With a special focus on mobile apps and connected, unmanaged devices, this Cybersecurity Threat Roundup is compiled by Verimatrix Cybersecurity researchers and data scientists. It includes links to notable threat advisories over the past 30 days, information on vulnerabilities and patches, and links to recent intelligence reports.
Threat info
- A new variant of the GoatRAT Android banking trojan, which targets the PIX instant payment system in Brazil, has been discovered.
- Chameleon is an emerging Android banking trojan that has targeted users in Poland and Australia since January 2023. It provides the basic functionality of a banking trojan, including overlay attacks and keylogging.
- The DAAM Android botnet has been active since 2021. In addition to a rich set of spying features, it also provides a binding service that repackages legitimate apps with malicious code.
- Goldoson adware infiltrated more than 60 Android apps in a supply chain attack. These apps had been downloaded more than 100 million times in South Korea.
- Hiddad was the third most popular mobile malware in March 2023 according to Check Point Research. It repackages legitimate apps and then distributes them via third-party stores.
- The Kyocera mobile printing app, with more than a million installs, has a vulnerability that can be abused to download malicious files or apps to the device without any user notification.
- Microsoft Threat Intelligence has linked the powerful iOS malware deployed by a zero-click malicious calendar invitation to the mobile spyware vendor QuaDream.
- Minecraft-like mobile video games, collectively downloaded more than 35 million times, were removed from the Google Play Store due to advertising fraud.
- According to Citizen Lab's comprehensive investigation, NSO Group customers deployed at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets around the world in 2022 using the infamous Pegasus spyware.
- The Strava fitness app leaks users' location information even when they have explicitly enabled its special in-app protection features.
- The Federal Communications Commission (FCC) and the FBI's Denver office issued a standard warning about data theft when plugging a mobile device into a public charging station, known as juice jacking.
- The Montana House of Representatives passed a bill to ban the TikTok app on all personal devices.
- WhatsApp, LinkedIn, Booking and many other very popular Android applications are in danger of being compromised via highly privileged device migration tools. The root cause is that these apps do not invalidate or revalidate session cookies when app data is transferred from one device to another.
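The device-migration weakness in the last item above, shown from the defender's side as an added example (not code from the original roundup or from any of the apps named): the server binds each session cookie to a secret the app keeps in non-migratable keystore storage and revokes the session as soon as a cookie arrives without proof of that secret. The HMAC-based device secret is a stand-in for a hardware-backed asymmetric key, and the class, function names and sample user are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

class SessionServer:
    """Session store binding each session to a device secret. The secret stands
    in for a non-exportable keystore key that device migration does not copy
    (this example's assumption); the app must never keep it in migratable data."""

    def __init__(self):
        self._sessions: Dict[str, dict] = {}  # session cookie -> user + secret

    def login(self, user: str) -> Tuple[str, bytes]:
        sid = secrets.token_hex(16)
        device_secret = secrets.token_bytes(32)
        self._sessions[sid] = {"user": user, "device_secret": device_secret}
        return sid, device_secret

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def authorize(self, sid: str, nonce: bytes, proof: bytes) -> Optional[str]:
        """Return the user if the caller proves possession of the bound secret;
        otherwise revoke the session (cookie without secret = migrated/stolen)."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        expected = hmac.new(entry["device_secret"], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            del self._sessions[sid]
            return None
        return entry["user"]

def device_prove(device_secret: Optional[bytes], nonce: bytes) -> bytes:
    # App-side proof; a device lacking the secret can only send a placeholder.
    if device_secret is None:
        return b"\x00" * 32
    return hmac.new(device_secret, nonce, hashlib.sha256).digest()

def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    server = SessionServer()
    sid, secret = server.login("alice")      # constructed sample user
    n1 = server.challenge()                  # original device: cookie + secret
    on_origin = server.authorize(sid, n1, device_prove(secret, n1))
    n2 = server.challenge()                  # migrated copy: cookie only
    on_target = server.authorize(sid, n2, device_prove(None, n2))
    n3 = server.challenge()                  # session now revoked everywhere
    after = server.authorize(sid, n3, device_prove(secret, n3))
    return on_origin, on_target, after       # ("alice", None, None)
```

Revoking on the first failed proof is a deliberate choice: a cookie that shows up without its secret is evidence of copied app data, so the original device is logged out too rather than left sharing a session with an unknown copy.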
Vulnerabilities & patches
- Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution.
- CISA adds CVE-2023-28205 and CVE-2023-28206, two zero-day vulnerabilities exploited by spyware, to its Known Exploited Vulnerabilities catalog. Both issues were addressed in iOS 16.4.1 and iOS 15.7.5.
- CISA adds CVE-2023-26083, a zero-day vulnerability abused by an unnamed spyware vendor as part of an exploit chain to break into Samsung's Android smartphones. It was fixed in version r43p0 of the Arm Bifrost, Valhall and Avalon GPU kernel drivers.
- CISA adds CVE-2023-20963 to its catalog of known exploited vulnerabilities. It is an Android zero-day vulnerability exploited by the Pinduoduo app to spy on its own users, and it was addressed in the Android 2023-03-01 security patch level.
Intelligence reports
- VMX Labs published a detailed overview of the ever-growing overlay attacks on mobile apps.
- 92% of remote workers perform work tasks on personal mobile devices according to The State of Remote Work Security Report.
- 54% (7.5k) of the 14k U.S.-registered likely child-directed apps in the Apple App Store were found likely to be non-compliant with the Children’s Online Privacy Protection Act (COPPA). COPPA is a U.S. federal law to protect the privacy of children under the age of 13 on the internet.
- Conversational attacks, also known as pig butchering, were the fastest growing mobile threat in 2022.
- Mobile spyware continues to evolve. Researchers published a technical analysis of two spyware attacks infecting iPhones.
- App threats were a contributing factor in 46% of the mobile-related security breaches according to the Verizon Mobile Security Index 2022 report.
- The Android Security and Privacy team announced that Google banned 173,000 malicious developer accounts, prevented 1.43 million policy-violating apps from being published on the Google Play Store, and stopped more than $2 billion worth of fraudulent and abusive transactions in 2022.