mobile security | Breaking Cybersecurity News | The Hacker News

Google has revealed that its transition to memory-safe languages such as Rust as part of its secure-by-design approach has led to the percentage of memory-safe vulnerabilities discovered in Android dropping from 76% to 24% over a period of six years. The tech giant said focusing on Safe Coding for new features not only reduces the overall security risk of a codebase, but also makes the switch more "scalable and cost-effective." Eventually, this leads to a drop in memory safety vulnerabilities as new memory unsafe development slows down after a certain period of time, and new memory safe development takes over, Google's Jeff Vander Stoep and Alex Rebert said in a post shared with The Hacker News. Perhaps even more interestingly, the number of memory safety vulnerabilities tends to register a drop notwithstanding an increase in the quantity of new memory unsafe code. The paradox is explained by the fact that vulnerabilities decay exponentially, with a study finding ...

Altered versions of legitimate Android apps associated with Spotify, WhatsApp, and Minecraft have been used to deliver a new version of a known malware loader called Necro. Kaspersky said some of the malicious apps have also been found on the Google Play Store. They have been cumulatively downloaded 11 million times. They include - Wuta Camera - Nice Shot Always (com.benqu.wuta) - 10+ million downloads Max Browser-Private & Security (com.max.browser) - 1+ million downloads As of writing, Max Browser is no longer available for download from the Play Store. Wuta Camera, on the other hand, has been updated (version 6.3.7.138) to remove the malware. The latest version of the app, 6.3.8.148, was released on September 8, 2024. It's currently not clear how both the apps were compromised with the malware in the first place, although it's believed that a rogue software developer kit (SDK) for integrating advertising capabilities is the culprit. Necro (not to be confused w...

Cybersecurity researchers have discovered a new version of an Android banking trojan called Octo that comes with improved capabilities to conduct device takeover ( DTO ) and perform fraudulent transactions. The new version has been codenamed Octo2 by the malware author, Dutch security firm ThreatFabric said in a report shared with The Hacker News, adding campaigns distributing the malware have been spotted in European countries like Italy, Poland, Moldova, and Hungary. "The malware developers took actions to increase the stability of the remote actions capabilities needed for Device Takeover attacks," the company said . Some of the malicious apps containing Octo2 are listed below - Europe Enterprise (com.xsusb_restore3) Google Chrome (com.havirtual06numberresources) NordVPN (com.handedfastee5) Octo was first flagged by the company in early 2022, describing it as the work of a threat actor who goes by the online aliases Architect and goodluck. It has been assessed...

Law enforcement authorities have announced the takedown of an international criminal network that leveraged a phishing platform to unlock stolen or lost mobile phones. The phishing-as-a-service (PhaaS) platform, called iServer, is estimated to have claimed more than 483,000 victims globally, led by Chile (77,000), Colombia (70,000), Ecuador (42,000), Peru (41,500), Spain (30,000), and Argentina (29,000). "The victims are mainly Spanish-speaking nationals from European, North American and South American countries," Europol said in a press statement. The action, dubbed Operation Kaerb, involved the participation of law enforcement and judicial agencies from Spain, Argentina, Chile, Colombia, Ecuador, and Peru. Pursuant to the joint exercise that took place between September 10 and 17, an Argentinian national responsible for developing and running the PhaaS service since 2018 has been arrested. In total, the operation led to 17 arrests, 28 searches, and the seizure of 92...

The GSM Association (GSMA), the governing body that oversees the development of the Rich Communications Services (RCS) protocol, on Tuesday, said it's working towards implementing end-to-end encryption (E2EE) to secure messages sent between the Android and iOS ecosystems. "The next major milestone is for the RCS Universal Profile to add important user protections such as interoperable end-to-end encryption," Tom Van Pelt, technical director of GSMA, said . "This will be the first deployment of standardized, interoperable messaging encryption between different computing platforms, addressing significant technical challenges such as key federation and cryptographically-enforced group membership." The development comes a day after Apple officially rolled out iOS 18 with support for RCS in its Messages app, which comes with advanced features like message reactions, typing indications, read receipts, and high-quality media sharing, among others. RCS, an impro...

Cryptocurrency exchange Binance is warning of an "ongoing" global threat that's targeting cryptocurrency users with clipper malware with the goal of facilitating financial fraud. Clipper malware, also called ClipBankers , is a type of malware that Microsoft calls cryware , which comes with capabilities to monitor a victim's clipboard activity and steal sensitive data a user copies, including replacing cryptocurrency addresses with those under an attacker's control. In doing so, digital asset transfers initiated on a compromised system are routed to a rogue wallet instead of the intended destination address. "In clipping and switching, a cryware monitors the contents of a user's clipboard and uses string search patterns to look for and identify a string resembling a hot wallet address," the tech giant noted way back in 2022. "If the target user pastes or uses CTRL + V into an application window, the cryware replaces the object in the clipbo...

Cybersecurity researchers have uncovered a new variant of an Android banking trojan called TrickMo that comes packed with new capabilities to evade analysis and display fake login screens to capture victims' banking credentials. "The mechanisms include using malformed ZIP files in combination with JSONPacker," Cleafy security researchers Michele Roviello and Alessandro Strino said . "In addition, the application is installed through a dropper app that shares the same anti-analysis mechanisms." "These features are designed to evade detection and hinder cybersecurity professionals' efforts to analyze and mitigate the malware." TrickMo, first caught in the wild by CERT-Bund in September 2019, has a history of targeting Android devices, particularly targeting users in Germany to siphon one-time passwords (OTPs) and other two-factor authentication (2FA) codes to facilitate financial fraud. The mobile-focused malware is assessed to be the work of ...

Bank customers in the Central Asia region have been targeted by a new strain of Android malware codenamed Ajina.Banker since at least November 2023 with the goal of harvesting financial information and intercepting two-factor authentication (2FA) messages. Singapore-headquartered Group-IB, which discovered the threat in May 2024, said the malware is propagated via a network of Telegram channels set up by the threat actors under the guise of legitimate applications related to banking, payment systems, and government services, or everyday utilities. "The attacker has a network of affiliates motivated by financial gain, spreading Android banker malware that targets ordinary users," security researchers Boris Martynyuk, Pavel Naumov, and Anvar Anarkulov said . Targets of the ongoing campaign include countries such as Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan. There is evidence to suggest that some aspects of...

Android device users in South Korea have emerged as a target of a new mobile malware campaign that delivers a new type of threat dubbed SpyAgent . The malware "targets mnemonic keys by scanning for images on your device that might contain them," McAfee Labs researcher SangRyol Ryu said in an analysis, adding the targeting footprint has broadened in scope to include the U.K. The campaign makes use of bogus Android apps that are disguised as seemingly legitimate banking, government facilities, streaming, and utility apps in an attempt to trick users into installing them. As many as 280 fake applications have been detected since the start of the year. It all starts with SMS messages bearing booby-trapped links that urge users to download the apps in question in the form of APK files hosted on deceptive sites. Once installed, they are designed to request intrusive permissions to collect data from the devices. This includes contacts, SMS messages, photos, and other device i...

Google has released its monthly security updates for the Android operating system to address a known security flaw that it said has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2024-32896 (CVSS score: 7.8), relates to a case of privilege escalation in the Android Framework component. According to the description of the bug in the NIST National Vulnerability Database (NVD), it concerns a logic error that could lead to local escalation of privileges without requiring any additional execution privileges. "There are indications that CVE-2024-32896 may be under limited, targeted exploitation," Google said in its Android Security Bulletin for September 2024. It's worth noting that CVE-2024-32896 was first disclosed in June 2024 as impacting only the Google-owned Pixel lineup. There are currently no details on how the vulnerability is being exploited in the wild, although GrapheneOS maintainers revealed that CVE-2024-32896...

Mobile users in Brazil are the target of a new malware campaign that delivers a new Android banking trojan named Rocinante. "This malware family is capable of performing keylogging using the Accessibility Service, and is also able to steal PII from its victims using phishing screens posing as different banks," Dutch security company ThreatFabric said . "Finally, it can use all this exfiltrated information to perform device takeover (DTO) of the device, by leveraging the accessibility service privileges to achieve full remote access on the infected device." Some of the prominent targets of the malware include financial institutions such as Itaú Shop, Santander, with the phony apps masquerading as Bradesco Prime and Correios Celular, among others - Livelo Pontos (com.resgatelivelo.cash) Correios Recarga (com.correiosrecarga.android) Bradesco Prime (com.resgatelivelo.cash) Módulo de Segurança (com.viberotion1414.app) Source code analysis of the malware has ...

Cybersecurity researchers have flagged multiple in-the-wild exploit campaigns that leveraged now-patched flaws in Apple Safari and Google Chrome browsers to infect mobile users with information-stealing malware. "These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices," Google Threat Analysis Group (TAG) researcher Clement Lecigne said in a report shared with The Hacker News. The activity, observed between November 2023 and July 2024, is notable for delivering the exploits by means of a watering hole attack on Mongolian government websites, cabinet.gov[.]mn and mfa.gov[.]mn. A watering hole attack, also called a strategic website compromise attack, is a form of cyber attack that targets groups of users or those within a particular industry by compromising websites that they commonly visit in order to serve them with malware and gain access to their systems. The intrusion set has been attributed wi...

Cybersecurity researchers have uncovered new Android malware that can relay victims' contactless payment data from physical credit and debit cards to an attacker-controlled device with the goal of conducting fraudulent operations. The Slovak cybersecurity company is tracking the novel malware as NGate, stating it observed the crimeware campaign targeting three banks in Czechia. The malware "has the unique ability to relay data from victims' payment cards, via a malicious app installed on their Android devices, to the attacker's rooted Android phone," researchers Lukáš Štefanko and Jakub Osmani said in an analysis. The activity is part of a broader campaign that has been found to target financial institutions in Czechia since November 2023 using malicious progressive web apps (PWAs) and WebAPKs. The first recorded use of NGate was in March 2024. The end goal of the attacks is to clone near-field communication (NFC) data from victims' physical payment ca...

Meta Platforms on Friday became the latest company after Microsoft, Google, and OpenAI to expose the activities of an Iranian state-sponsored threat actor, who it said used a set of WhatsApp accounts that attempted to target individuals in Israel, Palestine, Iran, the U.K., and the U.S. The activity cluster, which originated from Iran, "appeared to have focused on political and diplomatic officials, and other public figures, including some associated with administrations of President Biden and former President Trump," Meta said . The social media giant attributed it to a nation-state actor tracked as APT42, which is also known as Charming Kitten, Damselfly, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda. It's assessed to be linked to Iran's Islamic Revolutionary Guard Corps (IRGC). The adversarial collective is well-known for its use of sophisticated social engineering lures to spear-phish targets of interest with malware and steal their credenti...

What is Continuous Attack Surface Penetration Testing or CASPT? Continuous Penetration Testing or Continuous Attack Surface Penetration Testing (CASPT) is an advanced security practice that involves the continuous, automated, and ongoing penetration testing services of an organization's digital assets to identify and mitigate security vulnerabilities. CASPT is designed for enterprises with an evolving attack surface where periodic pentesting is no longer sufficient. Unlike traditional penetration testing, which is often performed annually or semi-annually, CASPT is an ongoing process that integrates directly into the software development lifecycle (SDLC), ensuring that vulnerabilities are discovered and addressed in real-time or near-real-time. CASPT is a proactive security measure designed to stay ahead of potential attackers by continuously evaluating the security posture of an organization. It enables security teams to identify critical entry points that could be exploited b...