#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

mobile security | Breaking Cybersecurity News | The Hacker News

Android 15 Rolls Out Advanced Features to Protect Users from Scams and Malicious Apps

Android 15 Rolls Out Advanced Features to Protect Users from Scams and Malicious Apps
May 15, 2024 Android Security / Malware
Google is unveiling a set of new features in Android 15 to prevent malicious apps installed on the device from capturing sensitive data. This constitutes an update to the  Play Integrity API  that third-party app developers can take advantage of to secure their applications against malware. "Developers can check if there are other apps running that could be capturing the screen, creating overlays, or controlling the device," Dave Kleidermacher, vice president of engineering for Android security and privacy,  said . "This is helpful for apps that want to hide sensitive information from other apps and protect users from scams." Additionally, the Play Integrity API can be used to check if  Google Play Protect  is active and if the user's device is free of known malware before performing sensitive actions or handling sensitive data. Google, with Android 13, introduced a feature called  restricted settings  that by default blocks sideloaded apps from accessing

Kremlin-Backed APT28 Targets Polish Institutions in Large-Scale Malware Campaign

Kremlin-Backed APT28 Targets Polish Institutions in Large-Scale Malware Campaign
May 09, 2024 Mobile Security / Cyber Attack
Polish government institutions have been targeted as part of a large-scale malware campaign orchestrated by a Russia-linked nation-state actor called  APT28 . "The campaign sent emails with content intended to arouse the recipient's interest and persuade him to click on the link," the computer emergency response team, CERT Polska,  said  in a Wednesday bulletin. Clicking on the link redirects the victim to the domain run.mocky[.]io, which, in turn, is used to redirect to another legitimate site named webhook[.]site, a  free service  that allows developers to inspect data that's being sent via a webhook, in an effort to evade detection. The next step involves the download of a ZIP archive file from webhook[.]site, which contains the Windows Calculator binary that masquerades as a JPG image file ("IMG-238279780.jpg.exe"), a hidden batch script file, and another hidden DLL file ("WindowsCodecs.dll"). Should a victim run the application, the malic

Xiaomi Android Devices Hit by Multiple Flaws Across Apps and System Components

Xiaomi Android Devices Hit by Multiple Flaws Across Apps and System Components
May 06, 2024 Android / Data Security
Multiple security vulnerabilities have been disclosed in various applications and system components within Xiaomi devices running Android. "The vulnerabilities in Xiaomi led to access to arbitrary activities, receivers and services with system privileges, theft of arbitrary files with system privileges, [and] disclosure of phone, settings and Xiaomi account data," mobile security firm Oversecured  said  in a report shared with The Hacker News. The 20 shortcomings impact different apps and components like - Gallery (com.miui.gallery) GetApps (com.xiaomi.mipicks) Mi Video (com.miui.videoplayer) MIUI Bluetooth (com.xiaomi.bluetooth) Phone Services (com.android.phone) Print Spooler (com.android.printspooler) Security (com.miui.securitycenter) Security Core Component (com.miui.securitycore) Settings (com.android.settings) ShareMe (com.xiaomi.midrop) System Tracing (com.android.traceur), and Xiaomi Cloud (com.miui.cloudservice) Some of the notable flaws include a

Webinar: How to streamline security reviews with Trust Center

cyber security
websiteVantaCompliance / Security Audit
Learn how Vanta Trust Center can help provide real-time evidence for passing controls and automate responses to security questionnaires.

The Ultimate SaaS Security Posture Management Checklist, 2025 Edition

The Ultimate SaaS Security Posture Management Checklist, 2025 Edition
May 22, 2024SaaS Security / Threat Detection
Since the first edition of  The Ultimate SaaS Security Posture Management (SSPM) Checklist  was released three years ago, the corporate SaaS sprawl has been growing at a double-digit pace. In large enterprises, the number of SaaS applications in use today is in the hundreds, spread across departmental stacks, complicating the job of security teams to protect organizations against evolving threats. As SaaS security becomes a top priority, enterprises are turning to SaaS Security Posture Management (SSPM) as an enabler. The  2025 Ultimate SaaS Security Checklist , designed to help organizations choose an SSPM, covers all the features and capabilities that should be included in these solutions. Before diving into each attack surface, when implementing an SSPM solution, it's essential to cover a breadth of integrations, including out-of-the-box and custom app integrations, as well as in-depth security checks. While there are apps that are more sensitive and complex to secure, a breach c

Google Prevented 2.28 Million Malicious Apps from Reaching Play Store in 2023

Google Prevented 2.28 Million Malicious Apps from Reaching Play Store in 2023
Apr 29, 2024 Mobile Security / Hacking
Google on Monday revealed that almost 200,000 app submissions to its Play Store for Android were either rejected or remediated to address issues with access to sensitive data such as location or SMS messages over the past year. The tech giant also said it blocked 333,000 bad accounts from the app storefront in 2023 for attempting to distribute malware or for repeated policy violations. "In 2023, we prevented 2.28 million policy-violating apps from being published on Google Play in part thanks to our investment in new and improved security features, policy updates, and advanced machine learning and app review processes," Google's Steve Kafka, Khawaja Shams, and Mohet Saxena said . "To help safeguard user privacy at scale, we partnered with SDK providers to limit sensitive data access and sharing, enhancing the privacy posture for over 31 SDKs impacting 790K+ apps." In comparison, Google  fended off 1.43 million bad apps  from being published to the Play Sto

Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks

Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks
Apr 28, 2024 Credential Stuffing / Data Breach
Identity and access management (IAM) services provider Okta has warned of a spike in the "frequency and scale" of credential stuffing attacks aimed at online services. These unprecedented attacks, observed over the last month, are said to be facilitated by "the broad availability of residential proxy services, lists of previously stolen credentials ('combo lists'), and scripting tools," the company  said  in an alert published Saturday. The findings build on a  recent advisory  from Cisco, which cautioned of a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024. "These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Talos noted at the time, adding targets of the attacks comprise VPN appliances from Cisco, Check Point, Fortinet, Soni

New 'Brokewell' Android Malware Spread Through Fake Browser Updates

New 'Brokewell' Android Malware Spread Through Fake Browser Updates
Apr 26, 2024 Mobile Security / Cybercrime
Fake browser updates are being used to push a previously undocumented Android malware called  Brokewell . "Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware," Dutch security firm ThreatFabric  said  in an analysis published Thursday. The malware is said to be in active development, adding new commands to capture touch events, textual information displayed on screen, and the applications a victim launches. The list of Brokewell apps that masquerade as Google Chrome, ID Austria, and Klarna is as follows - jcwAz.EpLIq.vcAZiUGZpK (Google Chrome) zRFxj.ieubP.lWZzwlluca (ID Austria) com.brkwl.upstracking (Klarna) Like other recent Android malware families of its kind, Brokewell is capable of getting around restrictions imposed by Google that prevent sideloaded apps from requesting  accessibility service permissions . The banking trojan, once installed and launched for the first time, pro

Major Security Flaws Expose Keystrokes of Over 1 Billion Chinese Keyboard App Users

Major Security Flaws Expose Keystrokes of Over 1 Billion Chinese Keyboard App Users
Apr 24, 2024 Encryption / Mobile Security
Security vulnerabilities uncovered in cloud-based pinyin keyboard apps could be exploited to reveal users' keystrokes to nefarious actors. The findings come from the Citizen Lab, which discovered weaknesses in eight of nine apps from vendors like Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. The only vendor whose keyboard app did not have any security shortcomings is that of Huawei's. The vulnerabilities could be exploited to "completely reveal the contents of users' keystrokes in transit," researchers Jeffrey Knockel, Mona Wang, and Zoë Reichert  said . The disclosure builds upon prior research from the interdisciplinary laboratory based at the University of Toronto, which identified  cryptographic flaws  in Tencent's Sogou Input Method last August. Collectively, it's estimated that close to one billion users are affected by this class of vulnerabilities, with Input Method Editors (IMEs) from Sogou, Baidu, and iFlytek accounting fo

New Android Trojan 'SoumniBot' Evades Detection with Clever Tricks

New Android Trojan 'SoumniBot' Evades Detection with Clever Tricks
Apr 18, 2024 Mobile Security / Malware
A new Android trojan called  SoumniBot  has been detected in the wild targeting users in South Korea by leveraging weaknesses in the manifest extraction and parsing procedure. The malware is "notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest," Kaspersky researcher Dmitry Kalinin  said  in a technical analysis. Every Android app comes with a  manifest XML file  ("AndroidManifest.xml") that's located in the root directory and declares the various components of the app, as well as the permissions and the hardware and software features it requires. Knowing that threat hunters typically commence their analysis by inspecting the app's manifest file to determine its behavior, the threat actors behind the malware have been found to leverage three different techniques to make the process a lot more challenging. The first method involves the use of an invalid Compression method value when unpackin

Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users

Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users
Apr 15, 2024 Spyware / Mobile Security
Cybersecurity researchers have discovered a "renewed" cyber espionage campaign targeting users in South Asia with the aim of delivering an Apple iOS spyware implant called  LightSpy . "The latest iteration of LightSpy, dubbed 'F_Warehouse,' boasts a modular framework with extensive spying features," the BlackBerry Threat Research and Intelligence Team  said  in a report published last week. There is evidence to suggest that the campaign may have targeted India based on  VirusTotal   submissions  from within its borders. First documented in 2020 by Trend Micro and Kaspersky,  LightSpy  refers to an advanced iOS backdoor that's distributed via watering hole attacks through compromised news sites. A subsequent analysis from ThreatFabric in October 2023  uncovered  infrastructure and functionality overlaps between the malware and DragonEgg, a fully-featured Android spyware attributed to the Chinese nation-state group APT41 (aka Winnti). The initial in

'eXotic Visit' Spyware Campaign Targets Android Users in India and Pakistan

'eXotic Visit' Spyware Campaign Targets Android Users in India and Pakistan
Apr 10, 2024 Mobile Security / Spyware
An active Android malware campaign dubbed eXotic Visit has been primarily targeting users in South Asia, particularly those in India and Pakistan, with malware distributed via dedicated websites and Google Play Store. Slovak cybersecurity firm said the activity, ongoing since November 2021, is not linked to any known threat actor or group. It's tracking the group behind the operation under the name  Virtual Invaders . "Downloaded apps provide legitimate functionality, but also include code from the open-source Android  XploitSPY RAT ," ESET security researcher Lukáš Štefanko  said  in a technical report released today. The campaign is said to be highly targeted in nature, with the apps available on Google Play having negligible number of installs ranging from zero to 45. The apps have since been taken down. The fake-but-functional apps primarily masquerade as messaging services like Alpha Chat, ChitChat, Defcom, Dink Messenger, Signal Lite, TalkU, WeTalk, Wicker Mes

Google Sues App Developers Over Fake Crypto Investment App Scam

Google Sues App Developers Over Fake Crypto Investment App Scam
Apr 08, 2024 Investment Scam / Mobile Security
Google has filed a lawsuit in the U.S. against two app developers for allegedly engaging in an "international online consumer investment fraud scheme" that tricked users into downloading bogus Android apps from the Google Play Store and other sources and stealing their funds under the guise of promising higher returns. The individuals in question are Yunfeng Sun (aka Alphonse Sun) and Hongnam Cheung (aka Zhang Hongnim or Stanford Fischer), who are believed to be based in Shenzhen and Hong Kong, respectively. The defendants are said to have uploaded about 87 crypto apps to the Play Store to pull off the social engineering scam since at least 2019, with over 100,000 users downloading them and leading to substantial financial losses. "The gains conveyed by the apps were illusory," the tech giant said in its complaint. "And the scheme did not end there." "Instead, when individual victims attempted to withdraw their balances, defendants and their co

Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies

Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies
Apr 03, 2024 Mobile Security / Zero Day
Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies. The high-severity zero-day vulnerabilities are as follows - CVE-2024-29745  - An information disclosure flaw in the bootloader component CVE-2024-29748  - A privilege escalation flaw in the firmware component "There are indications that the [vulnerabilities] may be under limited, targeted exploitation," Google  said  in an advisory published April 2, 2024. While the tech giant did not reveal any other information about the nature of the attacks exploiting these shortcomings, the maintainers of GrapheneOS said they "are being actively exploited in the wild by forensic companies." "CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking," they  said  in a series of posts on X (formerly Twitter). "Forensic companies are rebooting devices in After First U

Malicious Apps Caught Secretly Turning Android Phones into Proxies for Cybercriminals

Malicious Apps Caught Secretly Turning Android Phones into Proxies for Cybercriminals
Apr 01, 2024 Botnet / Mobile Security
Several malicious Android apps that turn mobile devices running the operating system into residential proxies (RESIPs) for other threat actors have been observed on the Google Play Store. The findings come from HUMAN's Satori Threat Intelligence team, which said the cluster of VPN apps came fitted with a Golang library that transformed the user's device into a proxy node without their knowledge. The operation has been codenamed  PROXYLIB  by the company. The 29 apps in question have since been removed by Google. Residential proxies are a network of proxy servers sourced from real IP addresses provided by internet service providers (ISPs), helping users hide their actual IP addresses by routing their internet traffic through an intermediary server. The anonymity benefits aside, they are ripe for abuse by threat actors to not only obfuscate their origins, but also to conduct a wide range of attacks. "When a threat actor uses a residential proxy, the traffic from these

Vultur Android Banking Trojan Returns with Upgraded Remote Control Capabilities

Vultur Android Banking Trojan Returns with Upgraded Remote Control Capabilities
Apr 01, 2024 Mobile Security / Data Privacy
The Android banking trojan known as Vultur has resurfaced with a suite of new features and improved anti-analysis and detection evasion techniques, enabling its operators to remotely interact with a mobile device and harvest sensitive data. "Vultur has also started masquerading more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are decrypted on the fly, and using the guise of legitimate applications to carry out its malicious actions," NCC Group researcher Joshua Kamp  said  in a report published last week. Vultur was  first disclosed  in early 2021, with the malware capable of leveraging Android's accessibility services APIs to execute its malicious actions. The malware has been observed to be  distributed via trojanized dropper apps  on the Google Play Store, masquerading as authenticator and productivity apps to trick unwitting users into installing them. These dropper apps are offered as part of a dropper-as-a

PixPirate Android Banking Trojan Using New Evasion Tactic to Target Brazilian Users

PixPirate Android Banking Trojan Using New Evasion Tactic to Target Brazilian Users
Mar 13, 2024 Financial Fraud / Mobile Security
The threat actors behind the PixPirate Android banking trojan are leveraging a new trick to evade detection on compromised devices and harvest sensitive information from users in Brazil. The approach allows it to hide the malicious app's icon from the home screen of the victim's device, IBM said in a technical report published today. "Thanks to this new technique, during PixPirate reconnaissance and attack phases, the victim remains oblivious to the malicious operations that this malware performs in the background," security researcher Nir Somech  said . PixPirate, which was  first documented  by Cleafy in February 2023, is known for its abuse of Android's accessibility services to covertly perform unauthorized fund transfers using the PIX instant payment platform when a targeted banking app is opened. The constantly mutating malware is also capable of stealing victims' online banking credentials and credit card information, as well as capturing keystrokes and intercepting SMS mes

New Banking Trojan CHAVECLOAK Targets Brazilian Users via Phishing Tactics

New Banking Trojan CHAVECLOAK Targets Brazilian Users via Phishing Tactics
Mar 11, 2024 Phishing Attack / Mobile Security
Users in Brazil are the target of a new banking trojan known as  CHAVECLOAK  that's propagated via phishing emails bearing PDF attachments. "This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading techniques to execute the final malware," Fortinet FortiGuard Labs researcher Cara Lin  said . The attack chain involves the use of contract-themed DocuSign lures to trick users into opening PDF files containing a button to read and sign the documents. In reality, clicking the button leads to the retrieval of an installer file from a remote link that's shortened using the Goo.su URL shortening service. Present within the installer is an executable named "Lightshot.exe" that leverages DLL side-loading to load "Lightshot.dll," which is the CHAVECLOAK malware that facilitates the theft of sensitive information. This includes gathering system metadata and running checks to determine whether the compromis

How Cybercriminals are Exploiting India's UPI for Money Laundering Operations

How Cybercriminals are Exploiting India's UPI for Money Laundering Operations
Mar 04, 2024 Cybercrime / Mobile Security
Cybercriminals are using a network of hired money mules in India using an Android-based application to orchestrate a massive money laundering scheme. The malicious application, called  XHelper , is a "key tool for onboarding and managing these money mules," CloudSEK researchers Sparsh Kulshrestha, Abhishek Mathew, and Santripti Bhujel  said  in a report. Details about the scam  first emerged  in late October 2023, when Chinese cyber criminals were found to take advantage of the fact that Indian Unified Payments Interface ( UPI ) service providers operate without coverage under the Prevention of Money Laundering Act (PMLA) to initiate illegal transactions under the guise of offering an instant loan. The ill-gotten proceeds from the operation are transferred to other accounts belonging to hired mules, who are recruited from Telegram in return for commissions ranging from 1-2% of the total transaction amounts. "Central to this operation are Chinese payment gateways ex
Expert Insights
Cybersecurity Resources