mobile security | Breaking Cybersecurity News | The Hacker News

A new Android backdoor that's embedded deep into the device firmware can silently harvest data and remotely control its behavior, according to new findings from Kaspersky. The Russian cybersecurity vendor said it discovered the backdoor, dubbed Keenadu , in the firmware of devices associated with various brands, including Alldocube, with the compromise occurring during the firmware build phase. Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023. In all cases, the backdoor is embedded within tablet firmware, and the firmware files carry valid digital signatures. The names of the other vendors were not disclosed. "In several instances, the compromised firmware was delivered with an OTA update," security researcher Dmitry Kalinin said in an exhaustive analysis published today. "A copy of the backdoor is loaded into the address space of every app upon launch. The malware is a multi-stage loader granting its operators the ...

Apple on Monday released a new developer beta of iOS and iPadOS with support for end-to-end encryption (E2EE) in Rich Communications Services ( RCS ) messages. The feature is currently available for testing in iOS and iPadOS 26.4 Beta, and is expected to be shipped to customers in a future update for iOS, iPadOS, macOS, and watchOS. "End-to-end encryption is in beta and is not available for all devices or carriers," Apple said in its release notes. "Conversations labeled as encrypted are encrypted end-to-end, so messages can't be read while they're sent between devices." The iPhone maker also pointed out that the availability of RCS encryption is limited to conversations between Apple devices, and not other platforms like Android. The secure messaging test arrives nearly a year after the GSM Association (GSMA) formally announced support for E2EE for safeguarding messages sent via the RCS protocol. E2EE for RCS‌ will require Apple to update to ‌RCS‌ Un...

Cybersecurity researchers have disclosed details of a new mobile spyware platform dubbed ZeroDayRAT that's being advertised on Telegram as a way to grab sensitive data and facilitate real-time surveillance on Android and iOS devices. "The developer runs dedicated channels for sales, customer support, and regular updates, giving buyers a single point of access to a fully operational spyware panel," Daniel Kelley, security researcher at iVerify, said . "The platform goes beyond typical data collection into real-time surveillance and direct financial theft." ZeroDayRAT is designed to support Android versions 5 through 16 and iOS versions up to 26. It's assessed that the malware is distributed via social engineering or fake app marketplaces. The malicious binaries are generated through a builder that's provided to buyers along with an online panel that they can set up on their own server. Once the malware infects a device, the operator gets to see all ...

Several state-sponsored actors, hacktivist entities, and criminal groups from China, Iran, North Korea, and Russia have trained their sights on the defense industrial base (DIB) sector, according to findings from Google Threat Intelligence Group (GTIG). The tech giant's threat intelligence division said the adversarial targeting of the sector is centered around four key themes: striking defense entities deploying technologies on the battlefield in the Russia-Ukraine War, directly approaching employees and exploitation of the hiring process by North Korean and Iranian actors, use of edge devices and appliances as initial access pathways for China-nexus groups, and supply chain risk stemming from the breach of the manufacturing sector. "Many of the chief state-sponsors of cyber espionage and hacktivist actors have shown an interest in autonomous vehicles and drones, as these platforms play an increasing role in modern warfare," GTIG said . "Further, the 'evasion...

The Netherlands' Dutch Data Protection Authority (AP) and the Council for the Judiciary confirmed both agencies (Rvdr) have disclosed that their systems were impacted by cyber attacks that exploited the recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM), according to a notice sent to the country's parliament on Friday. "On January 29, the National Cyber Security Center (NCSC) was informed by the supplier of vulnerabilities in EPMM," the Dutch authorities said . "EPMM is used to manage mobile devices, apps, and content, including their security." "It is now known that work-related data of AP employees, such as names, business email addresses, and telephone numbers, have been accessed by unauthorized persons." The development comes as the European Commission also revealed that its central infrastructure managing mobile devices "identified traces" of a cyber attack that may have resulted in access to names and mo...

As you know, enterprise network security has undergone significant evolution over the past decade. Firewalls have become more intelligent, threat detection methods have advanced, and access controls are now more detailed. However (and it’s a big “however”), the increasing use of mobile devices in business operations necessitates network security measures that are specifically tailored to their unique operating patterns. Yes, enterprises have invested heavily in robust network security such as firewalls, intrusion detection, and threat intelligence platforms. And yes, these controls work exceptionally well for traditional endpoints—but mobile devices operate differently! They connect to corporate Wi-Fi and public networks interchangeably. They run dozens of apps with varying trust levels. They process sensitive data in coffee shops, airports, and home offices. The challenge isn't that organizations lack security—it's that mobile devices need security controls that adapt to t...

Meta on Tuesday announced it's adding Strict Account Settings on WhatsApp to secure certain users against advanced cyber attacks because of who they are and what they do. The feature, similar to Lockdown Mode in Apple iOS and Advanced Protection in Android, aims to protect individuals, such as journalists or public-facing figures, from sophisticated spyware by trading some functionality for enhanced security. Once this security mode is enabled, some of the account settings will be locked to the most restrictive options, while simultaneously blocking attachments and media from people not in a user's contacts. "This lockdown-style feature bolsters your security on WhatsApp even further with just a few taps by locking your account to the most restrictive settings like automatically blocking attachments and media from unknown senders, silencing calls from people you don’t know, and restricting other settings that may limit how the app works," Meta said . The f...

In cybersecurity, the line between a normal update and a serious incident keeps getting thinner. Systems that once felt reliable are now under pressure from constant change. New AI tools, connected devices, and automated systems quietly create more ways in, often faster than security teams can react. This week’s stories show how easily a small mistake or hidden service can turn into a real break-in. Behind the headlines, the pattern is clear. Automation is being used against the people who built it. Attackers reuse existing systems instead of building new ones. They move faster than most organizations can patch or respond. From quiet code flaws to malware that changes while it runs, attacks are focusing less on speed and more on staying hidden and in control. If you’re protecting anything connected—developer tools, cloud systems, or internal networks—this edition shows where attacks are going next, not where they used to be. ⚡ Threat of the Week Critical Fortinet Flaw Comes Under...

This week made one thing clear: small oversights can spiral fast. Tools meant to save time and reduce friction turned into easy entry points once basic safeguards were ignored. Attackers didn’t need novel tricks. They used what was already exposed and moved in without resistance. Scale amplified the damage. A single weak configuration rippled out to millions. A repeatable flaw worked again and again. Phishing crept into apps people rely on daily, while malware blended into routine system behavior. Different victims, same playbook: look normal, move quickly, spread before alarms go off. For defenders, the pressure keeps rising. Vulnerabilities are exploited almost as soon as they surface. Claims and counterclaims appear before the facts settle. Criminal groups adapt faster each cycle. The stories that follow show where things failed—and why those failures matter going forward. ⚡ Threat of the Week Maximum Severity Security Flaw Disclosed in n8n — A maximum-severity vulnerability ...

The U.S. Federal Bureau of Investigation (FBI) on Thursday released an advisory warning of North Korean state-sponsored threat actors leveraging malicious QR codes in spear-phishing campaigns targeting entities in the country. "As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spear-phishing campaigns," the FBI said in the flash alert. "This type of spear-phishing attack is referred to as quishing." The use of QR codes for phishing is a tactic that forces victims to shift from a machine that's secured by enterprise policies to a mobile device that may not offer the same level of protection, effectively allowing threat actors to bypass traditional defenses. Kimsuky, also tracked as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima, is a threat group that's assessed to be affiliated with North Korea's...

The botnet known as Kimwolf has infected more than 2 million Android devices by tunneling through residential proxy networks, according to findings from Synthient. "Key actors involved in the Kimwolf botnet are observed monetizing the botnet through app installs, selling residential proxy bandwidth, and selling its DDoS functionality," the company said in an analysis published last week. Kimwolf was first publicly documented by QiAnXin XLab last month, while documenting its connections to another botnet known as AISURU. Active since at least August 2025, Kimwolf is assessed to be an Android variant of AISURU. There is growing evidence to suggest that the botnet is actually behind a series of record-setting DDoS attacks late last year. The malware turns infected systems into conduits for relaying malicious traffic and orchestrating distributed denial-of-service (DDoS) attacks at scale. The vast majority of the infections are concentrated in Vietnam, Brazil, India, and ...

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on Tuesday removed three individuals linked to the Intellexa Consortium, the holding company behind a commercial spyware known as Predator , from the specially designated nationals list. The names of the individuals are as follows - Merom Harpaz Andrea Nicola Constantino Hermes Gambazzi Sara Aleksandra Fayssal Hamou Hamou was sanctioned by OFAC in March 2024, and Harpaz and Gambazzi were targeted in September 2024 in connection with developing, operating, and distributing Predator. The Treasury's press release does not give any reason as to why they were removed from the list. However, in a statement shared with Reuters, it said the removal "was done as part of the normal administrative process in response to a petition request for reconsideration." The department added that the individuals had "demonstrated measures to separate themselves from the Intellexa Consortium....

Threat actors have been observed leveraging malicious dropper apps masquerading as legitimate applications to deliver an Android SMS stealer dubbed Wonderland in mobile attacks targeting users in Uzbekistan. "Previously, users received 'pure' Trojan APKs that acted as malware immediately upon installation," Group-IB said in an analysis published last week. "Now, adversaries increasingly deploy droppers disguised as legitimate applications. The dropper looks harmless on the surface but contains a built-in malicious payload, which is deployed locally after installation – even without an active internet connection." Wonderland (formerly WretchedCat), according to the Singapore-headquartered cybersecurity company, facilitates bidirectional command-and-control (C2) communication to execute commands in real-time, allowing for arbitrary USSD requests and SMS theft. It masquerades as Google Play, or files of other formats, such as videos, photos, and wedding in...

The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express). "The threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile devices," ENKI said . "The malicious app decrypts an embedded encrypted APK and launches a malicious service that provides RAT capabilities." "Since Android blocks apps from unknown sources and displays security warnings by default, the threat actor claims the app is a safe, official release to trick victims into ignoring the warning and installing the malware." According to the South Korean cybersecurity company, some of these artifacts masquerade as package delivery service apps. It's being assessed that the threat actors are using smishing texts or phi...

Cybersecurity researchers have disclosed details of two new Android malware families dubbed FvncBot and SeedSnatcher , as another upgraded version of ClayRat has been spotted in the wild. The findings come from Intel 471 , CYFIRMA , and Zimperium , respectively. FvncBot, which masquerades as a security app developed by mBank, targets mobile banking users in Poland. What's notable about the malware is that it's completely written from scratch and is not inspired by other Android banking trojans like ERMAC that have had their source code leaked. The malware "implemented multiple features including keylogging by abusing Android’s accessibility services, web-inject attacks, screen streaming and hidden virtual network computing (HVNC) to perform successful financial fraud," Intel 471 said. Similar to the recently uncovered Albiriox banking malware, the malware is protected by a crypting service known as apk0day that's offered by Golden Crypt. The malicious a...

A human rights lawyer from Pakistan's Balochistan province received a suspicious link on WhatsApp from an unknown number, marking the first time a civil society member in the country was targeted by Intellexa's Predator spyware, Amnesty International said in a report. The link, the non-profit organization said, is a "Predator attack attempt based on the technical behaviour of the infection server, and on specific characteristics of the one-time infection link which were consistent with previously observed Predator 1-click links." Pakistan has dismissed the allegations, stating "there is not an iota of truth in it." The findings come from a new joint investigation published in collaboration with Israeli newspaper Haaretz, Greek news site Inside Story, and Swiss tech site Inside IT. It's based on documents and other materials leaked from the company, including internal documents, sales and marketing material, and training videos. Intellexa is the mak...

Cybercriminals associated with a financially motivated group known as GoldFactory have been observed staging a fresh round of attacks targeting mobile users in Indonesia, Thailand, and Vietnam by impersonating government services. The activity , observed since October 2024, involves distributing modified banking applications that act as a conduit for Android malware, Group-IB said in a technical report published Wednesday. Assessed to be active as far back as June 2023, GoldFactory first gained attention early last year, when the Singapore-headquartered cybersecurity company detailed the threat actor's use of custom malware families like GoldPickaxe, GoldDigger, and GoldDiggerPlus targeting both Android and iOS devices. Evidence points to GoldFactory being a well-organized Chinese-speaking cybercrime group with close connections to Gigabud , another Android malware that was spotted in mid-2023. Despite major disparities in their codebases, both GoldDigger and Gigabud have bee...

Google on Monday released monthly security updates for the Android operating system, including two vulnerabilities that it said have been exploited in the wild. The patch addresses a total of 107 security flaws spanning different components, including Framework, System, Kernel, as well as those from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unison. The two high-severity shortcomings that have been exploited are listed below - CVE-2025-48633 - An information disclosure vulnerability in Framework CVE-2025-48572 - An elevation of privilege vulnerability in Framework As is customary, Google has not released any additional details about the nature of the attacks exploiting them, if they have been chained together or used separately, and the scale of such efforts. It's not known who is behind the attacks. However, the tech giant acknowledged in its advisory that there are indications they "may be under limited, targeted exploitation." Also fixed by Go...

India's telecommunications ministry has ordered major mobile device manufacturers to preload a government-backed cybersecurity app named Sanchar Saathi on all new phones within 90 days. According to a report from Reuters, the app cannot be deleted or disabled from users' devices. Sanchar Saathi , available on the web and via mobile apps for Android and iOS, allows users to report suspected fraud, spam, and malicious web links through call, SMS, or WhatsApp; block stolen handsets; and allow a mobile subscriber to check the number of mobile connections taken in their name. One of its important features is the ability to report incoming international calls that start with the country code for India (i.e., +91) to facilitate fraud. "Such international calls are received by illegal telecom setups over the internet from foreign countries and sent to Indian citizens disguised as domestic calls," the government notes on the website. "Reporting about such calls help...

A new Android malware named Albiriox has been advertised under a malware-as-a-service (MaaS) model to offer a "full spectrum" of features to facilitate on-device fraud (ODF), screen manipulation, and real-time interaction with infected devices. The malware embeds a hard-coded list comprising over 400 applications spanning banking, financial technology, payment processors, cryptocurrency exchanges, digital wallets, and trading platforms. "The malware leverages dropper applications distributed through social engineering lures, combined with packing techniques, to evade static detection and deliver its payload," Cleafy researchers Federico Valentini, Alessandro Strino, Gianluca Scotti, and Simone Mattia said . Albiriox is said to have been first advertised as part of a limited recruitment phase in late September 2025, before shifting to a MaaS offering a month later. There is evidence to suggest that the threat actors are Russian-speaking based on their activity o...