mobile security | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have revealed that Russian military personnel are the target of a new malicious campaign that distributes Android spyware under the guise of the Alpine Quest mapping software. "The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs," Doctor Web said in an analysis. The trojan has been found embedded in older versions of the software and propagated as a freely available variant of Alpine Quest Pro , a paid offering that removes advertising and analytics features. The Russian cybersecurity vendor said it also observed the malware, dubbed Android.Spy.1292.origin, being distributed in the form of an APK file via a fake Telegram channel. While the threat actors initially provided a link for downloading the app in one of the Russian app catalogs through the Telegram channel, the trojanized version was later distributed directly as an A...

A new Android malware-as-a-service (MaaS) platform named SuperCard X can facilitate near-field communication ( NFC ) relay attacks, enabling cybercriminals to conduct fraudulent cashouts. The active campaign is targeting customers of banking institutions and card issuers in Italy with an aim to compromise payment card data, fraud prevention firm Cleafy said in an analysis. There is evidence to suggest that the service is promoted on Telegram channels. SuperCard X "employs a multi-stage approach combining social engineering (via smishing and phone calls), malicious application installation, and NFC data interception for highly effective fraud," security researchers Federico Valentini‍, Alessandro Strino, and Michele Roviello said . The new Android malware, the work of a Chinese-speaking threat actor, has been observed being propagated via three different bogus apps, duping victims into installing them via social engineering techniques like deceptive SMS or WhatsApp mess...

The problem is simple: all breaches start with initial access, and initial access comes down to two primary attack vectors – credentials and devices. This is not news; every report you can find on the threat landscape depicts the same picture.  The solution is more complex. For this article, we'll focus on the device threat vector. The risk they pose is significant, which is why device management tools like Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) are essential components of an organization's security infrastructure. However, relying solely on these tools to manage device risk actually creates a false sense of security. Instead of the blunt tools of device management, organizations are looking for solutions that deliver device trust . Device trust provides a comprehensive, risk-based approach to device security enforcement, closing the large gaps left behind by traditional device management solutions. Here are 5 of those limitations and how to ov...

The problem is simple: all breaches start with initial access, and initial access comes down to two primary attack vectors – credentials and devices. This is not news; every report you can find on the threat landscape depicts the same picture.  The solution is more complex. For this article, we'll focus on the device threat vector. The risk they pose is significant, which is why device management tools like Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) are essential components of an organization's security infrastructure. However, relying solely on these tools to manage device risk actually creates a false sense of security. Instead of the blunt tools of device management, organizations are looking for solutions that deliver device trust . Device trust provides a comprehensive, risk-based approach to device security enforcement, closing the large gaps left behind by traditional device management solutions. Here are 5 of those limitations and how to ov...

Can a harmless click really lead to a full-blown cyberattack? Surprisingly, yes — and that's exactly what we saw in last week's activity. Hackers are getting better at hiding inside everyday actions: opening a file, running a project, or logging in like normal. No loud alerts. No obvious red flags. Just quiet entry through small gaps — like a misconfigured pipeline, a trusted browser feature, or reused login tokens. These aren't just tech issues — they're habits being exploited. Let's walk through the biggest updates from the week and what they mean for your security. ⚡ Threat of the Week Recently Patched Windows Flaw Comes Under Active Exploitation — A recently patched security flaw affecting Windows NTLM has been exploited by malicious actors to leak NTLM hashes or user passwords and infiltrate systems since March 19, 2025. The flaw, CVE-2025-24054 (CVSS score: 6.5), is a hash disclosure spoofing bug that was fixed by Microsoft last month as part of its Patch Tuesday updates...

Cybersecurity researchers have disclosed a surge in "mass scanning, credential brute-forcing, and exploitation attempts" originating from IP addresses associated with a Russian bulletproof hosting service provider named Proton66 . The activity, detected since January 8, 2025, targeted organizations worldwide, according to a two-part analysis published by Trustwave SpiderLabs last week.  "Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scanning and brute-force attempts," security researchers Pawel Knapczyk and Dawid Nesterowicz said . "Several of the offending IP addresses were not previously seen to be involved in malicious activity or were inactive for over two years." The Russian autonomous system Proton66 is assessed to be linked to another autonomous system named PROSPERO. Last year, French security firm Intrinsec detailed their connections to bulletproof services marketed on Russian cybercrime forums under ...

Cybersecurity researchers are warning of a "widespread and ongoing" SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024. "The toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by 'Wang Duo Yu,'" Cisco Talos researchers Azim Khodjibaev, Chetan Raghuprasad, and Joey Chen assessed with moderate confidence. The phishing campaigns , per the company, impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas about an unpaid toll and clicking on a fake link sent in the chat. It's worth noting some aspects of the toll phishing campaign were previously highlighted by security journalist Brian Krebs in January 2025, with the activity traced back to a China-b...

Apple on Wednesday released security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to address two security flaws that it said have come under active exploitation in the wild. The vulnerabilities in question are listed below - CVE-2025-31200 (CVSS score: 7.5) - A memory corruption vulnerability in the Core Audio framework that could allow code execution when processing an audio stream in a maliciously crafted media file CVE-2025-31201 (CVSS score: 6.8) - A vulnerability in the RPAC component that could be used by an attacker with arbitrary read and write capability to bypass Pointer Authentication The iPhone maker said it addressed CVE-2025-31200 with improved bounds checking and CVE-2025-31201 by removing the vulnerable section of code. Both the vulnerabilities have been credited to Apple, along with Google Threat Analysis Group (TAG) for reporting CVE-2025-31200. Apple, as is typically the case with such advisories, said it's aware that the issues have b...

Cheap Android smartphones manufactured by Chinese companies have been observed pre-installed with trojanized apps masquerading as WhatsApp and Telegram that contain cryptocurrency clipper functionality as part of a campaign since June 2024. While using malware-laced apps to steal financial information is not a new phenomenon, the new findings from Russian antivirus vendor Doctor Web point to significant escalation where threat actors are directly targeting the supply chain of various Chinese manufacturers to preload brand new devices with malicious apps. "Fraudulent applications were detected directly in the software pre-installed on the phone," the company said . "In this case, the malicious code was added to the WhatsApp messenger." A majority of the compromised devices are said to be low-end phones that mimic well-known premium models from Samsung and Huawei with names like S23 Ultra, S24 Ultra, Note 13 Pro, and P70 Ultra. At least four of the affected mod...

Cybersecurity researchers have found that threat actors are setting up deceptive websites hosted on newly registered domains to deliver a known Android malware called SpyNote . These bogus websites masquerade as Google Play Store install pages for apps like the Chrome web browser, indicating an attempt to deceive unsuspecting users into installing the malware instead. "The threat actor utilized a mix of English and Chinese-language delivery sites and included Chinese-language comments within the delivery site code and the malware itself," the DomainTools Investigations (DTI) team said in a report shared with The Hacker News. SpyNote (aka SpyMax) is a remote access trojan long known for its ability to harvest sensitive data from compromised Android devices by abusing accessibility services. In May 2024, the malware was propagated via another bogus site impersonating a legitimate antivirus solution known as Avast. Subsequent analysis by mobile security firm Zimperium h...