With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.
Threat info
- Authy two-factor authentication (2FA) app user data, including phone numbers, was leaked through an unauthenticated API endpoint. All users should update the app and watch out for phishing and smishing attacks. Later in the month, AT&T also announced a leak of mobile customers’ call logs from a third-party data breach that exposed a large set of valid phone numbers.
- AzraelBot Android banking trojan (ABT) targets mobile banking users globally with manual and automatic overlay attacks.
- A Craxs RAT Android malware campaign targeting mobile banking users in Singapore has been revealed. The campaign distributes fake mobile apps via phishing websites that impersonate local online shopping platforms and many small businesses.
- GuardZoo Android surveillanceware, attributed to a Yemeni, Houthi-aligned threat actor, targets military personnel in the Middle East. It can install a second-stage payload on the victim’s device. The initial malware delivery method is via WhatsApp, WhatsApp Business, and direct browser download.
- Konfety, a massive ad fraud campaign, uses a novel evil twin apps method to hide the fraudulent traffic.
- Medusa Android banking trojan (ABT), also known as TangleBot, evolved into a more compact version to evade detection while adding new capabilities such as overlay attacks and uninstalling applications. Threat actors distributing Medusa ABT were observed incorporating droppers into their delivery processes. Five Medusa campaigns targeting users in Turkey, Canada, the United States, Spain, France, Italy, and the United Kingdom were discovered.
- Mercenary spyware attack warnings were sent to iPhone users in 98 countries by Apple. A similar alert was sent to users in 92 countries in April. These sophisticated attacks are targeted, widespread, and often used for surveillance of journalists, activists, politicians, or diplomats by nation-states.
- OilAlpha threat group surveils humanitarian organizations in Yemen and, possibly, the broader Middle East with SpyNote Android spyware variants.
- Quishing attacks, which use malicious QR codes to redirect mobile users to phishing websites or trick them into downloading malware, have increased rapidly in 2024. A recent quishing campaign targets Chinese nationals with fake official government documents and deceives victims into disclosing their banking credentials for identity verification.
- Rafel RAT, an open-source remote administration tool, is often misused by threat actors for extortion (ransomware) and sensitive data theft (spyware), like one-time password (OTP) theft. Rafel RAT campaigns mainly target Android users in the United States, China, and Indonesia, but victims were found in other countries as well. Most victim devices (87.5%) run deprecated Android versions.
- Singpass accounts, the trusted digital identity for Singapore citizens and residents, are being stolen and sold on the dark web. The total number of underground vendors offering stolen Singaporean identity data has increased by 230%. It is observed that cybercriminals use Nexus ABT to steal Singpass credentials from Android devices, among other sources.
- Smishing attacks have increased by 7% in the US. Attacks related to the 2024 presidential election are on the rise.
- Smishing Triad, a Chinese-speaking threat actor specializing in smishing, impersonates postal companies such as India Post, Singapore Post, La Poste, and many more in its latest campaign. It uses compromised or generated iCloud accounts to distribute the phishing URLs via iMessage.
- Snowblind Android malware uses a repackaging technique that relies on the Linux kernel's seccomp feature to bypass apps' anti-tamper countermeasures and hide its accessibility service abuse. It targets Southeast Asia.
- SpyMax RAT disguised as the Telegram app was unmasked.
- SpyNote Android spyware samples masquerading as legitimate apps such as Google Translate, Temp Mail, and Deutsche Postbank were discovered in open directories.
- Transparent Tribe APT group updated CapraRAT to be able to target newer Android versions. The latest samples show that threat actors continue to use video browsing apps to distribute spyware and surveil their targets.
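The Snowblind item above describes seccomp being turned against an app's own anti-tamper code. As an added example (not Verimatrix's code and not taken from the Snowblind analysis), the C below shows the defensive side: an app's integrity check reading the `Seccomp` and `Seccomp_filters` fields from `/proc/self/status` and comparing them with a baseline it recorded on a trusted earlier run. Assumptions: a Linux procfs is available, the baseline values are stored by the app (here passed in as plain arguments), and the sample status text is constructed. One caveat a practitioner should know: Android itself installs a platform seccomp-bpf filter in app processes, so a non-zero `Seccomp` mode is normal there; only a change relative to the app's own baseline is a meaningful signal, which is why the check compares against a baseline rather than expecting zero.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Look up an integer-valued field (e.g. "Seccomp:") that starts a line in
 * /proc/<pid>/status text. Returns the value, or -1 if the field is absent. */
static long status_field(const char *text, const char *key)
{
    size_t klen = strlen(key);
    const char *line = text;
    while (line && *line) {
        if (strncmp(line, key, klen) == 0)
            return strtol(line + klen, NULL, 10);   /* strtol skips the tab */
        line = strchr(line, '\n');
        if (line)
            line++;                                /* advance to next line */
    }
    return -1;
}

/* Seccomp mode: 0 = disabled, 1 = strict, 2 = filter (seccomp-bpf); -1 if missing. */
long seccomp_mode_from_status(const char *text)
{
    return status_field(text, "Seccomp:");
}

/* Number of attached filters ("Seccomp_filters:", reported by Linux 5.9+); -1 if missing. */
long seccomp_filter_count_from_status(const char *text)
{
    return status_field(text, "Seccomp_filters:");
}

/* Read this process's own status file into buf. Returns bytes read, or -1 on failure. */
static long read_self_status(char *buf, size_t cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* Compare the current seccomp state with a previously recorded baseline.
 * Returns 1 if the mode or the filter count differs, 0 if both match. */
int seccomp_state_changed(const char *text, long baseline_mode, long baseline_filters)
{
    return seccomp_mode_from_status(text) != baseline_mode ||
           seccomp_filter_count_from_status(text) != baseline_filters;
}

/* Constructed sample status text (hypothetical package name, not real device output). */
static const char SAMPLE_BASELINE[] =
    "Name:\tcom.example.bank\nPid:\t1234\nSeccomp:\t2\nSeccomp_filters:\t1\n";
/* Same process later, with one more filter attached than the baseline recorded. */
static const char SAMPLE_EXTRA[] =
    "Name:\tcom.example.bank\nPid:\t1234\nSeccomp:\t2\nSeccomp_filters:\t2\n";

int main(void)
{
    char buf[16384];
    if (read_self_status(buf, sizeof buf) < 0) {
        puts("no /proc/self/status available (not Linux?)");
    } else {
        printf("this process: Seccomp=%ld Seccomp_filters=%ld\n",
               seccomp_mode_from_status(buf), seccomp_filter_count_from_status(buf));
    }
    long base_mode = seccomp_mode_from_status(SAMPLE_BASELINE);
    long base_filters = seccomp_filter_count_from_status(SAMPLE_BASELINE);
    printf("constructed sample changed vs baseline: %d\n",
           seccomp_state_changed(SAMPLE_EXTRA, base_mode, base_filters));
    return 0;
}
```

A real integrity check would record the baseline once under trusted conditions (for example at first launch after install), store it with the rest of its tamper-evidence state, and treat a later mismatch as one input to its decision, alongside signature and environment checks, rather than as proof on its own.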
Vulnerabilities & patches
- Apple patched an authentication flaw (CVE-2024-27867) in AirPods firmware that enables an attacker in Bluetooth range to connect AirPods and eavesdrop on conversations.
- A severe 5G AKA bypass vulnerability, which allows an attacker to monitor victims’ Internet traffic and send phishing SMS messages, was discovered in one of the globally used 5G basebands.
- Popular iOS dependency manager CocoaPods patched three vulnerabilities (CVE-2024-38366, CVE-2024-38367, and CVE-2024-38368). These vulnerabilities can be exploited to acquire ownership of many unclaimed projects and add malicious code to thousands of iOS applications (supply chain attacks).
- GitLab patched critical vulnerabilities (CVE-2024-5655 and CVE-2024-6385) that allow an attacker to run a pipeline as another user under certain circumstances.
Intelligence reports
- The ESET Threat Report H1 2024 indicates steady Android banking trojan and cryptostealer detections with the continuous evolution of malware families and their methods over the past two years. It also reports two significant developments in the mobile threat landscape: A sophisticated financial threat in Southeast Asia, GoldDiggerPlus ABT, expanded to Latin America and South Africa, and the GoldPickaxe iOS version is distributed through a complex social engineering scheme that persuades victims to install a Mobile Device Management (MDM) profile.
- Anubis, AhMyth, and Hydra in May, and Joker, Anubis, and AhMyth in June, were the top three mobile malware families according to Check Point’s Most Wanted Malware Report.