< ciso
brief />
Tag Banner

All news with #mobile security tag

205 articles · page 9 of 11

How Android Uses AI to Protect Users from Scams Globally

🔒 Android applies layered Google AI to anticipate and block mobile scams before they reach users. Built-in protections—such as Google Messages spam filtering and on-device Scam Detection, plus Phone by Google automatic call blocking and Call Screen—identify conversational scam patterns and surface real-time warnings. Android blocks over 10 billion suspected malicious calls and messages monthly and recently stopped more than 100 million suspicious numbers from using RCS. Protections are ephemeral, on-device where possible, and continuously updated to adapt to evolving threats.
read more →

Google's Android AI Blocks Billions of Scam Messages

📱 Google says built-in scam defenses on Android prevent more than 10 billion suspected malicious calls and messages every month and have blocked over 100 million suspicious numbers from using RCS. The company uses on-device artificial intelligence to filter likely spam into the "spam & blocked" folder in Google Messages and recently rolled out safer link warnings for flagged messages. Analysis of user reports in August 2025 identified employment fraud as the most common scam type, while scammers increasingly employ group-message tactics and time-of-day scheduling to increase success rates.
read more →

Herodotus Android Trojan Mimics Humans to Evade Fraud

⚠️ Herodotus, a new Android banking trojan, has been observed conducting device takeover (DTO) attacks in Italy and Brazil and was advertised as a malware‑as‑a‑service supporting Android 9–16. According to ThreatFabric, it abuses accessibility services and overlay screens to steal credentials and SMS 2FA, intercept the screen, and install remote APKs. Uniquely, operators added randomized typing delays (300–3000 ms) to mimic human input and evade behaviour‑based anti‑fraud detections.
read more →

Herodotus Android malware mimics human typing behavior

🛡️ Herodotus is a newly observed Android malware family offered as a MaaS that deliberately mimics human input timing to evade behavior-based detection. Threat Fabric says operators likely linked to Brokewell are distributing a dropper via smishing targeting Italian and Brazilian users. The installer requests Accessibility access and uses deceptive overlays to hide permission flows while a built-in "humanizer" inserts randomized 0.3–3s delays between keystrokes to imitate human typing. Users should avoid sideloading APKs, enable Play Protect, and promptly review or revoke Accessibility permissions for unfamiliar apps.
read more →

Samsung Galaxy S25 Hacked at Pwn2Own Ireland 2025 Event

🔒 At Pwn2Own Ireland 2025, researchers from Mobile Hacking Lab and Summoning Team successfully exploited a Samsung Galaxy S25 using a five‑vulnerability chain to achieve code execution. The findings, credited to Ken Gannon and Dimitrios Valsamaras, were surrendered to Samsung under the event's coordinated disclosure rules. Hours later a second team, Interrupt Labs, used an improper input validation bug to seize camera and location access. Each team received $50,000; Samsung has 90 days to issue fixes.
read more →

AI-Powered Mobile Threats Elevate Need to Rethink Security

📱 The 2025 Verizon Mobile Security Index underscores growing danger as mobile devices account for the majority of global internet traffic and increasingly serve as primary attack surfaces. Check Point highlights the rise of AI-powered threats, persistent phishing, and human error that expand exposure. Organizations must rethink security architectures, strengthen endpoint controls, and adopt AI-aware defenses across apps, devices, and identities to reduce risk.
read more →

Supporting Teens Online: Beyond Bans Toward Guidance

👪 The early teen years are pivotal for digital development, and trust between parents and teens matters more than any single setting. Tools like Family Link and YouTube’s supervised experience are valuable, but parents juggling multiple children, apps and devices need simpler solutions—AI assistants could configure age- and app-specific controls. Rather than blanket bans, the piece calls for thoughtful restrictions developed with parents, schools and communities alongside independent digital literacy standards.
read more →

Pixnapping: Pixel-by-pixel Android MFA code theft

🔍 A new side‑channel attack called Pixnapping allows a permissionless Android app to infer and reconstruct on‑screen pixels and steal sensitive content such as one‑time authentication codes, chat messages, and emails. The technique abuses Android intents and SurfaceFlinger compositing to isolate and enlarge individual pixels, then uses a GPU compression side channel to leak visual data. The proof‑of‑concept from a team of seven U.S. university researchers works on modern Pixel and Samsung devices and can extract 2FA codes in under 30 seconds; Google issued an initial mitigation (CVE‑2025‑48561) in September that was bypassed, and a broader fix is planned for December 2025, with Samsung committing to patches as well.
read more →

ClayRat Android spyware mimics popular apps to spread

📱 A new Android spyware campaign called ClayRat is tricking users by posing as well-known apps and services such as WhatsApp, Google Photos, TikTok, and YouTube and distributing APKs via Telegram channels and fraudulent websites. Researchers at Zimperium say they documented over 600 samples and 50 distinct droppers in three months, noting that some use a session-based installation and encrypted payloads to bypass Android defenses. Once installed, ClayRat can assume the default SMS handler, exfiltrate SMS and call logs, capture notifications and front-camera photos, make calls, send mass SMS for propagation, and communicate with C2 servers (recent versions use AES-GCM); Play Protect now blocks known variants.
read more →

ClayRat Android Spyware Uses Fake Apps to Spread in Russia

📱 A new Android spyware campaign known as ClayRat has been observed targeting users in Russia through fake app installers and Telegram channels. Operators impersonate popular apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick victims into sideloading APKs or running lightweight droppers that reveal hidden encrypted payloads. Once active, the malware requests default SMS status and can exfiltrate SMS, call logs, notifications, device details, take photos, and even send messages or place calls while automatically propagating to contacts. Zimperium reports roughly 600 samples and 50 droppers detected in the last 90 days, with continuous obfuscation to evade defenses.
read more →

ClayRat Android Spyware Turns Phones Into SMS Hubs

🔔 A fast-evolving Android spyware campaign dubbed ClayRat has produced over 600 samples and 50 droppers in three months, researchers say. The malware is distributed via phishing sites and Telegram channels that impersonate popular apps like TikTok, YouTube and Google Photos to trick users into sideloading infected APKs. Once granted SMS privileges, ClayRat can read and send messages, harvest contacts and call logs, take front-camera photos, exfiltrate data to C2 servers, and automatically text malicious links to all contacts, turning each compromised device into a propagation hub.
read more →

ClayRat Android Spyware Campaign Targets Russian Users

🛡️Researchers at Zimperium zLabs have identified a rapidly evolving Android spyware campaign, dubbed ClayRat, targeting users in Russia via Telegram channels and phishing sites. The malware is distributed inside fake apps impersonating services such as WhatsApp, TikTok, Google Photos and YouTube, and operators are using fake reviews, download counts and step-by-step guides to trick victims. Once granted privileges, ClayRat can exfiltrate SMS, call logs and notifications, take front-camera photos, and even send messages or place calls while abusing Android's SMS handler role. Security firms report over 600 samples and coordinated disclosure to Google resulted in Play Protect protections.
read more →

How Uber Appears to Know Your Location on iOS Devices

📍 iPhone users have reported receiving airport pickup prompts from Uber even when the app’s location permission is set to Only While Using. The notifications are generated locally by iOS using Apple’s UNLocationNotificationTrigger, which fires preconfigured alerts when a device enters or exits a geofenced area. Uber does not receive location data until you open the app, but the notification’s wording can misleadingly suggest active tracking.
read more →

Study Finds Major Security Flaws in Popular Free VPN Apps

🔍 Zimperium zLabs’ analysis of 800 Android and iOS free VPN apps found widespread privacy and security weaknesses, including outdated libraries, weak encryption, and misleading privacy disclosures. The report highlights concrete failures such as vulnerable OpenSSL builds (including Heartbleed-era versions), roughly 1% of apps permitting Man-in-the-Middle decryption, and about 25% of iOS apps lacking valid privacy manifests. Researchers warn excessive permission requests and private entitlements increase risk, especially in BYOD and remote-work environments, and recommend stronger security models, endpoint visibility and zero-trust approaches.
read more →

Google Pixel Phones Added to DoDIN APL for Federal Use

🔒 Google Pixel phones have been added to the DoDIN APL, allowing federal agencies to procure devices that meet Department of Defense network security requirements. Pixel 9 hardware and integrated on-device protections combine with Google Cloud for secure remote management, 5G connectivity, and AI-enabled workflows. Use cases include secure field capture, centralized analytics, and pilots such as TrackInspect for transit infrastructure safety.
read more →

Android spyware campaigns impersonate Signal and ToTok

🔒 Two newly identified Android spyware campaigns, dubbed ProSpy and ToSpy, impersonate Signal and ToTok to trick users into installing malicious APKs masquerading as a Signal encryption plugin or a Pro ToTok build. The malware requests standard messenger permissions and exfiltrates contacts, SMS, media, app lists and ToTok backups. ESET found distribution via cloned websites and noted persistence techniques to survive reboots. Users in the UAE appear to be targeted; download apps only from official stores or publishers and keep Play Protect enabled.
read more →

Android Spyware Posing as Signal Plugin and ToTok Pro

⚠️ Researchers at ESET have uncovered two Android spyware campaigns, ProSpy and ToSpy, that masquerade as a Signal encryption plugin and a ToTok Pro upgrade to target users in the U.A.E. Distributed via fake websites and social engineering, these apps require manual installation and request extensive permissions to persist and exfiltrate contacts, messages, media and device data. Users are advised to avoid installing apps from unofficial sources and to disable installations from unknown origins.
read more →

Android spyware targeting Signal and ToTok users in UAE

🔒 ESET researchers uncovered two previously undocumented Android spyware families—Android/Spy.ProSpy and Android/Spy.ToSpy—distributed via deceptive websites that impersonate Signal, ToTok and even app stores. Both families require manual APK installation from third‑party sites and maintain persistence while exfiltrating contacts, media, documents and chat backups. ToSpy notably seeks .ttkmbackup files and uses AES‑CBC encryption with a hardcoded key; several C&C servers remained active. Google Play Protect already blocks known variants, and ESET shared findings with Google.
read more →

Android malware uses VNC to give attackers hands-on access

🔒 Klopatra is a newly observed Android banking and remote access trojan distributed via a sideloaded dropper app called Modpro IP TV + VPN that has infected over 3,000 devices across Europe. The malware abuses Android Accessibility to capture inputs, exfiltrate clipboard content, simulate taps and gestures, and monitor screens. A concealed black‑screen VNC mode lets operators interact with devices and perform manual bank transactions while the device appears idle. Cleafy notes extensive anti-analysis protections, use of commercial packers, and active development since March 2025.
read more →

F-Droid: Google developer verification may end project

⚠️ F-Droid warns that Google’s planned Developer Verification rule — requiring identity verification for all developers on certified Android devices starting in 2026 — could effectively end the project and restrict access to many free, open-source apps. F-Droid, which builds reproducible packages, checks for trackers and allows anonymous downloading without accounts, says many open-source authors will refuse to register or pay fees and that F-Droid cannot seize app identifiers on their behalf. Google says sideloading will remain possible for verified developers, with exemptions for hobbyists and no change to Android Studio workflows.
read more →