#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
State of SaaS

mobile security | Breaking Cybersecurity News | The Hacker News

Category — mobile security
FireScam Android Malware Poses as Telegram Premium to Steal Data and Control Devices

FireScam Android Malware Poses as Telegram Premium to Steal Data and Control Devices

Jan 06, 2025 Malware / Mobile Security
An Android information stealing malware named FireScam has been found masquerading as a premium version of the Telegram messaging app to steal data and maintain persistent remote control over compromised devices. "Disguised as a fake 'Telegram Premium' app, it is distributed through a GitHub.io-hosted phishing site that impersonates RuStore – a popular app store in the Russian Federation," Cyfirma said , describing it as a "sophisticated and multifaceted threat." "The malware employs a multi-stage infection process, starting with a dropper APK, and performs extensive surveillance activities once installed." The phishing site in question, rustore-apk.github[.]io, mimics RuStore, an app store launched by Russian tech giant VK in the country, and is designed to deliver a dropper APK file ("GetAppsRu.apk"). Once installed, the dropper acts as a delivery vehicle for the main payload, which is responsible for exfiltrating sensitive data,...
U.S. Judge Rules Against NSO Group in WhatsApp Pegasus Spyware Case

U.S. Judge Rules Against NSO Group in WhatsApp Pegasus Spyware Case

Dec 23, 2024 Spyware / Mobile Security
Meta Platforms-owned WhatsApp scored a major legal victory in its fight against Israeli commercial spyware vendor NSO Group after a federal judge in the U.S. state of California ruled in favor of the messaging giant for exploiting a security vulnerability to deliver Pegasus. "The limited evidentiary record before the court does show that defendants' Pegasus code was sent through plaintiffs' California-based servers 43 times during the relevant time period in May 2019," United States District Judge Phyllis J. Hamilton said . The order further lambasted NSO Group, stating it "repeatedly failed to produce relevant discovery and failed to obey court orders regarding such discovery," referring to the company's failure to produce the Pegasus source code and for limiting the access to Israeli citizens present in Israel. This information, per WhatsApp, included code only pertaining to an Amazon Web Services (AWS) server, and not the entire codebase that wo...
Product Walkthrough: How Reco Discovers Shadow AI in SaaS

Future-Ready Trust: Learn How to Manage Certificates Like Never Before

WebinarTrust Management / SSL Certificate
Managing digital trust shouldn't feel impossible. Join us to discover how DigiCert ONE transforms certificate management—streamlining trust operations, ensuring compliance, and future-proofing your digital strategy.
CISA Mandates Cloud Security for Federal Agencies by 2025 Under Binding Directive 25-01

CISA Mandates Cloud Security for Federal Agencies by 2025 Under Binding Directive 25-01

Dec 19, 2024 Cloud Security / Encryption
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 25-01, ordering federal civilian agencies to secure their cloud environments and abide by Secure Cloud Business Applications (SCuBA) secure configuration baselines. "Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services," the agency said , adding the directive "will further reduce the attack surface of the federal government networks." As part of 25-01, agencies are also recommended to deploy CISA-developed automated configuration assessment tools to measure against the baselines, integrate with the agency's continuous monitoring infrastructure, and address any deviations from the secure configuration baselines. While the baselines are currently limited to Microsoft 365 (Azure Active Directory / ...
cyber security

2024: A Year of Identity Attacks | Get the New eBook

websitePush SecurityIdentity Security
Prepare to defend against identity attacks in 2025 by looking back at identity-based breaches in 2024.
The Mask APT Resurfaces with Sophisticated Multi-Platform Malware Arsenal

The Mask APT Resurfaces with Sophisticated Multi-Platform Malware Arsenal

Dec 17, 2024 Cyber Espionage / Mobile Security
A little-known cyber espionage actor known as The Mask has been linked to a new set of attacks targeting an unnamed organization in Latin America twice in 2019 and 2022. "The Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least 2007," Kaspersky researchers Georgy Kucherin and Marc Rivero said in an analysis published last week. "Their targets are usually high-profile organizations, such as governments, diplomatic entities, and research institutions." Also known as Careto, the threat actor was previously documented by the Russian cybersecurity company over a decade ago in February 2014 as having targeted over 380 unique victims since 2007. The origins of the hacking group are currently unknown. Initial access to target networks is facilitated by means of spear-phishing emails embedding links to malicious websites that are designed to trigger browser-based zero-day exploits to infect the visitor (e.g., CVE-...
Gamaredon Deploys Android Spyware "BoneSpy" and "PlainGnome" in Former Soviet States

Gamaredon Deploys Android Spyware "BoneSpy" and "PlainGnome" in Former Soviet States

Dec 12, 2024 Mobile Security / Cyber Espionage
The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome , marking the first time the adversary has been discovered using mobile-only malware families in its attack campaigns. "BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims," Lookout said in an analysis. "Both BoneSpy and PlainGnome collect data such as SMS messages, call logs, phone call audio, photos from device cameras, device location, and contact lists." Gamaredon , also called Aqua Blizzard, Armageddon, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder, is a hacking group affiliated with Russia's Federal Security Service (FSB). Last week, Recorded Future's Insikt Group revealed the threat actor's use of Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting malicious payload...
Chinese EagleMsgSpy Spyware Found Exploiting Mobile Devices Since 2017

Chinese EagleMsgSpy Spyware Found Exploiting Mobile Devices Since 2017

Dec 11, 2024 Surveillanceware / Mobile Security
Cybersecurity researchers have discovered a novel surveillance program that's suspected to be used by Chinese police departments as a lawful intercept tool to gather a wide range of information from mobile devices. The Android tool, codenamed EagleMsgSpy by Lookout, has been operational since at least 2017, with artifacts uploaded to the VirusTotal malware scanning platform as recently as September 25, 2024. "The surveillanceware consists of two parts: an installer APK, and a surveillance client that runs headlessly on the device when installed," Kristina Balaam, senior staff threat intelligence researcher at Lookout, said in a technical report shared with The Hacker News. "EagleMsgSpy collects extensive data from the user: third-party chat messages, screen recording and screenshot capture, audio recordings, call logs, device contacts, SMS messages, location data, [and] network activity." EagleMsgSpy has been described by its developers as a "compreh...
Fake Recruiters Distribute Banking Trojan via Malicious Apps in Phishing Scam

Fake Recruiters Distribute Banking Trojan via Malicious Apps in Phishing Scam

Dec 10, 2024 Mobile Security / Cryptocurrency
Cybersecurity researchers have shed light on a sophisticated mobile phishing (aka mishing ) campaign that's designed to distribute an updated version of the Antidot banking trojan. "The attackers presented themselves as recruiters, luring unsuspecting victims with job offers," Zimperium zLabs Vishnu Pratapagiri researcher said in a new report. "As part of their fraudulent hiring process, the phishing campaign tricks victims into downloading a malicious application that acts as a dropper, eventually installing the updated variant of Antidot Banker in the victim's device." The new version of the Android malware has been codenamed AppLite Banker by the mobile security company, highlighting its abilities to siphon unlock PIN (or pattern or password) and remotely take control of infected devices, a feature recently also observed in TrickMo . The attacks employ a variety of social engineering strategies, often luring targets with the prospect of a job opp...
FSB Uses Trojan App to Monitor Russian Programmer Accused of Supporting Ukraine

FSB Uses Trojan App to Monitor Russian Programmer Accused of Supporting Ukraine

Dec 06, 2024 Spyware / Mobile Security
A Russian programmer accused of donating money to Ukraine had his Android device secretly implanted with spyware by the Federal Security Service (FSB) after he was detained earlier this year. The findings come as part of a collaborative investigation by First Department and the University of Toronto's Citizen Lab . "The spyware placed on his device allows the operator to track a target device's location, record phone calls, keystrokes, and read messages from encrypted messaging apps, among other capabilities," according to the report. In May 2024, Kirill Parubets was released from custody after a 15-day period in administrative detention by Russian authorities, during which time his phone, an Oukitel WP7 phone running Android 10, was confiscated from him. During this period, not only was he beaten to compel him into revealing his device password, he was also subjected to an "intense effort" to recruit him as an informant for the FSB, or else risk fac...
Hackers Target Uyghurs and Tibetans with MOONSHINE Exploit and DarkNimbus Backdoor

Hackers Target Uyghurs and Tibetans with MOONSHINE Exploit and DarkNimbus Backdoor

Dec 05, 2024 Mobile Security / Windows Security
A previously undocumented threat activity cluster dubbed Earth Minotaur is leveraging the MOONSHINE exploit kit and an unreported Android-cum-Windows backdoor called DarkNimbus to facilitate long-term surveillance operations targeting Tibetans and Uyghurs. "Earth Minotaur uses MOONSHINE to deliver the DarkNimbus backdoor to Android and Windows devices, targeting WeChat, and possibly making it a cross-platform threat," Trend Micro researchers Joseph C Chen and Daniel Lunghi said in an analysis published today. "MOONSHINE exploits multiple known vulnerabilities in Chromium-based browsers and applications, requiring users to update software regularly to prevent attacks." Countries affected by Earth Minotaur's attacks span Australia, Belgium, Canada, France, Germany, India, Italy, Japan, Nepal, the Netherlands, Norway, Russia, Spain, Switzerland, Taiwan, Turkey, and the U.S. MOONSHINE first came to light in September 2019 as part of cyber attacks targeting t...
8 Million Android Users Hit by SpyLoan Malware in Loan Apps on Google Play

8 Million Android Users Hit by SpyLoan Malware in Loan Apps on Google Play

Dec 02, 2024 Mobile Security / Financial Fraud
Over a dozen malicious Android apps identified on the Google Play Store that have been collectively downloaded over 8 million times contain malware known as SpyLoan, according to new findings from McAfee Labs. "These PUP (potentially unwanted programs) applications use social engineering tactics to trick users into providing sensitive information and granting extra mobile app permissions, which can lead to extortion, harassment, and financial loss," security researcher Fernando Ruiz said in an analysis published last week. The newly discovered apps purport to offer quick loans with minimal requirements to attract unsuspecting users in Mexico, Colombia, Senegal, Thailand, Indonesia, Vietnam, Tanzania, Peru, and Chile. The 15 predatory loan apps are listed below. Five of these apps that are still available for download from the official app store are said to have made changes to comply with Google Play policies. Préstamo Seguro-Rápido, seguro (com.prestamoseguro.ss ) P...
Google's New Restore Credentials Tool Simplifies App Login After Android Migration

Google's New Restore Credentials Tool Simplifies App Login After Android Migration

Nov 25, 2024 Mobile Security / Privacy
Google has introduced a new feature called Restore Credentials to help users restore their account access to third-party apps securely after migrating to a new Android device. Part of Android's Credential Manager API , the feature aims to reduce the hassle of re-entering the login credentials for every app during the handset replacement. "With Restore Credentials, apps can seamlessly onboard users to their accounts on a new device after they restore their apps and data from their previous device," Google's Neelansh Sahai said . The tech giant said the process occurs automatically in the background when a user restores apps and data from a previous device, enabling apps to sign users back into the respective accounts without requiring any additional interaction. This is accomplished by means of what's called a restore key, which, in reality, is a public key that's compatible with FIDO2 standards such as passkeys. Thus when a user signs in to an app that...
Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities

Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities

Nov 20, 2024 Zero Day / Vulnerability
Apple has released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation in the wild. The flaws are listed below - CVE-2024-44308 (CVSS score: 8.8)  - A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content CVE-2024-44309 (CVSS score: 6.1)  - A cookie management vulnerability in WebKit that could lead to a cross-site scripting (XSS) attack when processing malicious web content The iPhone maker said it addressed CVE-2024-44308 and CVE-2024-44309 with improved checks and improved state management, respectively.  Not much is known about the exact nature of the exploitation, but Apple has acknowledged that the pair of vulnerabilities "may have been actively exploited on Intel-based Mac systems." Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group (TAG) have been credited with discovering and report...
NSO Group Exploited WhatsApp to Install Pegasus Spyware Even After Meta's Lawsuit

NSO Group Exploited WhatsApp to Install Pegasus Spyware Even After Meta's Lawsuit

Nov 18, 2024 Mobile Security / Spyware
Legal documents released as part of an ongoing legal tussle between Meta's WhatsApp and NSO Group have revealed that the Israeli spyware vendor used multiple exploits targeting the messaging app to deliver Pegasus, including one even after it was sued by Meta for doing so. They also show that NSO Group repeatedly found ways to install the invasive surveillance tool on the target's devices as WhatsApp erected new defenses to counter the threat. In May 2019, WhatsApp said it blocked a sophisticated cyber attack that exploited its video calling system to deliver Pegasus malware surreptitiously. The attack leveraged a then zero-day flaw tracked as CVE-2019-3568 (CVSS score: 9.8), a critical buffer overflow bug in the voice call functionality. The documents now show that NSO Group "developed yet another installation vector (known as Erised) that also used WhatsApp servers to install Pegasus." The attack vector – a zero-click exploit that could compromise a victim...
New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers

New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers

Nov 05, 2024 Mobile Security / Cyber Attack
Over 1,500 Android devices have been infected by a new strain of Android banking malware called ToxicPanda that allows threat actors to conduct fraudulent banking transactions. "ToxicPanda's main goal is to initiate money transfers from compromised devices via account takeover (ATO) using a well-known technique called on-device fraud ( ODF )," Cleafy researchers Michele Roviello, Alessandro Strino, and Federico Valentini said in a Monday analysis. "It aims to bypass bank countermeasures used to enforce users' identity verification and authentication, combined with behavioral detection techniques applied by banks to identify suspicious money transfers." ToxicPanda is believed to be the work of a Chinese-speaking threat actor, with the malware sharing foundational similarities with another Android malware dubbed TgToxic , which can steal credentials and funds from crypto wallets. TgToxic was documented by Trend Micro in early 2023. A majority of the com...
Google Warns of Actively Exploited CVE-2024-43093 Vulnerability in Android System

Google Warns of Actively Exploited CVE-2024-43093 Vulnerability in Android System

Nov 05, 2024 Mobile Security / Vulnerability
Google has warned that a security flaw impacting its Android operating system has come under active exploitation in the wild. The vulnerability, tracked as CVE-2024-43093, has been described as a privilege escalation flaw in the Android Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories, according to a code commit message . There are currently no details about how the vulnerability is being weaponized in real-world attacks, but Google acknowledged in its monthly bulletin that there are indications it "may be under limited, targeted exploitation." The tech giant has also flagged CVE-2024-43047, a now-patched security bug in Qualcomm chipsets, as having been actively exploited. A use-after-free vulnerability in the Digital Signal Processor (DSP) Service, a successful exploitation of the security flaw could lead to memory corrupti...
Expert Insights / Articles Videos
Cybersecurity Resources