This VMX Labs Cybersecurity Threat Roundup, compiled by Verimatrix cybersecurity researchers and data scientists, focuses on mobile apps and connected, unmanaged devices. It includes links to notable threat advisories from the last month, information on vulnerabilities and patches, and links to recent intelligence reports.

Threat info

  • Anatsa Android banking trojan, also known as TeaBot, spreads via the Google Play Store. Two malicious apps (a PDF reader and a QR reader) with over 70,000 combined downloads were identified. The apps are benign at install time and fetch the Anatsa payload later, so that they pass store review and evade detection. Once active, Anatsa steals banking credentials and financial information from the victim's financial apps, mainly through overlay attacks and abuse of the Android accessibility service. Anatsa campaigns historically targeted mobile banking users in the US and UK; they have recently expanded to Germany, Spain, Finland, South Korea, and Singapore.
  • Antidot, a newly discovered Android banking trojan, is distributed as a fake Google Play update app with localized versions in multiple languages. It can perform overlay attacks, keylogging, and remote device control over VNC (virtual network computing).
  • The Arid Viper APT group embeds spyware into legitimate apps and uses these trojanized apps in espionage campaigns against targets in Egypt and Palestine.
  • A Bankbot Android banking trojan campaign targets mobile banking users in Uzbekistan.
  • CraxsRAT, an advanced variant of SpyNote, is actively used in Latin America to attack mobile banking and financial service apps. Threat actors impersonate well-known bank and telecommunications brands to lure Android users into installing malicious fake apps.
  • The GitCaught campaign, run by Russian-speaking threat actors, abuses legitimate internet services such as GitHub to distribute a collection of malware families. The malware delivered is selected according to the victim device's operating system and CPU architecture; on Android, the Octo banking trojan is delivered.
  • Mobile app source code repositories of the New York Times, including the popular Wordle game and The Athletic sports news app, were leaked in a data breach. Leaked source makes it easier to build convincing repackaged versions of these apps, so users should install them only from the official app stores and be wary of look-alike copies.
  • Operation Celestial Force deploys the GravityRAT Android malware for espionage and surveillance against high-value targets in India. The campaign is run by the Pakistani threat actor Cosmic Leopard.
  • The pcTattletale stalkerware app was found installed on hotel check-in systems, where it exposed guests' reservation information. It is available for Windows and Android and records device screens for remote viewing. Beyond its abusive use, the app's backend API has a critical flaw that lets an attacker retrieve the most recent screen recordings from monitored devices.
  • Telecom operators' smishing protections can be bypassed with a homemade cellphone tower: because it delivers SMS directly to nearby handsets, the messages never pass through the operator's network-side filters. Two suspects were arrested; the technique is considered the first of its kind in the UK.
  • SpyNote Android spyware masquerading as an Avast antivirus app is distributed via legitimate-looking fake websites.
  • The Storm-0539 threat actor targets US retail employees with smishing messages on both their personal and work mobile devices, as an entry point for gift card and payment card fraud.
  • The Vultur Android banking trojan, disguised as security apps from well-known brands, is used against Finnish mobile banking users.

Vulnerabilities & patches

  • Apple's iOS 17.5.1 fixed a bug in the Photos library that caused photos deleted long ago to reappear in the Photos app. According to Apple, only photos that had experienced database corruption, and therefore persisted on the device despite being deleted, were affected. The privacy-relevant point is that "deleted" data was still present on the device.
  • A zero-day vulnerability in the TikTok app was exploited for account takeover; the accounts of CNN, Sony, and Paris Hilton were among those compromised.
  • CISA added CVE-2024-4610, a use-after-free vulnerability in the Arm Mali GPU kernel driver, to its Known Exploited Vulnerabilities Catalog. Arm patched the flaw in version r41p0 of the Bifrost and Valhall GPU kernel drivers; devices with affected Mali GPUs remain exposed until their vendor ships the updated driver.
  • Google patched an actively exploited vulnerability (CVE-2024-32896) for Pixel devices in the June 2024 update (security patch level 2024-06-01). It completes the partial fix previously shipped for CVE-2024-29748. Although the fix is currently available only for Pixel models, the underlying issue affects all Android devices.

Intelligence reports