With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.
Threat info
- Brokewell, an Android banking trojan, has extensive device-takeover capabilities even though it is still in active development and receives updates daily. Like most Android banking malware, it performs overlay attacks and abuses the accessibility service to read screen content and inject input. Its operators also built a loader that bypasses the Android 13+ restricted-settings countermeasure (which blocks sideloaded apps from enabling accessibility services) and released it publicly, so the bypass is available to other malware authors.
- Dirty Stream is an attack pattern that exploits a path traversal weakness found in popular Android applications with more than four billion combined installs from Google Play. A malicious app shares a file through its own content provider and reports a crafted file name; a receiving app that builds the destination path from that name writes the attacker's content outside the intended folder and can overwrite files in its private data directory. Depending on what the overwritten file controls in the vulnerable app, this escalates to arbitrary code execution (for example, a replaced native library) or token theft (for example, a rewritten configuration that points the app at an attacker-controlled server).
- A LightSpy iOS spyware campaign targets South Asia, probably India. The implant steals personal documents and data from apps, covertly records ambient audio from the microphone and takes pictures with the camera, monitors user activity, and retrieves sensitive data from the device's secure storage.
- Masquerading as a well-known app remains the most common way Android remote access trojans get installed. Some rely on on-device phishing as their main attack vector: after obtaining accessibility-service and device-admin permissions, they periodically display fake login forms of the targeted brands over the screen to steal credentials.
- Apple sent mercenary-spyware attack notifications to iPhone users in 92 countries. These attacks are highly targeted and expensive; nation-state customers typically use them to surveil journalists, activists, politicians, and diplomats.
- Bribes to perform illegal SIM swaps are being offered to employees of US telecommunications companies. After a swap, the attacker receives the victim's SMS-delivered two-factor authentication codes and uses them to take over the victim's accounts.
- Smishing campaigns using unpaid-toll lures have been observed in three US states.
- SoumniBot, an Android banking trojan, targets mobile banking users in Korea. Its developers obfuscated the APK manifest (AndroidManifest.xml) in unconventional ways that off-the-shelf analysis tools cannot parse, so the sample evades automated detection even though Android itself still installs it. Notably, it locates and exfiltrates the digital certificates that Korean banks issue to customers for logging in to online banking and authorising transactions.
- The Storm-0539 threat actor targets employees of US retailers with sophisticated phishing on both personal and work mobile devices. Once an employee's credentials are compromised, the adversary gathers information on the business network to identify the gift-card issuance process, then pivots to the specific employees whose accounts allow it to create fraudulent gift cards.
- A Vultur Android banking trojan campaign targets mobile banking users in Finland.
- Wpeeper, an Android trojan, uses compromised WordPress sites as proxies in front of its real command-and-control (C2) servers, which makes the C2 infrastructure hard to track. It is delivered through repackaged apps: a small implant inside the repackaged app downloads the malicious payload. The campaign stopped abruptly four days after it was first observed, so the threat actor's intentions remain unclear.
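The Dirty Stream item above is easiest to understand from the receiving side. The following is an added example, written for this roundup and not taken from the page or from any of the affected apps: a Java share target for Android that first shows the vulnerable pattern (building a write path from the DISPLAY_NAME that the sending app's content provider reports) and then a hardened version that never uses the remote name as a path. `ShareTargetHandler`, `handleIncomingShare` and the `imports` directory name are assumptions for illustration; the Android APIs used (`ContentResolver.query`, `OpenableColumns.DISPLAY_NAME`, `openInputStream`, `getFilesDir`) are real.

```java
// Added example (not from the page or any named app): how the Dirty Stream
// pattern arises in an Android share target, and how to confine the write.
// Assumed scenario: this app receives ACTION_SEND with a content:// URI in
// EXTRA_STREAM from another, possibly malicious, app.
import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.UUID;

public final class ShareTargetHandler {

    // Hypothetical entry point, called from the Activity that declared the
    // ACTION_SEND intent filter.
    public static File handleIncomingShare(Context ctx, Intent intent) throws IOException {
        Uri uri = intent.getParcelableExtra(Intent.EXTRA_STREAM);
        if (uri == null || !ContentResolver.SCHEME_CONTENT.equals(uri.getScheme())) {
            throw new IOException("no content:// stream in intent");
        }
        return saveSharedFileSafe(ctx, uri);
    }

    // VULNERABLE (the pattern behind Dirty Stream): DISPLAY_NAME is whatever the
    // sending app's content provider returns. A value such as
    // "../shared_prefs/config.xml" makes dest resolve outside the intended
    // folder and overwrites a file in this app's private data directory.
    static File saveSharedFileUnsafe(Context ctx, Uri uri) throws IOException {
        String name = queryDisplayName(ctx.getContentResolver(), uri);
        File dest = new File(ctx.getFilesDir(), name);
        copyStream(ctx.getContentResolver(), uri, dest);
        return dest;
    }

    // HARDENED: store under a generated name inside a dedicated directory and
    // keep the remote name only as sanitised metadata, never as a path.
    static File saveSharedFileSafe(Context ctx, Uri uri) throws IOException {
        File importDir = new File(ctx.getFilesDir(), "imports");
        if (!importDir.isDirectory() && !importDir.mkdirs()) {
            throw new IOException("cannot create import directory");
        }
        File dest = new File(importDir, UUID.randomUUID().toString());
        assertInside(importDir, dest);
        copyStream(ctx.getContentResolver(), uri, dest);
        String shownName = sanitizeDisplayName(queryDisplayName(ctx.getContentResolver(), uri));
        // shownName may be persisted next to dest (e.g. in a database) for display only.
        return dest;
    }

    // Reduce an untrusted display name to a single safe component for UI use.
    static String sanitizeDisplayName(String untrusted) {
        if (untrusted == null || untrusted.isEmpty()) return "unnamed";
        int cut = Math.max(untrusted.lastIndexOf('/'), untrusted.lastIndexOf('\\')) + 1;
        String cleaned = untrusted.substring(cut).replaceAll("[^A-Za-z0-9._-]", "_");
        if (cleaned.isEmpty() || cleaned.equals(".") || cleaned.equals("..")) return "unnamed";
        return cleaned.length() > 255 ? cleaned.substring(0, 255) : cleaned;
    }

    // Defence in depth: the canonical path must stay under baseDir. This also
    // catches symlink tricks and any later change that reintroduces a remote name.
    static void assertInside(File baseDir, File candidate) throws IOException {
        String base = baseDir.getCanonicalPath() + File.separator;
        if (!candidate.getCanonicalPath().startsWith(base)) {
            throw new IOException("path escapes " + base);
        }
    }

    static String queryDisplayName(ContentResolver resolver, Uri uri) {
        String[] projection = {OpenableColumns.DISPLAY_NAME};
        try (Cursor c = resolver.query(uri, projection, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                int idx = c.getColumnIndex(OpenableColumns.DISPLAY_NAME);
                if (idx >= 0) return c.getString(idx);
            }
        }
        return null;
    }

    static void copyStream(ContentResolver resolver, Uri uri, File dest) throws IOException {
        try (InputStream in = resolver.openInputStream(uri);
             OutputStream out = new FileOutputStream(dest)) {
            if (in == null) throw new IOException("provider returned no stream");
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        }
    }
}
```

The severity of the unsafe variant depends entirely on which file the attacker can reach: overwriting a shared-preferences XML can redirect the app to an attacker-controlled backend (token theft), while overwriting a native library that the app loads later gives code execution. That is the "depending on the vulnerable app's implementation" caveat in the item above. When auditing an app for this pattern, search for every place a `content://` URI's DISPLAY_NAME (or a file name taken from an Intent extra) flows into a `File` constructor.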
Vulnerabilities & patches
- CISA added CVE-2023-7028, an improper access control vulnerability in GitLab CE/EE, to its Known Exploited Vulnerabilities Catalog. It lets an unauthenticated attacker have a user's password-reset email delivered to an attacker-controlled address and take over that account with no user interaction; accounts with two-factor authentication enabled cannot be logged into this way, although their password can still be reset. All self-managed GitLab installations should be patched urgently (fixed in 16.7.2, 16.6.4, 16.5.6, 16.4.5, 16.3.7, 16.2.9 and 16.1.6). Administrators should also check the Rails logs for password-reset requests whose email parameter is a JSON array of several addresses, which is the exploitation signature, and rotate credentials and tokens on any instance that was exposed unpatched. A compromised GitLab account or instance is a direct path into an organization's source code and CI/CD pipelines, and therefore into software supply chain attacks.
- Android leaks DNS queries in certain scenarios, notably while a VPN app is reconfiguring its tunnel and when the VPN is configured without its own DNS server, even when the Always-on VPN and Block connections without VPN options are enabled.
- 20 vulnerabilities across various applications and system components of Xiaomi devices were disclosed by Oversecured; several allow a malicious app on the device to reach privileged components or read other apps' data. Xiaomi users should apply the latest updates.
- Apple backported the fix for CVE-2024-23296, a zero-day in the RTKit real-time OS that was exploited in the wild before being patched in iOS 17.4, to older iPhones in iOS 16.7.8. The bug lets an attacker who already has arbitrary kernel read and write capability bypass kernel memory protections, so it is a post-exploitation link in an attack chain rather than an initial entry point. Apple addressed it with improved validation.
Intelligence reports
- Recorded Future reports that the risk of a "mobile NotPetya" incident, self-propagating mobile malware spreading through zero-click exploits, is growing.
- In 2023 the Android Security and Privacy team banned 333,000 malicious developer accounts and prevented 2.28 million policy-violating apps from being published on Google Play, increases of 92% and 59% respectively over the previous year. In addition, nearly 200,000 app submissions were rejected or remediated to stop misuse of sensitive permissions such as background location or SMS access.
- Kaspersky's Financial Cyberthreats in 2023 report covers three main attack vectors: phishing, PC malware, and mobile malware.
- Kaspersky presents the privacy risks of children’s mobile apps.
- The Citizen Lab’s report shows that 8 out of 9 vendor’s cloud-based Chinese pinyin keyboard apps have simple security flaws that an attacker can exploit to reveal the contents of users’ keystrokes in transit. Up to one billion users are estimated to be vulnerable.
- Which?, the largest consumer rights organization in the UK, published its assessment results on the websites and mobile apps of the 13 largest account providers in the UK. The highest scorers for mobile banking apps were HSBC (78%) and Barclays (74%).
- Anubis, AhMyth, and Cerberus were the top three mobile malware in March 2024, according to Check Point’s Most Wanted Malware Report.
- Doctor Web’s review of virus activity on mobile devices in the 2023 report states that they found over 400 malicious apps with total downloads of at least 428 million in the Google Play Store last year.