spyware | Breaking Cybersecurity News | The Hacker News

Apple on Monday backported fixes for a recently patched security flaw that has been actively exploited in the wild. The vulnerability in question is CVE-2025-43300 (CVSS score: 8.8), an out-of-bounds write issue in the ImageIO component that could result in memory corruption when processing a malicious image file. "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals," the company said. Since then, WhatsApp has acknowledged that a vulnerability in its messaging apps for Apple iOS and macOS (CVE-2025-55177, CVSS score: 5.4) had been chained with CVE-2025-43300 as part of highly-targeted spyware attacks aimed at less than 200 individuals. While the shortcoming was first addressed by the iPhone maker late last month with the release of iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Ventura 13.7.8, macOS Sonoma 14.7.8, and macOS Sequoia 15.6.1, it has also been released for the f...

Apple has notified users in France of a spyware campaign targeting their devices, according to the Computer Emergency Response Team of France (CERT-FR). The agency said the alerts were sent out on September 3, 2025, making it the fourth time this year that Apple has notified citizens in the county that at least one of the devices linked to their iCloud accounts may have been compromised as part of highly-targeted attacks. The agency did not share further details on what triggered these alerts. Previous threat notifications were sent on March 5, April 29 , and June 25. Apple has been sending these notices since November 2021. "These complex attacks target individuals for their status or function: journalists, lawyers, activists, politicians, senior officials, members of steering committees of strategic sectors, etc," CERT-FR said. The development comes less than a month after it emerged that a security flaw in WhatsApp ( CVE-2025-55177 , CVSS score: 5.4) was chained wi...

Apple on Tuesday revealed a new security feature called Memory Integrity Enforcement (MIE) that's built into its newly introduced iPhone models, including iPhone 17 and iPhone Air. MIE, per the tech giant, offers "always-on memory safety protection" across critical attack surfaces such as the kernel and over 70 userland processes without sacrificing device performance by designing its A19 and A19 Pro chips keeping this aspect in mind. "Memory Integrity Enforcement is built on the robust foundation provided by our secure memory allocators, coupled with Enhanced Memory Tagging Extension (EMTE) in synchronous mode, and supported by extensive Tag Confidentiality Enforcement policies," the company noted . The effort is an aim to improve memory safety and prevent bad actors, specifically those leveraging mercenary spyware , from weaponizing such flaws in the first place to break into devices as part of highly-targeted attacks. The technology that underpins MIE...

Cybersecurity researchers are calling attention to a new shift in the Android malware landscape where dropper apps, which are typically used to deliver banking trojans, to also distribute simpler malware such as SMS stealers and basic spyware. These campaigns are propagated via dropper apps masquerading as government or banking apps in India and other parts of Asia, ThreatFabric said in a report last week. The Dutch mobile security firm said the change is driven by recent security protections that Google has piloted in select markets like Singapore, Thailand, Brazil, and India to block sideloading of potentially suspicious apps requesting dangerous permissions like SMS messages and accessibility services , a heavily abused setting to carry out malicious actions on Android devices.  "Google Play Protect's defences, particularly the targeted Pilot Program, are increasingly effective at stopping risky apps before they run," the company said. "Second, actors want t...

WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks. The vulnerability, CVE-2025-55177 (CVSS score: 5.4), relates to a case of insufficient authorization of linked device synchronization messages. Internal researchers on the WhatsApp Security Team have been credited with discovering and rerating the bug. The Meta-owned company said the issue "could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device." The flaw affects the following versions - WhatsApp for iOS prior to version 2.25.21.73 (Patched on July 28, 2025) WhatsApp Business for iOS version 2.25.21.78 (Patched on August 4, 2025), and WhatsApp for Mac version 2.25.21.78  (Patched on August 4, 2025) It also assessed that the shortcoming may have been chained with CVE-2025-43300, a ...

An abandoned update server associated with input method editor (IME) software Sogou Zhuyin was leveraged by threat actors as part of an espionage campaign to deliver several malware families, including C6DOOR and GTELAM, in attacks primarily targeting users across Eastern Asia. "Attackers employed sophisticated infection chains, such as hijacked software updates and fake cloud storage or login pages, to distribute malware and collect sensitive information," Trend Micro researchers Nick Dai and Pierre Lee said in an exhaustive report. The campaign, identified in June 2025, has been codenamed TAOTH by the cybersecurity company. Targets of the activity mainly include dissidents, journalists, researchers, and technology/business leaders in China, Taiwan, Hong Kong, Japan, South Korea, and overseas Taiwanese communities. Taiwan accounts for 49% of all targets, followed by Cambodia (11%) and the U.S. (7%). It's said the attackers, in October 2024, took control of the laps...

A threat activity cluster known as ShadowSilk has been attributed to a fresh set of attacks targeting government entities within Central Asia and Asia-Pacific (APAC). According to Group-IB, nearly three dozen victims have been identified, with the intrusions mainly geared towards data exfiltration. The hacking group shares toolset and infrastructural overlaps with campaigns undertaken by threat actors dubbed YoroTrooper, SturgeonPhisher, and Silent Lynx. Victims of the group's campaigns span Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan, and Turkmenistan, a majority of which are government organizations, and to a lesser extent, entities in the energy, manufacturing, retail, and transportation sectors. "The operation is run by a bilingual crew – Russian-speaking developers tied to legacy YoroTrooper code and Chinese-speaking operators spearheading intrusions, resulting in a nimble, multi-regional threat profile," researchers Nikita Rostovcev and Sergei Turner ...

Cybersecurity researchers have discovered a new variant of an Android banking trojan called HOOK that features ransomware-style overlay screens to display extortion messages. "A prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims to coerce the victim into remitting a ransom payment," Zimperium zLabs researcher Vishnu Pratapagiri said . "This overlay presents an alarming '*WARNING*' message, alongside a wallet address and amount, both of which are dynamically retrieved from the command-and-control server." The mobile security company said the overlay is remotely initiated when the command "ransome" is issued by the C2 server. The overlay can be dismissed by the attacker by sending the "delete_ransome" command. HOOK is assessed to be an offshoot of the ERMAC banking trojan, which, coincidentally, had its source code leaked on a publicly accessible directory over the int...

Google has released security updates to address multiple security flaws in Android, including fixes for two Qualcomm bugs that were flagged as actively exploited in the wild. The vulnerabilities include CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5), both of which were disclosed alongside CVE-2025-21480 (CVSS score: 8.6), by the chipmaker back in June 2025. CVE-2025-21479 relates to an incorrect authorization vulnerability in the Graphics component that could lead to memory corruption due to unauthorized command execution in GPU microcode. CVE-2025-27038, on the other hand, use-after-free vulnerability in the Graphics component that could result in memory corruption while rendering graphics using Adreno GPU drivers in Chrome. There are still no details on how these shortcomings have been weaponized in real-world attacks, but Qualcomm noted at the time that "there are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CV...

Cybersecurity researchers have unearthed new Android spyware artifacts that are likely affiliated with the Iranian Ministry of Intelligence and Security (MOIS) and have been distributed to targets by masquerading as VPN apps and Starlink, a satellite internet connection service offered by SpaceX. Mobile security vendor Lookout said it discovered four samples of a surveillanceware tool it tracks as DCHSpy one week after the onset of the Israel-Iran conflict last month. Exactly how many people may have installed these apps is not clear. "DCHSpy collects WhatsApp data, accounts, contacts, SMS, files, location, and call logs, and can record audio and take photos," security researchers Alemdar Islamoglu and Justin Albrecht said . First detected in July 2023, DCHSpy is assessed to be the handiwork of MuddyWater , an Iranian nation-state group tied to MOIS. The hacking crew is also called Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Se...

Russian organizations have been targeted as part of an ongoing campaign that delivers a previously undocumented Windows spyware called Batavia. The activity, per cybersecurity vendor Kaspersky, has been active since July 2024. "The targeted attack begins with bait emails containing malicious links, sent under the pretext of signing a contract," the Russian company said . "The main goal of the attack is to infect organizations with the previously unknown Batavia spyware, which then proceeds to steal internal documents." The email messages are sent from the domain "oblast-ru[.]com," which is said to be owned by the attackers themselves. The links embedded within the digital missives lead to the download of an archive file containing a Visual Basic Encoded script (.VBE) file. When executed, the script profiles the compromised host and exfiltrates the system information to the remote server. This is followed by the retrieval of a next-stage payload from t...

A mobile ad fraud operation dubbed IconAds that consisted of 352 Android apps has been disrupted, according to a new report from HUMAN. The identified apps were designed to load out-of-context ads on a user's screen and hide their icons from the device home screen launcher, making it harder for victims to remove them, per the company's Satori Threat Intelligence and Research Team. The apps have since been removed from the Play Store by Google. The ad fraud scheme accounted for 1.2 billion bid requests a day, at the height of its activity. The vast majority of IconAds-associated traffic originated from Brazil, Mexico, and the United States. It's worth noting that IconAds is a variant of a threat that's also tracked by other cybersecurity vendors under the names HiddenAds and Vapor , with the malicious apps repeatedly slipping past the Google Play Store since at least 2019 . Some of the common characteristics of these apps include the use of obfuscation to conceal...

Cybersecurity researchers have exposed the inner workings of an Android malware called AntiDot that has compromised over 3,775 devices as part of 273 unique campaigns. "Operated by the financially motivated threat actor LARVA-398, AntiDot is actively sold as a Malware-as-a-Service (MaaS) on underground forums and has been linked to a wide range of mobile campaigns," PRODAFT said in a report shared with The Hacker News. AntiDot is advertised as a "three-in-one" solution with capabilities to record the device screen by abusing Android's accessibility services, intercept SMS messages, and extract sensitive data from third-party applications. The Android botnet is suspected to be delivered via malicious advertising networks or through highly tailored phishing campaigns based on activity that indicates selective targeting of victims based on language and geographic location. AntiDot was first publicly documented in May 2024 after it was spotted being distribu...

Apple has disclosed that a now-patched security flaw present in its Messages app was actively exploited in the wild to target civil society members in sophisticated cyber attacks. The vulnerability, tracked as CVE-2025-43200, was addressed on February 10, 2025, as part of iOS 18.3.1, iPadOS 18.3.1 , iPadOS 17.7.5 , macOS Sequoia 15.3.1 , macOS Sonoma 14.7.4 , macOS Ventura 13.7.4 , watchOS 11.3.1 , and visionOS 2.3.1 . "A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link," the company said in an advisory, adding the vulnerability was addressed with improved checks. The iPhone maker also acknowledged that it's aware the vulnerability "may have been exploited in an extremely sophisticated attack against specifically targeted individuals." It's worth noting that the iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5 updates also resolved another actively exploited zero-day tracked as CVE-2025-24200. It's curr...

Qualcomm has shipped security updates to address three zero-day vulnerabilities that it said have been exploited in limited, targeted attacks in the wild. The flaws in question, which were responsibly disclosed to the company by the Google Android Security team, are listed below - CVE-2025-21479 and CVE-2025-21480 (CVSS score: 8.6) - Two incorrect authorization vulnerabilities in the Graphics component that could result in memory corruption due to unauthorized command execution in GPU microcode while executing a specific sequence of commands CVE-2025-27038 (CVSS score: 7.5) - A use-after-free vulnerability in the Graphics component that could result in memory corruption while rendering graphics using Adreno GPU drivers in Chrome "There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation," Qualcomm said in an advisory. "Patches for the issues affecting the Adreno Grap...