mobile security | Breaking Cybersecurity News | The Hacker News

The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of spyware developed by Israeli company Paragon Solutions, according to a new report from The Citizen Lab. Paragon, founded in 2019 by Ehud Barak and Ehud Schneorson, is the maker of a surveillance tool called Graphite that's capable of harvesting sensitive data from instant messaging applications on a device. The interdisciplinary lab said it identified the six governments as "suspected Paragon deployments" after mapping the server infrastructure suspected to be associated with the spyware. The development comes nearly two months after Meta-owned WhatsApp said it notified around 90 journalists and civil society members that it said were targeted by Graphite. The attacks were disrupted in December 2024. Targets of these attacks included individuals spread across over two dozen countries, including several in Europe such as Belgium, Greece, Latvia, Lithuania, Austria,...

Cybersecurity researchers have warned about a large-scale ad fraud campaign that has leveraged hundreds of malicious apps published on the Google Play Store to serve full-screen ads and conduct phishing attacks. "The apps display out-of-context ads and even try to persuade victims to give away credentials and credit card information in phishing attacks," Bitdefender said in a report shared with The Hacker News. Details of the activity were first disclosed by Integral Ad Science (IAS) earlier this month, documenting the discovery of over 180 apps that were engineered to deploy endless and intrusive full-screen interstitial video ads. The ad fraud scheme was codenamed Vapor. These apps, which have since been taken down by Google, masqueraded as legitimate apps and collectively amassed more than 56 million downloads between them, generating over 200 million bid requests daily. "Fraudsters behind the Vapor operation have created multiple developer accounts, each host...

Most microsegmentation projects fail before they even get off the ground—too complex, too slow, too disruptive. But Andelyn Biosciences proved it doesn't have to be that way.  Microsegmentation: The Missing Piece in Zero Trust Security   Security teams today are under constant pressure to defend against increasingly sophisticated cyber threats. Perimeter-based defenses alone can no longer provide sufficient protection as attackers shift their focus to lateral movement within enterprise networks. With over 70% of successful breaches involving attackers moving laterally, organizations are rethinking how they secure internal traffic.  Microsegmentation has emerged as a key strategy in achieving Zero Trust security by restricting access to critical assets based on identity rather than network location. However, traditional microsegmentation approaches—often involving VLAN reconfigurations, agent deployments, or complex firewall rules—tend to be slow, operationally disrupt...

The GSM Association (GSMA) has formally announced support for end-to-end encryption (E2EE) for securing messages sent via the Rich Communications Services (RCS) protocol, bringing much-needed security protections to cross-platform messages shared between Android and iOS platforms. To that end, the new GSMA specifications for RCS include E2EE based on the Messaging Layer Security (MLS) protocol via what's called the RCS Universal Profile 3.0 . "The new specifications define how to apply MLS within the context of RCS," Tom Van Pelt, technical director of GSMA, said . "These procedures ensure that messages and other content such as files remain confidential and secure as they travel between clients." This also means that RCS will be the first "large-scale messaging service" to have support for interoperable E2EE between different client implementations from different providers in the near future. It's worth noting that Google's own implemen...

Google has announced the rollout of artificial intelligence (AI)-powered scam detection features to secure Android device users and their personal information. "These features specifically target conversational scams, which can often appear initially harmless before evolving into harmful situations," Google said . "And more phone calling scammers are using spoofing techniques to hide their real numbers and pretend to be trusted companies." The company said it has partnered with financial institutions to better understand the nature of scams customers are encountering, thereby allowing it to devise AI models that can flag suspicious patterns and deliver real-time warnings over the course of a conversation without sacrificing user privacy. These models run completely on-device , alerting users in the event of a likely scam. Users then have an option to either dismiss or report and block the sender. The setting is enabled by default and applies only to conversatio...

Google has released its monthly Android Security Bulletin for March 2025 to address a total of 44 vulnerabilities, including two that it said have come under active exploitation in the wild. The two high-severity vulnerabilities are listed below - CVE-2024-43093 - A privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories. CVE-2024-50302 - A privilege escalation flaw in the HID USB component of the Linux kernel that could lead to a leak of uninitialized kernel memory to a local attacker through specially crafted HID reports. It's worth noting that CVE-2024-43093 was previously flagged by Google in its security advisory for November 2024 as actively exploited in the wild. It's not clear what prompted the tech giant to issue the alert a second time. When reached for comment, Google told The Hacker...

Brazil, South Africa, Indonesia, Argentina, and Thailand have become the targets of a campaign that has infected Android TV devices with a botnet malware dubbed Vo1d . The improved variant of Vo1d has been found to encompass 800,000 daily active IP addresses, with the botnet scaling a peak of 1,590,299 on January 19, 2025, spanning 226 countries and regions. As of February 25, 2025, India has experienced a notable surge in infection rate, increasing from less than 1% (3,901) to 18.17% (217,771).  "Vo1d has evolved to enhance its stealth, resilience, and anti-detection capabilities," QiAnXin XLab said . "RSA encryption secures network communication, preventing [command-and-control] takeover even if [the Domain Generation Algorithm] domains are registered by researchers. Each payload uses a unique Downloader, with XXTEA encryption and RSA-protected keys, making analysis harder." The malware was first documented by Doctor Web in September 2024 as affecting Androi...

A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit developed by Cellebrite to unlock the device, according to a new report from Amnesty International. "The Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite," the international non-governmental organization said , adding traces of the exploit were discovered in a separate case in mid-2024. The vulnerability in question is CVE-2024-53104 (CVSS score: 7.8), a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver. A patch for the flaw was released for the Linux kernel in December 2024. It was subsequently addressed in Android earlier this month. It's believed that CVE-2024-53104 was combined with two other flaws – CVE-2024-53197 and CVE-2024-50302 – both of which have been resolved in the Linux kernel. They are yet to be included i...

Cybersecurity researchers have discovered an updated version of an Android malware called TgToxic (aka ToxicPanda), indicating that the threat actors behind it are continuously making changes in response to public reporting. "The modifications seen in the TgToxic payloads reflect the actors' ongoing surveillance of open source intelligence and demonstrate their commitment to enhancing the malware's capabilities to improve security measures and keep researchers at bay," Intel 471 said in a report published this week. TgToxic was first documented by Trend Micro in early 2023, describing it as a banking trojan capable of stealing credentials and funds from crypto wallets as well as bank and finance apps. It has been detected in the wild since at least July 2022, mainly focusing on mobile users in Taiwan, Thailand, and Indonesia. Then in November 2024, Italian online fraud prevention firm Cleafy detailed an updated variant with wide-ranging data-gathering featur...

Cybersecurity researchers have flagged an updated version of the LightSpy implant that comes equipped with an expanded set of data collection features to extract information from social media platforms like Facebook and Instagram. LightSpy is the name given to a modular spyware that's capable of infecting both Windows and Apple systems with an aim to harvest data. It was first documented in 2020, targeting users in Hong Kong. This includes Wi-Fi network information, screenshots, location, iCloud Keychain, sound recordings, photos, browser history, contacts, call history, and SMS messages, and data from various apps like Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp. Late last year, ThreatFabric detailed an updated version of the malware that incorporates destructive capabilities to prevent the compromised device from booting up, alongside expanding the number of supported plugins from 12 to 28. Previous findings have also uncovered potential overlaps ...

Multiple Russia-aligned threat actors have been observed targeting individuals of interest via the privacy-focused messaging app Signal to gain unauthorized access to their accounts. "The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate 'linked devices' feature that enables Signal to be used on multiple devices concurrently," the Google Threat Intelligence Group (GTIG) said in a report. In the attacks spotted by the tech giant's threat intelligence teams, the threat actors, including one it's tracking as UNC5792, have resorted to malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance. As a result, future messages get delivered synchronously to both the victim and the threat actor in real-time, thereby granting threat actors a persistent way to eavesdrop on the victim's conversations. Google said UAC-...

Google is working on a new security feature for Android that blocks device owners from changing sensitive settings when a phone call is in progress. Specifically, the in-call anti-scammer protections include preventing users from turning on settings to install apps from unknown sources and granting accessibility access. The development was first reported by Android Authority. Users who attempt to do so during phone calls are served the message: "Scammers often request this type of action during phone call conversations, so it's blocked to protect you. If you are being guided to take this action by someone you don't know, it might be a scam." Furthermore, it blocks users from giving an app access to accessibility services over the course of a phone call. The feature is currently live in Android 16 Beta 2, which was released earlier this week. With this latest addition, the idea is to introduce more friction to a tactic that has been commonly abused by maliciou...

Apple on Monday released out-of-band security updates to address a security flaw in iOS and iPadOS that it said has been exploited in the wild. Assigned the CVE identifier CVE-2025-24200 (CVSS score: 4.6), the vulnerability has been described as an authorization issue that could make it possible for a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber physical attack. This suggests that the attackers require physical access to the device in order to exploit the flaw. Introduced in iOS 11.4.1, USB Restricted Mode prevents an Apple iOS and iPadOS device from communicating with a connected accessory if it has not been unlocked and connected to an accessory within the past hour. The feature is seen as an attempt to prevent digital forensics tools like Cellebrite or GrayKey , which are mainly used by law enforcement agencies, from gaining unauthorized entry to a confiscated device and extracting sensitive data. In line with advisories of this k...

A new audit of DeepSeek's mobile app for the Apple iOS operating system has found glaring security issues, the foremost being that it sends sensitive data over the internet sans any encryption, exposing it to interception and manipulation attacks. The assessment comes from NowSecure, which also found that the app fails to adhere to best security practices and that it collects extensive user and device data. "The DeepSeek iOS app sends some mobile app registration and device data over the Internet without encryption," the company said . "This exposes any data in the internet traffic to both passive and active attacks." The teardown also revealed several implementation weaknesses when it comes to applying encryption on user data. This includes the use of an insecure symmetric encryption algorithm ( 3DES ), a hard-coded encryption key, and the reuse of initialization vectors . What's more, the data is sent to servers that are managed by a cloud compute a...

A new malware campaign dubbed SparkCat has leveraged a suit of bogus apps on both Apple's and Google's respective app stores to steal victims' mnemonic phrases associated with cryptocurrency wallets.  The attacks leverage an optical character recognition (OCR) model to exfiltrate select images containing wallet recovery phrases from photo libraries to a command-and-control (C2) server, Kaspersky researchers Dmitry Kalinin and Sergey Puzan said in a technical report. The moniker is a reference to an embedded software development kit (SDK) that employs a Java component called Spark that masquerades as an analytics module. It's currently not known whether the infection was a result of a supply chain attack or if it was intentionally introduced by the developers. While this is not the first time Android malware with OCR capabilities has been detected in the wild, it's one of the first instances where such a stealer has been found in Apple's App Store. The inf...

Google has shipped patches to address 47 security flaws in its Android operating system, including one it said has come under active exploitation in the wild. The vulnerability in question is CVE-2024-53104 (CVSS score: 7.8), which has been described as a case of privilege escalation in a kernel component known as the USB Video Class ( UVC ) driver. Successful exploitation of the flaw could lead to physical escalation of privilege, Google said, noting that it's aware that it may be under "limited, targeted exploitation." While no other technical details have been offered, Linux kernel developer Greg Kroah-Hartman revealed in early December 2024 that the vulnerability is rooted in the Linux kernel and that it was introduced in version 2.6.26 , which was released in mid-2008. Specifically, it has to do with an out-of-bounds write condition that could arise as a result of parsing frames of type UVC_VS_UNDEFINED in a function named "uvc_parse_format()" i...

Cybersecurity researchers have discovered a malvertising campaign that's targeting Microsoft advertisers with bogus Google ads that aim to take them to phishing pages that are capable of harvesting their credentials. "These malicious ads, appearing on Google Search, are designed to steal the login information of users trying to access Microsoft's advertising platform," Jérôme Segura, senior director of research at Malwarebytes, said in a Thursday report. The findings came a few weeks after the cybersecurity company exposed a similar campaign that leveraged sponsored Google Ads to target individuals and businesses advertising via the search giant's advertising platform. The latest set of attacks targets users who search for terms like "Microsoft Ads" on Google Search, hoping to trick them into clicking on malicious links served in the form of sponsored ads in the search results pages. At the same time, the threat actors behind the campaign employ s...

Google said it blocked over 2.36 million policy-violating Android apps from being published to the Google Play app marketplace in 2024 and banned more than 158,000 bad developer accounts that attempted to publish such harmful apps. The tech giant also noted it prevented 1.3 million apps from getting excessive or unnecessary access to sensitive user data during the time period by working with third-party app developers. Furthermore, Google Play Protect, a security feature that's enabled by default on Android devices to flag novel threats, identified 13 million new malicious apps from outside of the official app store. "As a result of partnering closely with developers, over 91% of app installs on the Google Play Store now use the latest protections of Android 13 or newer," Bethel Otuteye and Khawaja Shams from the Android Security and Privacy Team, and Ron Aquino from Google Play Trust and Safety said . In comparison, the company blocked 1.43 million and 2.28 millio...