With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.

Threat info

  • Ajina Android banking trojan has been targeting mobile banking users in Central Asia, particularly Uzbekistan, since November. It steals banking information and intercepts 2FA codes sent via SMS. It is distributed mostly via Telegram channels and sometimes via web resources. Ajina requests accessibility service permission to prevent uninstallation and acquire additional permissions.
  • Binance cryptocurrency exchange warns of a significant spike in clipper malware activity, especially on Android and web platforms. Clipper malware watches the clipboard for anything that looks like a wallet address and silently replaces it with an attacker-controlled one, so a victim who copies and pastes a recipient address into an otherwise genuine transaction sends the funds to the attacker. The campaign has already led to serious financial losses.
  • Copybara Android banking trojan campaign spreads via fake apps impersonating popular financial apps in Italy and Spain. Victims receive instructions over the phone (vishing) on how to install the malware. Copybara abuses Android’s accessibility service and supports major banking trojan features like keylogging, SMS stealing, overlay attacks, screen sharing, and remote control. The latest variants implement the MQTT protocol for communication with the C2 server.
  • Meta blocked malicious WhatsApp accounts due to their role in phishing campaigns against political and diplomatic officials and other public figures. This activity is attributed to Iran-sponsored threat actor APT42.
  • Microsoft’s cloud application Sway is being abused to host QR code phishing (quishing) content. The QR codes are meant to be scanned with a phone, so the victim lands on the phishing site from a mobile device, often a personal (BYOD) one that is less protected than a managed work laptop or desktop. The phishing sites imitate Microsoft 365 login pages to harvest credentials.
  • NGate Android malware relays NFC data from a physical payment card to an attacker-controlled phone via a malicious app installed on the victim’s Android phone. The attacker then uses the data to emulate the card and withdraws cash from an ATM. NGate targets bank customers in Czechia.
  • PWA and WebAPK phishing campaigns target customers of Czech, and to a lesser extent Hungarian and Georgian, banks on both Android and iOS. Because the fake app is installed from the browser rather than sideloaded, neither technique triggers the usual warnings about installing apps from unknown sources. The Progressive Web App (PWA) method works on both platforms, while the WebAPK method applies only to Android. Two different threat actors are actively using these techniques.
  • Quishing parking scams are on the rise in the UK. Through QR codes placed on the payment machines, victims are redirected to a phishing website impersonating a legitimate parking payment app.
  • Rocinante Android banking trojan abuses Android’s accessibility service to steal banking credentials and carry out on-device fraud. It is capable of keylogging, phishing attacks, and remote access sessions on the victim’s device. This malware masquerades as a security or banking app and is distributed through phishing websites. Rocinante primarily targets Brazilian banks.
  • SpyAgent Android spyware steals images from the victim’s device. It scans them on the server side and extracts cryptocurrency wallet recovery keys. Over 280 fake applications were detected in this malware campaign targeting users in South Korea since January.
  • The Telegram messaging app is banned on the official devices of government officials, military personnel, security and defense sector employees, and enterprises operating critical infrastructure in Ukraine due to cyberattacks, spreading phishing and malware, and geolocating users. Meanwhile, the South Korean police are investigating Telegram over the spread of sexually abusive deepfakes. Telegram swiftly removed the requested content from its platform.
  • TrickMo Android banking trojan has gained new anti-analysis mechanisms, such as a malformed ZIP structure and JSONPacker. Its primary targets remain banking applications across Europe, especially in Germany, but it has also gained infostealer functionality that can lead to identity theft. Like many other bankers, TrickMo abuses Android’s accessibility service and performs overlay attacks.
  • Xeon Sender is a tool for launching SMS spam and smishing campaigns through the APIs of legitimate SaaS providers. It relies on valid (typically stolen) user credentials rather than exploiting vulnerabilities and can send bulk SMS through nine different SMS service providers.
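Several of the families above (Ajina, Copybara, Rocinante, TrickMo) depend on the victim granting an accessibility service. A quick triage step on a suspect device is to list the enabled services and compare them with what the fleet is expected to have. The script below is an added example for this roundup, not Verimatrix code; it parses the value returned by `adb shell settings get secure enabled_accessibility_services` (colon-separated flattened component names, `package/ServiceClass`, or `null` when nothing is enabled). The sample setting, the package name `com.secure.bankupdate` and the allowlist are constructed for illustration.

```python
"""Flag enabled Android accessibility services that are not on an allowlist.

Added example for this roundup (not Verimatrix code).  Input is the string
`adb shell settings get secure enabled_accessibility_services` returns.
"""

# Constructed allowlist: services a managed fleet is expected to have enabled.
EXPECTED_SERVICES = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample: TalkBack plus a service registered by an app posing as a
# banking "security update" (hypothetical package name).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.secure.bankupdate/.core.A11yService"
)


def parse_enabled_services(setting):
    """Split the setting into (package, fully qualified service) pairs.

    Expands the ".Class" shorthand the same way ComponentName.unflattenFromString
    does, and treats "null" (the value printed for an unset key) as empty.
    """
    if setting is None or setting.strip() in ("", "null"):
        return []
    entries = []
    for item in setting.split(":"):
        item = item.strip()
        if not item:
            continue
        pkg, sep, svc = item.partition("/")
        if not sep:
            continue  # malformed entry: skip rather than crash on a hostile value
        if svc.startswith("."):
            svc = pkg + svc
        entries.append((pkg, svc))
    return entries


def unexpected_services(setting, expected=EXPECTED_SERVICES):
    """Return enabled services that are not on the allowlist.

    Anything listed here deserves a look, particularly if the owning package
    cannot be uninstalled through the normal settings UI, which is exactly what
    the bankers above use the accessibility service to prevent.
    """
    return [
        f"{pkg}/{svc}"
        for pkg, svc in parse_enabled_services(setting)
        if f"{pkg}/{svc}" not in expected
    ]


if __name__ == "__main__":
    for entry in unexpected_services(SAMPLE_SETTING):
        print("unexpected accessibility service:", entry)
```

On a real device, feed the script the output of the `adb shell settings get secure enabled_accessibility_services` command and follow up on any flagged package with `adb shell pm path <package>` and `dumpsys package <package>` to see where it was installed from.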
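The clipper technique in the Binance item above is simple enough to show end to end. The following is an added example for this roundup, not Binance's code or any malware sample: it implements the pattern-matching substitution a clipper performs on the clipboard and then shows why "validate the pasted address" is not a defence, since the attacker's address is a perfectly valid one and passes the Base58Check checksum. The only check that catches the swap is comparing the pasted address with the one obtained out of band. The address patterns, the clipboard contents and the two 20-byte key hashes are constructed for illustration.

```python
"""Clipper-style clipboard substitution, and why checksum validation does not
detect it.  Added example for this roundup (not Binance's code or a malware
sample); addresses and patterns are constructed for illustration."""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58check_encode(version: int, payload: bytes) -> str:
    """Base58Check: version || payload || first 4 bytes of double-SHA256."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = B58[r] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # each leading zero byte -> '1'
    return "1" * pad + digits


def b58check_valid(addr: str) -> bool:
    """True if the Base58Check checksum verifies (does NOT prove ownership)."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    if len(raw) < 5:
        return False
    return _checksum(raw[:-4]) == raw[-4:]


# Loose address patterns of the kind a clipper uses to spot a wallet address
# in the clipboard (constructed; real samples cover many more coin types).
ADDRESS_PATTERNS = {
    "btc_p2pkh": re.compile(r"\b1[1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[02-9ac-hj-np-z]{25,62}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def clipper_substitute(clipboard: str, attacker_addrs: dict) -> str:
    """What the malware does on every clipboard change: replace any address it
    recognises with the attacker's address of the same type."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if kind in attacker_addrs and pattern.search(clipboard):
            return pattern.sub(attacker_addrs[kind], clipboard)
    return clipboard


def paste_matches_intended(intended: str, pasted: str) -> bool:
    """The check that actually catches a swap: compare the pasted address with
    the one obtained out of band (address book, QR code, the recipient's
    message), in full rather than just the first and last few characters."""
    return intended == pasted


# Constructed 20-byte key hashes; version byte 0x00 gives legacy "1..." addresses.
VICTIM_ADDR = b58check_encode(0x00, bytes(range(1, 21)))
ATTACKER_ADDR = b58check_encode(0x00, bytes(range(21, 41)))


def simulate_payment() -> dict:
    """User copies the recipient's address, the clipper rewrites it, and the
    wallet app then inspects what was pasted."""
    clipboard = VICTIM_ADDR
    clipboard = clipper_substitute(clipboard, {"btc_p2pkh": ATTACKER_ADDR})
    return {
        "pasted": clipboard,
        # True: the attacker's address is a real, well-formed address.
        "checksum_ok": b58check_valid(clipboard),
        # False: only the out-of-band comparison notices the swap.
        "matches_intended": paste_matches_intended(VICTIM_ADDR, clipboard),
    }


if __name__ == "__main__":
    print(simulate_payment())
```

The same logic generalises to Ethereum and bech32 addresses (patterns included above); the checksum function is Bitcoin-specific, but the conclusion is the same for any checksummed address format.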

Vulnerabilities & patches

  • Google patched an actively exploited Android privilege escalation vulnerability (CVE-2024-32896) for all devices in the 2024-09-01 security patch level. It had previously been fixed only for Pixel devices, in the 2024-06-01 Pixel update.
  • A WhatsApp bug allows recipients to bypass the “View Once” privacy feature and keep the media.
  • GitLab patched two critical vulnerabilities (CVE-2024-6678 and CVE-2024-45409). All self-managed GitLab installations should be upgraded immediately.

Intelligence reports

  • Google’s Threat Analysis Group (TAG) reports that state-backed threat actors such as Russia’s APT29 have used iOS and Android n-day exploits identical or strikingly similar to ones previously used by commercial surveillance vendors. Although the patches were released some time ago, the exploits remain effective against the many devices that have not been updated.
  • Kaspersky’s IT threat evolution in the Q2 2024 Mobile Statistics report shows that unique Android banking trojan (ABT) installation packages increased by 11% compared to Q1 2024. The total number of attacks decreased due to the sharp drop in adware activity, while attacks against banking apps still grew.
  • Recorded Future’s “Predator Spyware Infrastructure Returns Following Exposure and Sanctions” report finds that the infrastructure of Predator, a mercenary spyware targeting Android and iPhone devices, is back in operation with improved operational security.
  • Joker, Anubis, and Hydra were the top three mobile malware families in August, according to Check Point’s Most Wanted Malware report.
  • The Mythical Beasts project report reveals the connections between 435 entities across forty-two countries in the global spyware market. It provides a detailed analysis of the loosely regulated and largely unknown spyware market.
  • The FBI’s Cryptocurrency Fraud Report 2023 shows a staggering 45% year-over-year increase in losses from cryptocurrency fraud.