spyware | Breaking Cybersecurity News | The Hacker News

The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome , marking the first time the adversary has been discovered using mobile-only malware families in its attack campaigns. "BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims," Lookout said in an analysis. "Both BoneSpy and PlainGnome collect data such as SMS messages, call logs, phone call audio, photos from device cameras, device location, and contact lists." Gamaredon , also called Aqua Blizzard, Armageddon, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder, is a hacking group affiliated with Russia's Federal Security Service (FSB). Last week, Recorded Future's Insikt Group revealed the threat actor's use of Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting malicious payload...

Cybersecurity researchers have discovered a novel surveillance program that's suspected to be used by Chinese police departments as a lawful intercept tool to gather a wide range of information from mobile devices. The Android tool, codenamed EagleMsgSpy by Lookout, has been operational since at least 2017, with artifacts uploaded to the VirusTotal malware scanning platform as recently as September 25, 2024. "The surveillanceware consists of two parts: an installer APK, and a surveillance client that runs headlessly on the device when installed," Kristina Balaam, senior staff threat intelligence researcher at Lookout, said in a technical report shared with The Hacker News. "EagleMsgSpy collects extensive data from the user: third-party chat messages, screen recording and screenshot capture, audio recordings, call logs, device contacts, SMS messages, location data, [and] network activity." EagleMsgSpy has been described by its developers as a "compreh...

Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...

A Russian programmer accused of donating money to Ukraine had his Android device secretly implanted with spyware by the Federal Security Service (FSB) after he was detained earlier this year. The findings come as part of a collaborative investigation by First Department and the University of Toronto's Citizen Lab . "The spyware placed on his device allows the operator to track a target device's location, record phone calls, keystrokes, and read messages from encrypted messaging apps, among other capabilities," according to the report. In May 2024, Kirill Parubets was released from custody after a 15-day period in administrative detention by Russian authorities, during which time his phone, an Oukitel WP7 phone running Android 10, was confiscated from him. During this period, not only was he beaten to compel him into revealing his device password, he was also subjected to an "intense effort" to recruit him as an informant for the FSB, or else risk fac...

Apple has released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation in the wild. The flaws are listed below - CVE-2024-44308 (CVSS score: 8.8)  - A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content CVE-2024-44309 (CVSS score: 6.1)  - A cookie management vulnerability in WebKit that could lead to a cross-site scripting (XSS) attack when processing malicious web content The iPhone maker said it addressed CVE-2024-44308 and CVE-2024-44309 with improved checks and improved state management, respectively.  Not much is known about the exact nature of the exploitation, but Apple has acknowledged that the pair of vulnerabilities "may have been actively exploited on Intel-based Mac systems." Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group (TAG) have been credited with discovering and report...

Legal documents released as part of an ongoing legal tussle between Meta's WhatsApp and NSO Group have revealed that the Israeli spyware vendor used multiple exploits targeting the messaging app to deliver Pegasus, including one even after it was sued by Meta for doing so. They also show that NSO Group repeatedly found ways to install the invasive surveillance tool on the target's devices as WhatsApp erected new defenses to counter the threat. In May 2019, WhatsApp said it blocked a sophisticated cyber attack that exploited its video calling system to deliver Pegasus malware surreptitiously. The attack leveraged a then zero-day flaw tracked as CVE-2019-3568 (CVSS score: 9.8), a critical buffer overflow bug in the voice call functionality. The documents now show that NSO Group "developed yet another installation vector (known as Erised) that also used WhatsApp servers to install Pegasus." The attack vector – a zero-click exploit that could compromise a victim...

Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up. "While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ significantly due to platform differences," ThreatFabric said in an analysis published this week. LightSpy, first documented in 2020 as targeting users in Hong Kong, is a modular implant that employs a plugin-based architecture to augment its capabilities and allow it to capture a wide range of sensitive information from an infected device. Attack chains distributing the malware leverage known security flaws in Apple iOS and macOS to trigger a WebKit exploit that drops a file with the extension ".PNG," but is actually a Mach-O binary responsible for retrieving next-stage payloads...

Google has revealed the various security guardrails that have been incorporated into its latest Pixel devices to counter the rising threat posed by baseband security attacks. The cellular baseband (i.e., modem) refers to a processor on the device that's responsible for handling all connectivity, such as LTE, 4G, and 5G, with a mobile phone cell tower or base station over a radio interface. "This function inherently involves processing external inputs, which may originate from untrusted sources," Sherk Chung and Stephan Chen from the Pixel team, and Roger Piqueras Jover and Ivan Lozano from the company's Android team said in a blog post shared with The Hacker News. "For instance, malicious actors can employ false base stations to inject fabricated or manipulated network packets. In certain protocols like IMS (IP Multimedia Subsystem), this can be executed remotely from any global location using an IMS client." What's more, the firmware powering the...

A now-patched security vulnerability in OpenAI's ChatGPT app for macOS could have made it possible for attackers to plant long-term persistent spyware into the artificial intelligence (AI) tool's memory. The technique, dubbed SpAIware , could be abused to facilitate "continuous data exfiltration of any information the user typed or responses received by ChatGPT, including any future chat sessions," security researcher Johann Rehberger said . The issue, at its core, abuses a feature called memory , which OpenAI introduced earlier this February before rolling it out to ChatGPT Free, Plus, Team, and Enterprise users at the start of the month. What it does is essentially allow ChatGPT to remember certain things across chats so that it saves users the effort of repeating the same information over and over again. Users also have the option to instruct the program to forget something. "ChatGPT's memories evolve with your interactions and aren't linked to s...

The U.S. Department of Treasury has imposed fresh sanctions against five executives and one entity with ties to the Intellexa Consortium for their role in the development, operation, and distribution of a commercial spyware called Predator. "The United States will not tolerate the reckless propagation of disruptive technologies that threatens our national security and undermines the privacy and civil liberties of our citizens," said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, Bradley T. Smith. "We will continue to hold accountable those that seek to enable the proliferation of exploitative technologies, while also encouraging the responsible development of technologies that align with international standards." The sanctioned individuals and entities are listed below - Felix Bitzios, the beneficial owner of an Intellexa Consortium company that's believed to have supplied Predator to a foreign government client and the ...

Apple has filed a motion to "voluntarily" dismiss its lawsuit against commercial spyware vendor NSO Group, citing a shifting risk landscape that could lead to exposure of critical "threat intelligence" information. The development was first reported by The Washington Post on Friday. The iPhone maker said its efforts, coupled with those of others in the industry and national governments to tackle the rise of commercial spyware, have "substantially weakened" the defendants. "At the same time, unfortunately, other malicious actors have arisen in the commercial spyware industry," the company said. "It is because of this combination of factors that Apple now seeks voluntary dismissal of this case." "While Apple continues to believe in the merits of its claims, it has also determined that proceeding further with this case has the potential to put vital security information at risk." Apple originally filed the lawsuit again...

Users in Russia have been the target of a previously undocumented Android post-compromise spyware called LianSpy since at least 2021. Cybersecurity vendor Kaspersky, which discovered the malware in March 2024, noted its use of Yandex Cloud, a Russian cloud service, for command-and-control (C2) communications as a way to avoid having a dedicated infrastructure and evade detection. "This threat is equipped to capture screencasts, exfiltrate user files, and harvest call logs and app lists," security researcher Dmitry Kalinin said in a new technical report published Monday. It's currently not clear how the spyware is distributed, but the Russian company said it's likely deployed through either an unknown security flaw or direct physical access to the target phone. The malware-laced apps are disguised as Alipay or an Android system service. LianSpy, once activated, determines if it's running as a system app to operate in the background using administrator privi...

A new iteration of a sophisticated Android spyware called Mandrake has been discovered in five applications that were available for download from the Google Play Store and remained undetected for two years. The applications attracted a total of more than 32,000 installations before being pulled from the app storefront, Kaspersky said in a Monday write-up. A majority of the downloads originated from Canada, Germany, Italy, Mexico, Spain, Peru, and the U.K. "The new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment," researchers Tatyana Shishkova and Igor Golovin said . Mandrake was first documented by Romanian cybersecurity vendor Bitdefender in May 2020, describing its deliberate approach to infect a handful of devices...

Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S. "MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems," Fortinet FortiGuard Labs researcher Cara Lin said in a report published last week. The starting point of the attack chain is a Microsoft Word document that ostensibly contains a job description for a software engineer role. But opening the file triggers the exploitation of CVE-2021-40444 , a high-severity flaw in MSHTML that could result in remote code execution without requiring any user interaction. It was addressed by Microsoft as part of Patch Tuesday updates released in September 2021. In this case, it paves the way for the download of an HTML file ("olerender.html") from a remote s...

The threat actor known as Transparent Tribe has continued to unleash malware-laced Android apps as part of a social engineering campaign to target individuals of interest. "These APKs continue the group's trend of embedding spyware into curated video browsing applications, with a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans," SentinelOne security researcher Alex Delamotte said in a new report shared with The Hacker News. The campaign, dubbed CapraTube, was first outlined by the cybersecurity company in September 2023, with the hacking crew employing weaponized Android apps impersonating legitimate apps like YouTube to deliver a spyware called CapraRAT, a modified version of AndroRAT with capabilities to capture a wide range of sensitive data. Transparent Tribe, suspected to be of Pakistan origin, has leveraged CapraRAT for over two years in attacks targeting the Indian government and military personnel. The group has a history of lea...

The threat actor known as Arid Viper has been attributed to a mobile espionage campaign that leverages trojanized Android apps to deliver a spyware strain dubbed AridSpy. "The malware is distributed through dedicated websites impersonating various messaging apps, a job opportunity app, and a Palestinian Civil Registry app," ESET researcher Lukáš Štefanko said in a report published today. "Often these are existing applications that had been trojanized by the addition of AridSpy's malicious code." The activity is said to have spanned as many as five campaigns since 2022, with prior variants of AridSpy documented by Zimperium and 360 Beacon Labs . Three out of the five campaigns are still active. Arid Viper, a suspected Hamas-affiliated actor which is also called APT-C-23, Desert Falcon, Grey Karkadann, Mantis, and Two-tailed Scorpion, has a long track record of using mobile malware since its emergence in 2017. "Arid Viper has historically targeted mil...

Microsoft on Friday said it will disable its much-criticized artificial intelligence (AI)-powered Recall feature by default and make it an opt-in. Recall , currently in preview and coming exclusively to Copilot+ PCs on June 18, 2024, functions as an "explorable visual timeline" by capturing screenshots of what appears on users' screens every five seconds, which are subsequently analyzed and parsed to surface relevant information. But the feature, meant to serve as some sort of an AI-enabled photographic memory, was met with instantaneous backlash from the security and privacy community, which excoriated the company for having not thought through enough and implementing adequate safeguards that could prevent malicious actors from easily gaining a window into a victim's digital life. The recorded information could include screenshots of documents, emails, or messages containing sensitive details that may have been deleted or shared temporarily using disappearing ...