Android | Breaking Cybersecurity News | The Hacker News

A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America. The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victim's contacts list. "Recent activity reveals multiple campaigns now targeting European countries while continuing Turkish campaigns and expanding globally to South America," the Dutch security company said . Crocodilus was first publicly documented in March 2025 as targeting Android device users in Spain and Turkey by masquerading as legitimate apps like Google Chrome. The malware comes fitted with capabilities to launch overlay attacks against a list of financial apps retrieved from an external server to harvest credentials. It also abuses accessibility services permissions to capture seed phrases as...

Three security vulnerabilities have been disclosed in preloaded Android applications on smartphones from Ulefone and Krüger&Matz that could enable any app installed on the device to perform a factory reset and encrypt an application. A brief description of the three flaws is as follows - CVE-2024-13915 (CVSS score: 6.9) - A pre-installed "com.pri.factorytest" application on Ulefone and Krüger&Matz smartphones exposes a "com.pri.factorytest.emmc.FactoryResetService" service that allows any installed application to perform a factory reset of the device. CVE-2024-13916 (CVSS score: 6.9) - A pre-installed "com.pri.applock" application on Kruger&Matz smartphones allows a user to encrypt any application using user-provided PIN code or by using biometric data. The app also exposes a "com.android.providers.settings.fingerprint.PriFpShareProvider" content provider's "query()" method that permits any malicious app already ...

Qualcomm has shipped security updates to address three zero-day vulnerabilities that it said have been exploited in limited, targeted attacks in the wild. The flaws in question, which were responsibly disclosed to the company by the Google Android Security team, are listed below - CVE-2025-21479 and CVE-2025-21480 (CVSS score: 8.6) - Two incorrect authorization vulnerabilities in the Graphics component that could result in memory corruption due to unauthorized command execution in GPU microcode while executing a specific sequence of commands CVE-2025-27038 (CVSS score: 7.5) - A use-after-free vulnerability in the Graphics component that could result in memory corruption while rendering graphics using Adreno GPU drivers in Chrome "There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation," Qualcomm said in an advisory. "Patches for the issues affecting the Adreno Grap...

Cybersecurity researchers have discovered a new campaign that employs malicious JavaScript injections to redirect site visitors on mobile devices to a Chinese adult-content Progressive Web App (PWA) scam. "While the payload itself is nothing new (yet another adult gambling scam), the delivery method stands out," c/side researcher Himanshu Anand said in a Tuesday analysis. "The malicious landing page is a full-blown Progressive Web App ( PWA ), likely aiming to retain users longer and bypass basic browser protections." The campaign is designed to explicitly filter out desktop users, primarily focusing on mobile users. The activity has been described as a client-side attack that uses third-party JavaScript and only triggers on mobile devices. The use of PWAs, a type of application built using web technologies that provide a user experience similar to that of a native app built for a specific platform like Windows, Linux, macOS, Android, or iOS, is seen as an at...

Google on Thursday announced it's rolling out new artificial intelligence (AI)-powered countermeasures to combat scams across Chrome, Search, and Android. The tech giant said it will begin using Gemini Nano , its on-device large language model (LLM), to improve Safe Browsing in Chrome 137 on desktops. "The on-device approach provides instant insight on risky websites and allows us to offer protection, even against scams that haven't been seen before. Gemini Nano's LLM is perfect for this use because of its ability to distill the varied, complex nature of websites, helping us adapt to new scam tactics more quickly," the company said . Google noted that it's already using this AI-driven approach to tackle remote tech support scams, which often seek to trick users into parting with their personal or financial information under the pretext of a non-existent computer problem. This works by evaluating the web pages using the LLM for potential signals that are...

Google has released its monthly security updates for Android with fixes for 46 security flaws, including one vulnerability that it said has been exploited in the wild. The vulnerability in question is CVE-2025-27363 (CVSS score: 8.1), a high-severity flaw in the System component that could lead to local code execution without requiring any additional execution privileges. "The most severe of these issues is a high security vulnerability in the System component that could lead to local code execution with no additional execution privileges needed," Google said in a Monday advisory. "User interaction is not needed for exploitation." It's worth noting that CVE-2025-27363 is rooted in the FreeType open-source font rendering library. It was first disclosed by Facebook in March 2025 as having been exploited in the wild. The shortcoming has been described as an out-of-bounds write flaw that could result in code execution when parsing TrueType GX and variable fo...

Cybersecurity researchers have demonstrated a proof-of-concept (PoC) rootkit dubbed Curing that leverages a Linux asynchronous I/O mechanism called io_uring to bypass traditional system call monitoring. This causes a "major blind spot in Linux runtime security tools," ARMO said. "This mechanism allows a user application to perform various actions without using system calls," the company said in a report shared with The Hacker News. "As a result, security tools relying on system call monitoring are blind' to rootkits working solely on io_uring." io_uring, first introduced in Linux kernel version 5.1 in March 2019, is a Linux kernel system call interface that employs two circular buffers called a submission queue (SQ) and a completion queue (CQ) between the kernel and an application (i.e., user space) to track the submission and completion of I/O requests in an asynchronous manner. The rootkit devised by ARMO facilitates communication between ...

Cybersecurity researchers have revealed that Russian military personnel are the target of a new malicious campaign that distributes Android spyware under the guise of the Alpine Quest mapping software. "The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs," Doctor Web said in an analysis. The trojan has been found embedded in older versions of the software and propagated as a freely available variant of Alpine Quest Pro , a paid offering that removes advertising and analytics features. The Russian cybersecurity vendor said it also observed the malware, dubbed Android.Spy.1292.origin, being distributed in the form of an APK file via a fake Telegram channel. While the threat actors initially provided a link for downloading the app in one of the Russian app catalogs through the Telegram channel, the trojanized version was later distributed directly as an A...

A new Android malware-as-a-service (MaaS) platform named SuperCard X can facilitate near-field communication ( NFC ) relay attacks, enabling cybercriminals to conduct fraudulent cashouts. The active campaign is targeting customers of banking institutions and card issuers in Italy with an aim to compromise payment card data, fraud prevention firm Cleafy said in an analysis. There is evidence to suggest that the service is promoted on Telegram channels. SuperCard X "employs a multi-stage approach combining social engineering (via smishing and phone calls), malicious application installation, and NFC data interception for highly effective fraud," security researchers Federico Valentini‍, Alessandro Strino, and Michele Roviello said . The new Android malware, the work of a Chinese-speaking threat actor, has been observed being propagated via three different bogus apps, duping victims into installing them via social engineering techniques like deceptive SMS or WhatsApp mess...

Cybersecurity researchers have found that threat actors are setting up deceptive websites hosted on newly registered domains to deliver a known Android malware called SpyNote . These bogus websites masquerade as Google Play Store install pages for apps like the Chrome web browser, indicating an attempt to deceive unsuspecting users into installing the malware instead. "The threat actor utilized a mix of English and Chinese-language delivery sites and included Chinese-language comments within the delivery site code and the malware itself," the DomainTools Investigations (DTI) team said in a report shared with The Hacker News. SpyNote (aka SpyMax) is a remote access trojan long known for its ability to harvest sensitive data from compromised Android devices by abusing accessibility services. In May 2024, the malware was propagated via another bogus site impersonating a legitimate antivirus solution known as Avast. Subsequent analysis by mobile security firm Zimperium h...

A novice cybercrime actor has been observed leveraging the services of a Russian bulletproof hosting ( BPH ) provider called Proton66 to facilitate their operations. The findings come from DomainTools, which detected the activity after it discovered a phony website named cybersecureprotect[.]com hosted on Proton66 that masqueraded as an antivirus service. The threat intelligence firm said it identified an operational security (OPSEC) failure in the domain that left its malicious infrastructure exposed, thereby revealing the malicious payloads staged on the server.  "This revelation led us down a rabbit hole into the operations of an emerging threat actor known as Coquettte – an amateur cybercriminal leveraging Proton66's bulletproof hosting to distribute malware and engage in other illicit activities," it said in a report shared with The Hacker News. Proton66, also linked to another BPH service known as PROSPERO, has been attributed to several campaigns distribut...

Counterfeit versions of popular smartphone models that are sold at reduced prices have been found to be preloaded with a modified version of an Android malware called Triada . "More than 2,600 users in different countries have encountered the new version of Triada, the majority in Russia," Kaspersky said in a report. The infections were recorded between March 13 and 27, 2025.  Triada is the name given to a modular Android malware family that was first discovered by the Russian cybersecurity company in March 2016. A remote access trojan (RAT), it's equipped to steal a wide range of sensitive information, as well as enlist infected devices into a botnet for other malicious activities. While the malware was previously observed being distributed via intermediate apps published on the Google Play Store (and elsewhere) that gained root access to the compromised phones, subsequent campaigns have leveraged WhatsApp mods like FMWhatsApp and YoWhatsApp as a propagation vec...

A new sophisticated phishing-as-a-service (PhaaS) platform called Lucid has targeted 169 entities in 88 countries using smishing messages propagated via Apple iMessage and Rich Communication Services (RCS) for Android. Lucid's unique selling point lies in its weaponizing of legitimate communication platforms to sidestep traditional SMS-based detection mechanisms. "Its scalable, subscription-based model enables cybercriminals to conduct large-scale phishing campaigns to harvest credit card details for financial fraud," Swiss cybersecurity company PRODAFT said in a technical report shared with The Hacker News. "Lucid leverages Apple iMessage and Android's RCS technology, bypassing traditional SMS spam filters and significantly increasing delivery and success rates." Lucid is assessed to be the work of a Chinese-speaking hacking crew called the XinXin group (aka Black Technology), with the phishing campaigns mainly targeting Europe, the United Kingdom, an...

Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that's primarily designed to target users in Spain and Turkey. "Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging," ThreatFabric said . As with other banking trojans of its kind, the malware is designed to facilitate device takeover ( DTO ) and ultimately conduct fraudulent transactions. An analysis of the source code and the debug messages reveals that the malware author is Turkish-speaking. The Crocodilus artifacts analyzed by the Dutch mobile security company masquerade as Google Chrome (package name: "quizzical.washbowl.calamity"), which act as a dropper capable of  bypassing Android 13+ restrictions .  Once installed and launched, the app requests permission to Android's access...

An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign likely aimed at users in Taiwan under the guise of chat apps. "PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices," Sophos security researcher Pankaj Kohli said in a Thursday analysis. PJobRAT, first documented in 2021, has a track record of being used against Indian military-related targets. Subsequent iterations of the malware have been discovered masquerading as dating and instant messaging apps to deceive prospective victims. It's known to be active since at least late 2019. In November 2021, Meta attributed a Pakistan-aligned threat actor dubbed SideCopy – believed to be a sub-cluster within Transparent Tribe – to the use of PJobRAT and Mayhem as part of highly-targeted attacks directed against people in Afghanistan, specifically those with ties to government, mil...

An advanced persistent threat (APT) group with ties to Pakistan has been attributed to the creation of a fake website masquerading as India's public sector postal system as part of a campaign designed to infect both Windows and Android users in the country. Cybersecurity company CYFIRMA has attributed the campaign with medium confidence to a threat actor called APT36 , which is also known as Transparent Tribe.  The fraudulent website mimicking India Post is named "postindia[.]site." Users who land on the site from Windows systems are prompted to download a PDF document, whereas those visiting from an Android device are served a malicious application package ("indiapost.apk") file. "When accessed from a desktop, the site delivers a malicious PDF file containing ' ClickFix ' tactics," CYFIRMA said . "The document instructs users to press the Win + R keys, paste a provided PowerShell command into the Run dialog, and execute it – potentia...