Android | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have demonstrated a proof-of-concept (PoC) rootkit dubbed Curing that leverages a Linux asynchronous I/O mechanism called io_uring to bypass traditional system call monitoring. This causes a "major blind spot in Linux runtime security tools," ARMO said. "This mechanism allows a user application to perform various actions without using system calls," the company said in a report shared with The Hacker News. "As a result, security tools relying on system call monitoring are blind' to rootkits working solely on io_uring." io_uring, first introduced in Linux kernel version 5.1 in March 2019, is a Linux kernel system call interface that employs two circular buffers called a submission queue (SQ) and a completion queue (CQ) between the kernel and an application (i.e., user space) to track the submission and completion of I/O requests in an asynchronous manner. The rootkit devised by ARMO facilitates communication between ...

Cybersecurity researchers have revealed that Russian military personnel are the target of a new malicious campaign that distributes Android spyware under the guise of the Alpine Quest mapping software. "The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs," Doctor Web said in an analysis. The trojan has been found embedded in older versions of the software and propagated as a freely available variant of Alpine Quest Pro , a paid offering that removes advertising and analytics features. The Russian cybersecurity vendor said it also observed the malware, dubbed Android.Spy.1292.origin, being distributed in the form of an APK file via a fake Telegram channel. While the threat actors initially provided a link for downloading the app in one of the Russian app catalogs through the Telegram channel, the trojanized version was later distributed directly as an A...

The problem is simple: all breaches start with initial access, and initial access comes down to two primary attack vectors – credentials and devices. This is not news; every report you can find on the threat landscape depicts the same picture.  The solution is more complex. For this article, we'll focus on the device threat vector. The risk they pose is significant, which is why device management tools like Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) are essential components of an organization's security infrastructure. However, relying solely on these tools to manage device risk actually creates a false sense of security. Instead of the blunt tools of device management, organizations are looking for solutions that deliver device trust . Device trust provides a comprehensive, risk-based approach to device security enforcement, closing the large gaps left behind by traditional device management solutions. Here are 5 of those limitations and how to ov...

A new Android malware-as-a-service (MaaS) platform named SuperCard X can facilitate near-field communication ( NFC ) relay attacks, enabling cybercriminals to conduct fraudulent cashouts. The active campaign is targeting customers of banking institutions and card issuers in Italy with an aim to compromise payment card data, fraud prevention firm Cleafy said in an analysis. There is evidence to suggest that the service is promoted on Telegram channels. SuperCard X "employs a multi-stage approach combining social engineering (via smishing and phone calls), malicious application installation, and NFC data interception for highly effective fraud," security researchers Federico Valentini‍, Alessandro Strino, and Michele Roviello said . The new Android malware, the work of a Chinese-speaking threat actor, has been observed being propagated via three different bogus apps, duping victims into installing them via social engineering techniques like deceptive SMS or WhatsApp mess...

Cybersecurity researchers have found that threat actors are setting up deceptive websites hosted on newly registered domains to deliver a known Android malware called SpyNote . These bogus websites masquerade as Google Play Store install pages for apps like the Chrome web browser, indicating an attempt to deceive unsuspecting users into installing the malware instead. "The threat actor utilized a mix of English and Chinese-language delivery sites and included Chinese-language comments within the delivery site code and the malware itself," the DomainTools Investigations (DTI) team said in a report shared with The Hacker News. SpyNote (aka SpyMax) is a remote access trojan long known for its ability to harvest sensitive data from compromised Android devices by abusing accessibility services. In May 2024, the malware was propagated via another bogus site impersonating a legitimate antivirus solution known as Avast. Subsequent analysis by mobile security firm Zimperium h...

A novice cybercrime actor has been observed leveraging the services of a Russian bulletproof hosting ( BPH ) provider called Proton66 to facilitate their operations. The findings come from DomainTools, which detected the activity after it discovered a phony website named cybersecureprotect[.]com hosted on Proton66 that masqueraded as an antivirus service. The threat intelligence firm said it identified an operational security (OPSEC) failure in the domain that left its malicious infrastructure exposed, thereby revealing the malicious payloads staged on the server.  "This revelation led us down a rabbit hole into the operations of an emerging threat actor known as Coquettte – an amateur cybercriminal leveraging Proton66's bulletproof hosting to distribute malware and engage in other illicit activities," it said in a report shared with The Hacker News. Proton66, also linked to another BPH service known as PROSPERO, has been attributed to several campaigns distribut...

Counterfeit versions of popular smartphone models that are sold at reduced prices have been found to be preloaded with a modified version of an Android malware called Triada . "More than 2,600 users in different countries have encountered the new version of Triada, the majority in Russia," Kaspersky said in a report. The infections were recorded between March 13 and 27, 2025.  Triada is the name given to a modular Android malware family that was first discovered by the Russian cybersecurity company in March 2016. A remote access trojan (RAT), it's equipped to steal a wide range of sensitive information, as well as enlist infected devices into a botnet for other malicious activities. While the malware was previously observed being distributed via intermediate apps published on the Google Play Store (and elsewhere) that gained root access to the compromised phones, subsequent campaigns have leveraged WhatsApp mods like FMWhatsApp and YoWhatsApp as a propagation vec...

A new sophisticated phishing-as-a-service (PhaaS) platform called Lucid has targeted 169 entities in 88 countries using smishing messages propagated via Apple iMessage and Rich Communication Services (RCS) for Android. Lucid's unique selling point lies in its weaponizing of legitimate communication platforms to sidestep traditional SMS-based detection mechanisms. "Its scalable, subscription-based model enables cybercriminals to conduct large-scale phishing campaigns to harvest credit card details for financial fraud," Swiss cybersecurity company PRODAFT said in a technical report shared with The Hacker News. "Lucid leverages Apple iMessage and Android's RCS technology, bypassing traditional SMS spam filters and significantly increasing delivery and success rates." Lucid is assessed to be the work of a Chinese-speaking hacking crew called the XinXin group (aka Black Technology), with the phishing campaigns mainly targeting Europe, the United Kingdom, an...

Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that's primarily designed to target users in Spain and Turkey. "Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging," ThreatFabric said . As with other banking trojans of its kind, the malware is designed to facilitate device takeover ( DTO ) and ultimately conduct fraudulent transactions. An analysis of the source code and the debug messages reveals that the malware author is Turkish-speaking. The Crocodilus artifacts analyzed by the Dutch mobile security company masquerade as Google Chrome (package name: "quizzical.washbowl.calamity"), which act as a dropper capable of  bypassing Android 13+ restrictions .  Once installed and launched, the app requests permission to Android's access...

An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign likely aimed at users in Taiwan under the guise of chat apps. "PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices," Sophos security researcher Pankaj Kohli said in a Thursday analysis. PJobRAT, first documented in 2021, has a track record of being used against Indian military-related targets. Subsequent iterations of the malware have been discovered masquerading as dating and instant messaging apps to deceive prospective victims. It's known to be active since at least late 2019. In November 2021, Meta attributed a Pakistan-aligned threat actor dubbed SideCopy – believed to be a sub-cluster within Transparent Tribe – to the use of PJobRAT and Mayhem as part of highly-targeted attacks directed against people in Afghanistan, specifically those with ties to government, mil...

An advanced persistent threat (APT) group with ties to Pakistan has been attributed to the creation of a fake website masquerading as India's public sector postal system as part of a campaign designed to infect both Windows and Android users in the country. Cybersecurity company CYFIRMA has attributed the campaign with medium confidence to a threat actor called APT36 , which is also known as Transparent Tribe.  The fraudulent website mimicking India Post is named "postindia[.]site." Users who land on the site from Windows systems are prompted to download a PDF document, whereas those visiting from an Android device are served a malicious application package ("indiapost.apk") file. "When accessed from a desktop, the site delivers a malicious PDF file containing ' ClickFix ' tactics," CYFIRMA said . "The document instructs users to press the Win + R keys, paste a provided PowerShell command into the Run dialog, and execute it – potentia...

Hackers have long used Word and Excel documents as delivery vehicles for malware, and in 2025, these tricks are far from outdated. From phishing schemes to zero-click exploits, malicious Office files are still one of the easiest ways into a victim's system. Here are the top three Microsoft Office-based exploits still making the rounds this year and what you need to know to avoid them. 1. Phishing in MS Office: Still Hackers' Favorite Phishing attacks using Microsoft Office files have been around for years, and they're still going strong. Why? Because they work, especially in business environments where teams constantly exchange Word and Excel documents. Attackers know that people are used to opening Office files, especially if they come from what looks like a colleague, a client, or a partner. A fake invoice, a shared report, or a job offer: it doesn't take much to convince someone to click. And once the file is open, the attacker has their chance. Phishing with Offic...

Cybersecurity researchers are calling attention to an Android malware campaign that leverages Microsoft's .NET Multi-platform App UI (.NET MAUI) framework to create bogus banking and social media apps targeting Indian and Chinese-speaking users. "These threats disguise themselves as legitimate apps, targeting users to steal sensitive information," McAfee Labs researcher Dexter Shin said . .NET MAUI is Microsoft's cross-platform desktop and mobile app framework for creating native applications using C# and XAML. It represents an evolution of Xamarin, with added capabilities to not only create multi-platform apps using a single project, but also incorporate platform-specific source code as and when necessary. It's worth noting that official support for Xamarin ended on May 1, 2024 , with the tech giant urging developers to migrate to .NET MAUI. While Android malware implemented using Xamarin has been detected in the past , the latest development signals that ...

The GSM Association (GSMA) has formally announced support for end-to-end encryption (E2EE) for securing messages sent via the Rich Communications Services (RCS) protocol, bringing much-needed security protections to cross-platform messages shared between Android and iOS platforms. To that end, the new GSMA specifications for RCS include E2EE based on the Messaging Layer Security (MLS) protocol via what's called the RCS Universal Profile 3.0 . "The new specifications define how to apply MLS within the context of RCS," Tom Van Pelt, technical director of GSMA, said . "These procedures ensure that messages and other content such as files remain confidential and secure as they travel between clients." This also means that RCS will be the first "large-scale messaging service" to have support for interoperable E2EE between different client implementations from different providers in the near future. It's worth noting that Google's own implemen...

The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean and English-speaking users. Lookout, which shared details of the malware campaign, said the earliest versions date back to March 2022. The most recent samples were flagged in March 2024. It's not clear how successful these efforts were. "KoSpy can collect extensive data, such as SMS messages, call logs, location, files, audio, and screenshots via dynamically loaded plugins," the company said in an analysis. The malicious artifacts masquerade as utility applications on the official Google Play Store, using the names File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security to trick unsuspecting users into infecting their own devices. All the identified apps offer the promised functionality to avoid raising suspicion while stealthily deploying spyware-related components in the backg...