the victim to propagate the lure. Users should check Settings → Linked Devices for unauthorized sessions, block and report suspicious messages, and enable two-factor authentication.
read more →

Kimwolf Botnet Hijacks 1.8M Android TV Devices Worldwide

🛡️ Researchers at QiAnXin XLab disclosed a large-scale NDK-compiled botnet dubbed Kimwolf that has infected at least 1.8 million Android-based TVs, set-top boxes, and tablets across multiple countries. The infrastructure issued an estimated 1.7 billion DDoS commands over a three-day period in November 2025 and supports 13 UDP/TCP/ICMP attack methods while also offering proxy forwarding, reverse shell, and file management functions. Operators responded to repeated C2 takedowns by moving to ENS domains and deploying an EtherHiding technique that resolves C2 IPs via a smart contract.
read more →

Cellik Android MaaS Builds Malicious Play Store Apps

⚠️ Cellik is a new Android malware-as-a-service advertised on underground forums that enables operators to create trojanized copies of legitimate Google Play apps. Attackers can select Play Store apps and build malicious APKs that retain the original UI, potentially helping infections remain unnoticed and, the seller claims, bypass Play Protect. The service, discovered by iVerify, is offered for $150 per month or $900 for lifetime access and includes capabilities such as screen streaming, notification interception, file exfiltration, a hidden browser mode, and an encrypted command-and-control channel.
read more →

DroidLock Android Malware Locks Devices, Demands Ransom

🔒 Zimperium researchers uncovered a new Android malware family called DroidLock that locks victims’ screens, steals messages and call data, and can remotely control devices via VNC. The threat targets Spanish-speaking users and is distributed through malicious websites that impersonate legitimate apps and deliver a dropper which installs a secondary payload. The payload requests Device Admin and Accessibility privileges to perform actions such as wiping devices, changing lock credentials, recording audio, starting the camera, and placing overlays that capture lock patterns. Operators serve a ransom WebView directing victims to contact a Proton email and threaten permanent file destruction within 24 hours if unpaid.
read more →

ClayRat Android Spyware Upgraded with Greater Control

🔒 A new version of the ClayRat Android spyware significantly expands surveillance and device-control features, researchers at Zimperium report. The campaign now pairs Default SMS privileges with aggressive abuse of Accessibility Services to enable a keylogger that captures PINs, passwords and unlock patterns, full-screen recording via the MediaProjection API, deceptive overlays and automated taps that hinder removal. Over 700 unique APKs and more than 25 active phishing domains — including impersonations of video platforms and car apps — have been observed distributing the malware.
read more →

Intellexa Predator Leaks Reveal Zero-Days and Ad Abuse

🔎 Amnesty International reports a Pakistani human rights lawyer received a WhatsApp link tied to a Predator 1-click attempt, the first known targeting of Balochistan civil society by Intellexa's spyware. Jointly published leaks and vendor analyses show Predator (also marketed as Helios, Nova and Green Arrow) used messaging, ad-based and ISP-assisted vectors plus multiple zero-day exploits to install surveillance payloads. Google Threat Intelligence Group mapped numerous V8, WebKit, Android kernel and other CVEs to the campaign and documented a modular iOS exploitation framework named JSKit and a post-exploitation payload called PREYHUNTER. The disclosures raise urgent questions about exploit sourcing, customer access to logs, and human rights due diligence.
read more →

Intellexa's Predator Spyware Continues Despite Sanctions

📣 Leaked documents and coordinated technical reports indicate the Intellexa surveillance consortium continues to develop, sell and operate its Predator spyware despite multiple sanctions. Analyses from Google Threat Intelligence Group, Recorded Future and Amnesty’s Security Lab attribute numerous mobile browser zero-day exploits and new infection methods to the vendor. Amnesty disclosed a novel Aladdin zero-click vector that abuses the mobile advertising ecosystem to deliver malicious ads which infect devices on view, while Recorded Future and Google documented Intellexa’s outsized share of exploited zero-days. The combined findings point to active customers, new nexus entities and ongoing global operations.
read more →