As mobile apps and connected, unmanaged devices continue to dominate both personal and business markets, the need for comprehensive cybersecurity to protect these critical digital assets has never been more urgent.
The following mobile app threat watchlist, compiled by the data scientists at VMX Labs, presents an overview of 100 of the most significant mobile app threats found so far in 2024.
Mobile App Threats #1-25
- BingoMod Android banking trojan abuses Android’s accessibility service to carry out on-device fraud. It uses keylogging, SMS interception, and interactive remote screen-sharing to steal funds from the victim’s banking accounts. It can also perform on-device phishing using webinjects. This malware is still under development.
- Blankbot Android banking trojan, like many others, abuses Android’s accessibility service. It supports the major banking-trojan features: injections, keylogging, screen recording, and on-device fraud. It can create custom injects and likely targets mobile banking users in Turkey. This malware is still under development.
- Candiru’s mercenary spyware was used in an attempt to gain access to the mobile phone of a European Parliament member.
- Chameleon Android banking trojan, disguised as the Customer Relationship Management (CRM) app of a Canadian restaurant chain operating internationally, targets employees of the chain in Canada and Europe (possibly in the UK and Spain). Cybercriminals likely aim to infect a corporate employee with access to corporate banking accounts to steal bigger amounts at once. Financial organizations should address the higher risk of mobile malware attacks against business accounts accessed from mobile devices.
- Daggerfly threat group, also known as Evasive Panda and Bronze Highland, has updated its toolset. The new tools were first observed in attacks against organizations in Taiwan. Daggerfly uses a single, shared library or framework to create malware for different platforms, including Android OS. It is also capable of trojanizing Android apps.
- ERIAKOS scam e-commerce campaign targets Facebook users through ad lures. The scam websites can only be reached from mobile devices, most likely to keep them out of the view of web scanners.
- EvilVideo, a vulnerability in the Telegram app for Android, lets a malicious app shared in a chat appear as a video file in the victim’s chat view, which raises the odds of deceiving Telegram users into installing it. The flaw was fixed in app version 10.14.5.
- Gigabud and GoldDigger Android banking trojans are most likely developed by the same threat actor due to the numerous resemblances in their source codes. The threat actor has recently expanded its operations from Southeast Asia to other regions, including Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia.
- GXC Team cybercriminal group mainly develops phishing kits and Android SMS-stealer malware and offers a subscription model for accessing them. Its current targets are mostly Spanish banks; however, phishing kits for a wide variety of companies (tax and governmental services, e-commerce, banks, and cryptocurrency exchanges) in the United States, the United Kingdom, Slovakia, and Brazil are also available.
- Location-based dating (LBD) apps hold sensitive data. Researchers found that 6 out of 15 LBD apps leak users’ exact locations, which exposes users to physical threats.
- LianSpy Android spyware targets users in Russia. It obtains root privileges and presents novel features compared to financially motivated spyware, which probably indicates a mercenary background. It exfiltrates sensitive data from the victim’s device, personal files, and instant messaging apps.
- Life360, an international family location-safety app, leaked user data including phone numbers, possibly due to a flaw in its login API endpoint. 442,519 users were affected.
- Mandrake Android spyware has remained undetected in the Google Play Store since 2022 and has been downloaded 32k times in total. Most downloads were from Canada, Germany, Italy, Mexico, Spain, Peru, and the UK. This latest version of Mandrake is equipped with improved defense evasion and anti-analysis techniques. Its main objectives are stealing the user credentials and installing the next-stage malicious apps.
- Mobile Guardian, a device management app suite widely used in schools in Singapore, suffered a security breach. The attackers unenrolled iOS devices from the platform and remotely wiped pupils’ learning devices; about 13k devices in Singapore were affected.
- Ratel Android spyware masquerading as the Hamster Kombat clicker game targets Android users in Russia. The spyware is distributed via Telegram. It steals notifications from over 200 apps and subscribes the victim to premium services at their expense. It can also check the victim’s balance at a well-known bank.
- Smishing Triad, a Chinese-speaking threat actor specializing in smishing, impersonates India Post in their latest campaign to steal debit/credit card information from iPhone users in India. They send victims an iMessage with a URL to the phishing website, which collects a delivery fee.
- SMS-stealer malware campaigns are on the rise. Threat actors abuse top banking brands in India to lure mobile banking users into installing Android malware.
- An SMS-stealer malware campaign spreading across many countries was found to be the backbone of a virtual phone number service. Cybercriminals commonly use such services for SMS verification when registering fake accounts on legitimate websites and apps.
- Authy two-factor authentication (2FA) app user data, including phone numbers, was leaked due to an unauthenticated API endpoint. All users must update the app and watch out for phishing and smishing attacks. Later in the month, AT&T also announced a mobile customers’ call logs leak from a third-party data breach that exposed a big set of valid phone numbers.
- AzraelBot Android banking trojan (ABT) targets mobile banking users globally with manual and automatic overlay attacks.
- A Craxs RAT Android malware campaign targeting mobile banking users in Singapore is revealed. The campaign distributes fake mobile apps via phishing websites impersonating local online shopping platforms and many small businesses.
- GuardZoo Android surveillanceware, attributed to a Yemeni, Houthi-aligned threat actor, targets military personnel in the Middle East. It can install a second-stage payload on the victim’s device. The initial malware delivery method is via WhatsApp, WhatsApp Business, and direct browser download.
- Konfety, a massive ad fraud campaign, uses a novel “evil twin” app technique to hide its fraudulent traffic: a benign decoy app is published in the store while a look-alike twin app with the same package name, distributed outside the store, carries the fraud code and borrows the decoy’s identity.
- Medusa Android banking trojan (ABT), also known as TangleBot, evolved to a more compact version to evade detections while adding new capabilities like overlay attacks and uninstalling applications. It was observed that threat actors distributing Medusa ABT started to incorporate droppers in their delivery processes. Five Medusa campaigns targeting users in Turkey, Canada, the United States, Spain, France, Italy, and the United Kingdom were discovered.
- Apple sent mercenary spyware attack warnings to iPhone users in 98 countries, after a similar alert to users in 92 countries in April. These sophisticated attacks are narrowly targeted yet geographically widespread and are often used by nation-states to surveil journalists, activists, politicians, or diplomats.
Mobile App Threats #26-50
- OilAlpha threat group surveils humanitarian organizations in Yemen and, possibly, the broader Middle East with SpyNote Android spyware variants.
- Quishing attacks, which use malicious QR codes to send mobile users to phishing websites or malware downloads, have increased rapidly in 2024. A recent quishing campaign targets Chinese nationals with fake official government documents and tricks victims into disclosing their banking credentials under the pretext of identity verification.
- Rafel RAT, an open-source remote administration tool, is often misused by threat actors for extortion (ransomware) and sensitive data theft (spyware) like one-time password (OTP) theft. Rafel RAT campaigns mainly target Android users in the United States, China, and Indonesia, but victims were found in other countries as well. Most victim devices (87.5%) run deprecated Android versions.
- Singpass accounts, the trusted digital identity for Singapore citizens and residents, are being stolen and sold on the dark web. The number of underground vendors offering stolen Singaporean identity data has increased by 230%. Cybercriminals have been observed using the Nexus ABT, among other sources, to steal Singpass credentials from Android devices.
- Smishing attacks have increased by 7% in the US, and lures themed on the 2024 presidential election are on the rise.
- Smishing Triad, a Chinese-speaking threat actor specializing in smishing, impersonates postal companies such as India Post, Singapore Post, La Poste, and many more in their latest campaign. They use compromised or generated iCloud accounts to distribute the phishing URLs with iMessages.
- Snowblind Android malware repackages a target app and uses the Linux kernel’s seccomp facility to intercept the app’s file-access syscalls, so the app’s anti-tamper checks read the original, unmodified APK while the injected code runs and its accessibility service abuse stays hidden. It targets Southeast Asia.
- SpyMax RAT disguised as the Telegram app was unmasked.
- SpyNote Android spyware samples masquerading as legitimate apps such as Google Translate, Temp Mail, and Deutsche Postbank were discovered in open directories.
- Transparent Tribe APT group updated CapraRAT to be able to target newer Android versions. The latest samples show that the threat actor continues to use video browsing apps to distribute spyware and surveil its targets.
- Anatsa Android banking trojan, also known as Teabot, spreads via the Google Play Store. Two malicious apps (a PDF reader and a QR reader) with over 70K combined downloads were identified. They are benign at install time and later drop the Anatsa payload to evade detection. Once installed, Anatsa exfiltrates banking credentials and financial information from the victim’s financial apps, relying mostly on overlay attacks and accessibility service abuse. Anatsa campaigns historically target mobile banking users in the US and UK; however, they have recently expanded to Germany, Spain, Finland, South Korea, and Singapore.
- Antidot Android banking trojan was discovered. It is distributed as a fake Google Play update app supporting multiple languages and can perform overlay attacks, keylogging, and remote device control over virtual network computing (VNC).
- Arid Viper APT group embeds spyware into legitimate apps and employs these weaponized apps in espionage campaigns against targets in Egypt and Palestine.
- Bankbot Android banking trojan campaign targets mobile banking users in Uzbekistan.
- CraxsRAT, an advanced variant of SpyNote, is used actively in Latin America to attack mobile banking and financial service apps. Threat actors misuse well-known bank and telecommunications brands to lure Android users into installing malicious fake apps.
- GitCaught: Russian-speaking threat actors abuse legitimate internet services such as GitHub to distribute a collection of malware families. The malware served is selected by the victim device’s operating system and architecture; the Octo Android banking trojan is delivered to Android devices.
- Mobile app source code repositories of the New York Times, including the popular Wordle game and Athletic sports news, were leaked in a data breach. Mobile app users must watch out for the malicious versions of these apps.
- Operation Celestial Force deploys GravityRAT Android malware for espionage and surveillance operations against high-value targets in India. This malware campaign is run by the Pakistani threat actor, Cosmic Leopard.
- The pcTattletale stalkerware app was found installed on hotel check-in systems, where it captured guests’ reservation information. It is available for Windows and Android and monitors device screens remotely. Beyond its malicious use, the app’s backend API has a critical flaw that lets an attacker retrieve the most recent screen recordings.
- Telecom operators’ smishing protections can be bypassed with a homemade cell tower that delivers SMS directly to nearby handsets, never passing through the operator’s filters. Two suspects were arrested in what is considered the first case of its kind in the UK.
- SpyNote Android spyware masquerading as an Avast anti-virus app is distributed via legitimate-looking fake websites.
- Storm-0539 threat actor targets US retail corporate employees with smishing messages on their personal and work mobile devices for gift and payment card fraud.
- Vultur Android banking trojan, disguised as security apps from well-known brands, is used against Finnish mobile banking users.
- Brokewell Android banking trojan has extensive device takeover capabilities, although it is still in the active development phase and getting updates daily. Like most Android banking malware, it can perform overlay attacks by abusing Android’s accessibility service. Additionally, cybercriminals behind the Brokewell operations developed a loader to bypass Android 13+ countermeasures against accessibility service abuse and open-sourced it.
- Dirty Stream attack exploits a path traversal pattern found in popular Android applications with more than four billion combined downloads from the Google Play Store. A vulnerable app accepts a file stream shared by another app and saves it under the file name the sending app supplies (the content provider’s DISPLAY_NAME) without sanitizing it, so a name containing ../ segments lets a malicious app overwrite files in the target application’s private data directory. Depending on the vulnerable app’s implementation, arbitrary code execution and token theft are also possible.
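As an added illustration of the Dirty Stream pattern (a Python model written for this page, not Microsoft’s or any vendor’s code), the following runs the vulnerable receiver and a hardened one side by side. Android API names appear only in comments; the scratch directory layout, the attacker-supplied file name and the payload bytes are constructed for the demo.

```python
"""
Model of the Dirty Stream pattern in plain Python (not Android code):
a receiving app saves a stream shared by another app under the file
name the *sender* supplies. Android equivalents are noted in comments.
"""
import os
import tempfile


class SenderProvider:
    """Stands in for the sending app's ContentProvider (constructed)."""

    def __init__(self, display_name: str, payload: bytes):
        self.display_name = display_name
        self.payload = payload

    def query_display_name(self) -> str:
        # Android: the OpenableColumns.DISPLAY_NAME column returned by
        # ContentResolver.query(uri, ...). Fully attacker-controlled.
        return self.display_name

    def open_input_stream(self) -> bytes:
        # Android: ContentResolver.openInputStream(uri)
        return self.payload


def save_unsafe(provider: SenderProvider, cache_dir: str) -> str:
    """Vulnerable receiver: joins the sender-supplied name onto its cache
    dir and writes. "../" segments walk out of cache_dir into the app's
    private data directory (shared_prefs, databases, native libs, ...)."""
    target = os.path.join(cache_dir, provider.query_display_name())
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as f:
        f.write(provider.open_input_stream())
    return target


def safe_target_path(cache_dir: str, display_name: str) -> str:
    """Hardened: accept only a bare file name, then canonicalize and require
    the result to stay inside cache_dir. Android: File.getCanonicalPath()
    and startsWith(cacheDir.getCanonicalPath() + File.separator)."""
    if not display_name or display_name != os.path.basename(display_name):
        raise ValueError(f"rejected sender-supplied name: {display_name!r}")
    base = os.path.realpath(cache_dir)
    candidate = os.path.realpath(os.path.join(base, display_name))
    if not candidate.startswith(base + os.sep):
        raise ValueError(f"path traversal rejected: {display_name!r}")
    return candidate


def save_hardened(provider: SenderProvider, cache_dir: str) -> str:
    target = safe_target_path(cache_dir, provider.query_display_name())
    with open(target, "wb") as f:
        f.write(provider.open_input_stream())
    return target


def _accepts(cache_dir: str, name: str) -> bool:
    try:
        safe_target_path(cache_dir, name)
        return True
    except ValueError:
        return False


def run_demo() -> dict:
    """Runs both receivers against a malicious provider inside a scratch
    'app home' laid out like /data/data/<pkg>/ and reports what happened."""
    app_home = tempfile.mkdtemp(prefix="dirty_stream_")
    cache_dir = os.path.join(app_home, "cache")
    prefs_dir = os.path.join(app_home, "shared_prefs")
    os.makedirs(cache_dir)
    os.makedirs(prefs_dir)

    # Constructed attacker input: a traversal name that lands on the
    # victim app's preferences file, plus a benign share for comparison.
    evil = SenderProvider(
        "../shared_prefs/app_config.xml",
        b'<map><string name="api_base">http://attacker.invalid</string></map>',
    )
    benign = SenderProvider("report.pdf", b"%PDF-1.4 constructed sample\n")

    unsafe_path = os.path.realpath(save_unsafe(evil, cache_dir))
    hardened_rejected = not _accepts(cache_dir, evil.query_display_name())
    benign_path = save_hardened(benign, cache_dir)

    probes = ["../x", "..", "/etc/passwd", "sub/dir.txt", "", "ok.txt"]
    return {
        "unsafe_wrote_to": unsafe_path,
        "prefs_overwritten": os.path.isfile(os.path.join(prefs_dir, "app_config.xml")),
        "hardened_rejected": hardened_rejected,
        "benign_saved_in_cache": os.path.dirname(benign_path) == os.path.realpath(cache_dir),
        "rejected_probe_names": [p for p in probes if not _accepts(cache_dir, p)],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The canonical-path containment check is the general remedy; the bare-file-name check in front of it is belt and braces, and an app that does not need the sender’s name at all is better off generating its own.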
Mobile App Threats #51-75
- LightSpy iOS spyware campaign targets South Asia and probably India. It steals personal documents and files from apps, stealthily records ambient sound from the device’s microphone and takes pictures with the camera, monitors user activity, and retrieves sensitive data from the user’s secure storage.
- Masquerading as a well-known app is a widespread tactic for Android remote access trojans to trick victims into installing them. Some use on-device phishing as the main attack vector. They request accessibility service and device admin permissions. Fake login forms of targeted brands appear on the device screen from time to time to steal user credentials.
- Mercenary spyware attack warnings were sent to iPhone users in 92 countries by Apple. These sophisticated attacks are very targeted and often used for surveillance of journalists, activists, politicians, or diplomats by nation-states.
- Bribes are being offered to American telecommunications company employees to tempt them into performing illegal SIM swaps. The cybercriminals then receive the two-factor authentication codes sent to the victim and take over the victim’s accounts.
- Smishing campaigns of unpaid toll scams are seen in three states of the USA.
- SoumniBot, an Android banking trojan, targets mobile banking users in Korea. Its developers applied unconventional obfuscation techniques to the manifest file, which let it evade detection by off-the-shelf analysis tools. Notably, this banking trojan finds and exfiltrates digital certificates, such as those used to sign in to online banking accounts or authorize transactions.
- Storm-0539 threat actor targets US retail corporate employees with sophisticated phishing attacks on their personal and work mobile devices. Once an employee’s credentials are compromised, adversaries access and gather information on the business network to identify the gift card business processes and pivot to specific employees whose accounts enable attackers to create fraudulent gift cards.
- Vultur Android banking trojan campaign targets mobile banking users in Finland.
- Wpeeper Android trojan uses compromised WordPress websites as proxies in front of its actual command and control (C2) servers, which makes the C2 servers hard to track. Repackaged apps are used to deliver the malware and evade detection: a small implant in the repackaged app downloads the malicious payload. The campaign was aborted abruptly four days after it was first observed, so the threat actor’s intentions remain unclear.
- Coper and Octo, the Exobot Android banking trojan descendants, are being used actively to target online banking users in Portugal, Spain, Turkey, and the United States. They implement standard attack techniques of advanced Android banking malware and abuse Android’s accessibility service. The notable techniques are overlay attacks, keylogging, screen sharing for remote access, and controlling SMS and push notifications.
- CriminalMW Android banking trojan targets 10 Brazilian banks through the PIX instant payment platform. This fast-evolving threat is the third edition of the malware family, previously GoatRAT and FantasyMW, from the same threat actor in a year. It mainly uses an Automated Transfer System (ATS) enabled by accessibility service abuse to execute a PIX transaction from the victim’s banking app. It is offered on a rental basis for $5000 per month.
- eXotic Visit espionage campaign deploys open-source XploitSPY malware to target high-risk individuals mainly in Pakistan and India. It masquerades as a legitimate messaging app and sometimes manages to infiltrate the Google Play Store. Very low download numbers in the Play Store indicate a targeted nature of this campaign.
- A fake Leather Wallet app was found in the Apple App Store. It is a crypto drainer designed to steal the victim’s passphrase and transfer all digital assets to a cybercriminal-controlled wallet. The fake app was removed from the official store after being available for over two weeks. Crypto drainers have become very common in the last few years with the increased popularity of cryptocurrencies, and their presence in the official app stores is alarming.
- FlexStarling Android spyware is distributed by the threat actor Starry Addax to target human rights activists in North Africa.
- The Hornet dating app used to expose its users’ location to within 10 m, even for users who had not enabled location sharing, because the distances it reported could be trilaterated. Recent updates coarsen the distance information so that a user’s location can only be narrowed to about 50 m.
- Multi-factor authentication fatigue attacks have been reported by several iPhone users recently. It turns out that a bug in the password reset feature enabled attackers to send a flood of Apple ID password reset notifications.
- Pegasus commercial spyware continues to be a primary tool to spy on high-risk iPhone users.
- PixPirate, a specialized Android banking trojan targeting the PIX instant payment platform in Brazil, carries out a new defense evasion technique to suppress its launcher icon from being displayed to the victim. Android 10 introduced countermeasures to prevent malicious applications from suppressing their launcher icon, but threat actors found a new way to circumvent these changes.
- The PROXYLIB investigation uncovered 28 malicious VPN apps in the Google Play Store that silently turn users’ phones into residential proxy nodes. This is a common monetization technique for free VPN apps, and cybercriminals buy access to these proxies to hide their operations.
- Venmo, a popular payment app, is being misused to distribute phishing emails.
- Vultur, an Android banking trojan, has a new variant that offers better control of the infected device by abusing the accessibility service and improved defense evasion techniques. A significant new technique to keep it under the radar is to use the official Android Accessibility Suite’s package name for its accessibility service.
- Anatsa, an Android banking trojan also known as TeaBot, has expanded to new countries in a recent campaign. In addition to the previous targets of the UK, Germany, and Spain, Anatsa is now seen in Czechia, Slovakia, and Slovenia. It abuses Android’s Accessibility service and executes fraudulent transactions within the victim’s device.
- GoldPickaxe, the latest variant of the GoldDigger Android banking trojan family from the GoldFactory threat group, has become more powerful with the capability of targeting both Android and iOS platforms. The threat actor developed two different versions of the malware to be able to attack mobile banking users in Thailand and probably Vietnam, regardless of the platform. Most notably, it presents emerging techniques to bypass the newly introduced facial biometric verification security measure used in banking transactions in Thailand. The Android version of the trojan abuses the Accessibility service and performs overlay attacks.
- I-Soon, a contractor for Chinese state agencies for foreign hacking and espionage campaigns, had a security breach. A rich collection of internal documents showing the services that the tech company offers, including spying on Android and iOS devices, was leaked.
- Joker, an Android RAT also known as Copybara, has been used in an active attack campaign targeting Spain, Italy, and the UK. Victims are directed to a phishing website impersonating well-known banks and, steered by smishing and vishing, sideload a fake banking app. This app carries the Joker trojan and performs on-device fraud (ODF), which leaves none of the traditional risk indicators behind and poses a real challenge for the anti-fraud systems of financial institutions. It abuses Android’s Accessibility service and performs the standard attacks: overlay, keylogging, and remote control (VNC).
Mobile App Threats #76-100
- Samecoin, an attack campaign that tricks Israeli citizens by impersonating the Israeli National Cyber Directorate, distributes an Android malicious app and wipes the victims’ mobile phones.
- Smart ski and bike helmet apps from a popular brand have a simple security design flaw that exposes their users’ real-time location data and audio chats.
- SpyNote Android RAT spreads via fake video conferencing apps impersonating Google Meet, Skype, and Zoom in a new attack campaign. All websites used in the distribution of fake apps were hosted on the same IP address, and all content was written in Russian, which provides an insight into the people being targeted in this campaign.
- Teabot, an Android banking trojan also known as Anatsa, increased its activity in several European countries. It spreads through a dropper app in the Google Play Store and performs account takeover (ATO) fraud to steal from its victims by misusing the Accessibility permissions.
- The VoltSchemer attack demonstrates a novel way for injecting inaudible voice commands into a charging smartphone’s voice assistant by just manipulating the power source of the wireless charger.
- A copycat of the LastPass mobile app was found in the Apple App Store. The fraudulent app is called LassPass Password Manager, and it has already been removed from the official store. Password manager apps store user credentials, and thus they are top targets of cybercriminals.
- Apple’s AirDrop sender identifiers were reportedly decoded by the Beijing Wangshendongjian Judicial Appraisal Institute. The forensic lab built a tool for Chinese authorities that recovers the sender’s phone number and email address from the device logs on the recipient’s iPhone. AirDrop exchanges these identifiers as plain SHA-256 hashes; because phone numbers come from a small space and the hashes carry no secret salt, they can be reversed with precomputed rainbow tables.
- Fake Scameter mobile app is used to scam Hongkongers. Ironically, the original app is designed to help the public identify scams.
- iOS apps can abuse push notifications to forward analytics data and device information. iOS does not let apps run freely in the background, but it gives an app a short window to process an incoming push notification before it is shown to the user. Some data-hungry apps use this window to collect and report data that can fingerprint and track users even when the app is not in use at all.
- MavenGate is a recently discovered supply chain attack that can infect Java and Android applications through unmaintained and abandoned dependencies. In the Maven ecosystem, which Gradle builds on as well, a library’s group ID is derived from a domain name, and repositories verify ownership of a group ID through control of that domain. Once a project’s domain expires, a malicious actor can re-register it and take over the group ID. A malicious version of the library can then be distributed as a new release or replace an existing release.
- Moqhao, also known as XLoader, is an Android malware deployed by the Roaming Mantis campaign. The latest variant has a new capability. It automatically launches after installation without user interaction. This variant targets Android users mainly in Japan and South Korea, but also in France, Germany, and India. It attacks victims by delivering phishing messages for financial gain.
- Romance scams increased by 22% last year. £6,937 was stolen on average per victim. Social media and dating apps are usually misused by romance scammers to lure their victims.
- The unauthenticated keystroke injection attack in Bluetooth can trigger a factory reset and remotely wipe data on a mobile phone. The Bluetooth vulnerability that enables this attack has been fixed for only newer Android and iOS devices.
- Two US insurance firms informed 66,000 people that their personal information may have been stolen in SIM-swapping attacks. Second factors that do not travel over SMS, such as authenticator apps, are not captured by a SIM swap.
- VajraSpy, an Android spyware developed by the Patchwork APT, steals contacts, files, call logs, and SMS messages. Some advanced variants can also steal WhatsApp and Signal messages, record calls, and take photos. Patchwork distributes trojanized apps via the Google Play Store and third-party app stores to target users in Pakistan.
- Wizz app, a social media app for teenagers with approximately 20 million active users, has been removed from the Apple App Store and the Google Play Store due to financial sextortion scams targeting its users.
- AutoSpill is a new attack on Android that steals login credentials while a password manager autofills saved credentials into a login page loaded in a WebView, the browser component embedded in native apps to render web pages. Because the password manager does not properly separate the WebView’s web content from the host app’s own input fields, a malicious host app that embeds a legitimate login page can capture the credentials meant for that site. Most Android password managers are vulnerable, and all password managers under test were vulnerable when JavaScript is enabled in the WebView.
- BLUFFS (Bluetooth Forward and Future Secrecy Attacks and Defenses) breaks Bluetooth sessions’ forward secrecy. It is composed of six different attacks exploiting architectural flaws that are independent of the hardware model and software version. Various models of iPhone, Pixel, Mi, and Galaxy smartphones are affected.
- Chameleon Android banking trojan (ABT) has a new variant that adds Italy and the UK to its existing targets of Australia and Poland. This improved variant shows the victim modified instructions for manually circumventing the Android 13 restricted settings countermeasure and granting the Accessibility service permissions it abuses. It also implements an alternative way to detect the foreground application, which triggers the overlay attack even without Accessibility service permissions. Chameleon ABT is an active threat evolving with improved defense evasion.
- Fake lockdown mode research demonstrates a proof-of-concept post-exploitation tampering technique. It enables malware to deceive victims that their iPhones are in lockdown mode.
- Malicious ChatGPT agents can exfiltrate sensitive data in conversations to third-party servers without user consent. OpenAI has already implemented a fix for the ChatGPT web app. iOS (and probably Android) apps are not patched yet.
- Operation Triangulation researchers disclosed the last exploit in the attack chain that spied on the iPhones of Kaspersky security researchers. It relies on an undocumented hardware feature, unused memory-mapped registers of the SoC, that lets an attacker write to physical memory and bypass hardware-based memory protection. How the attackers discovered this feature is still unknown.
- Smishing Triad group is a Chinese-speaking threat actor specializing in smishing. In their latest campaign, they impersonate the United Arab Emirates Federal Authority for Identity and Citizenship to steal personally identifiable information (PII) and credit card data from UAE residents and foreigners living in or visiting the country.
- SpyLoan, a family of malicious loan apps, surged in 2023. These apps exploit people in need with high-interest loans and spy on them to blackmail them into repaying. It is a digital loan-shark scheme that reaches a broader audience through technology; because an app can harvest contacts, photos, and other sensitive data from the phone, an app is always part of the scheme. Some of these apps even impersonate well-known financial service brands.
- Xamalicious is an Android adware that has been downloaded more than 327,000 times from the Play Store. It abuses Android’s Accessibility service to click ads and download apps without user consent. It is built with the Xamarin framework, which adds another layer of obfuscation.
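As an added example for the MavenGate entry above (written for this page, not a real tool and not from the original article), the script below maps each dependency in a build file to the domain its group ID implies and flags domains that no longer resolve, which is the precondition for a MavenGate-style takeover. The build.gradle fragment is constructed, and the offline DNS answers in FAKE_DNS are made up for the demo; the two-label domain rule is an assumption that ignores multi-part public suffixes.

```python
"""
Map Maven/Gradle dependency group IDs to the domain their publisher had
to control, and flag domains that have lapsed. Not from any real tool.
"""
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed build.gradle fragment. The second coordinate is fictitious;
# the others are used only as examples of the ID shapes seen in the wild.
BUILD_GRADLE = """
dependencies {
    implementation 'com.squareup.okhttp3:okhttp:4.12.0'
    implementation "org.example-abandoned:legacy-utils:1.3.7"
    implementation 'io.github.someuser:tinylib:0.2.0'
    testImplementation 'junit:junit:4.13.2'
}
"""

COORD_RE = re.compile(r"""['"]([\w.\-]+):([\w.\-]+):([^'"]+)['"]""")

# Group IDs under these prefixes are verified through the code-hosting
# account, not a DNS domain, so domain expiry is not the takeover path.
REPO_HOSTED_PREFIXES = ("io.github.", "com.github.", "io.gitlab.", "com.gitlab.")


def registrable_domain(group_id: str) -> Optional[str]:
    """Reverse-DNS group ID -> domain the publisher had to prove control of.
    Assumption: the registrable domain is the first two labels reversed;
    multi-part public suffixes such as 'co.uk' are not handled here."""
    labels = group_id.split(".")
    if len(labels) < 2:
        return None  # legacy flat ID (e.g. 'junit'): no domain claim at all
    return ".".join(reversed(labels[:2]))


def dns_resolves(domain: str) -> bool:
    """Live check. Unresolvable is a strong signal that the domain lapsed;
    resolvable is NOT proof of safety (expired domains are often parked),
    so follow up with a WHOIS expiry and registrar check."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit(build_gradle: str,
          domain_exists: Callable[[str], bool] = dns_resolves) -> List[Dict[str, Optional[str]]]:
    """One finding per dependency coordinate found in the build file."""
    findings: List[Dict[str, Optional[str]]] = []
    for group, artifact, version in COORD_RE.findall(build_gradle):
        coord = f"{group}:{artifact}:{version}"
        if group.startswith(REPO_HOSTED_PREFIXES):
            findings.append({"coord": coord, "domain": None, "status": "repo-verified"})
            continue
        domain = registrable_domain(group)
        if domain is None:
            findings.append({"coord": coord, "domain": None, "status": "legacy-no-domain"})
            continue
        status = "ok" if domain_exists(domain) else "DOMAIN-UNRESOLVABLE"
        findings.append({"coord": coord, "domain": domain, "status": status})
    return findings


# Constructed offline answers so the demo runs without network access.
FAKE_DNS = {"squareup.com": True, "example-abandoned.org": False}


def demo_audit() -> List[Dict[str, Optional[str]]]:
    return audit(BUILD_GRADLE, lambda d: FAKE_DNS.get(d, False))


if __name__ == "__main__":
    for finding in demo_audit():
        print(f"{finding['status']:<22} {finding['coord']}  ({finding['domain']})")
```

A flagged domain is a lead, not a verdict: confirm expiry through WHOIS and check whether the group ID is still published. Independently, Gradle’s dependency verification (`./gradlew --write-verification-metadata sha256`) pins checksums of the artifacts you already build with, which catches a swapped existing release but not a malicious new release you later upgrade to.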
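As an added example for the AirDrop entry above (written for this page, not Apple’s code and not the forensic lab’s tool), the block below shows why an unsalted SHA-256 of a phone number is reversible by precomputation: the candidate space is small, so an attacker hashes every number once and looks the logged hash up. The numbering block, the “logged” hash and the salt are constructed, and the exact identifier normalization (E.164 string, no salt) is an assumption.

```python
"""
Why unsalted hashes of phone numbers fall to precomputation.
Not Apple's implementation; identifier normalization is assumed.
"""
import hashlib
from typing import Dict, Optional


def identifier_hash(identifier: str) -> str:
    """Plain SHA-256 over the identifier string, hex-encoded.
    Assumption: the identifier is hashed as an E.164 string
    ('+15551234567') or lowercase email with no salt or key;
    the real normalization may differ."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def salted_hash(identifier: str, salt: bytes) -> str:
    """What breaks the table: a secret the attacker does not hold.
    A contact-matching protocol cannot simply do this, since both peers
    must derive the same value, which is why researchers have proposed
    private set intersection for AirDrop instead of a salt."""
    return hashlib.sha256(salt + identifier.encode("utf-8")).hexdigest()


def build_phone_table(country_code: str, prefix: str, tail_digits: int) -> Dict[str, str]:
    """Precompute hash -> number for a constructed block of numbers.
    A real attack enumerates a national numbering plan (10^8-10^10
    entries) once, offline, and stores it compressed as a rainbow table."""
    table: Dict[str, str] = {}
    for n in range(10 ** tail_digits):
        number = f"+{country_code}{prefix}{n:0{tail_digits}d}"
        table[identifier_hash(number)] = number
    return table


def recover_sender(logged_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Look a hash found in the recipient's logs up in the table."""
    return table.get(logged_hash)


def demo() -> dict:
    # Constructed recipient-side log entry: only the sender's hash is stored.
    sender_number = "+15551234567"
    logged = identifier_hash(sender_number)
    table = build_phone_table("1", "555123", 4)  # 10,000 candidates
    return {
        "table_size": len(table),
        "recovered": recover_sender(logged, table),
        "recovered_if_salted": recover_sender(
            salted_hash(sender_number, b"per-session-secret"), table
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The same reasoning applies to any hashed low-entropy identifier (phone numbers, national ID numbers, short email local parts): a hash without a secret is a lookup key, not a protection.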