With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.

Threat info

  • ErrorFather campaign distributes a new Cerberus Android banking trojan variant. It can perform overlay attacks, keylogging, and VNC (screen sharing). This variant implements a multi-stage deployment to evade detection and utilizes a domain generation algorithm to increase resiliency against C2 server takedowns. 
  • Hardcoded and unprotected cloud service credentials are found in popular iOS and Android apps with millions of downloads. This flaw exposes critical infrastructure, such as Amazon Web Services (AWS) and Microsoft Azure resources, to potential attacks.
  • The LightSpy iOS implant highlights the importance of keeping systems up to date. It utilizes n-day exploits to deliver payloads and escalate privileges. This implant uses a rootless jailbreak that doesn’t survive a reboot, so periodic reboots might be helpful. The threat actors behind LightSpy are likely located in China.
  • The Lounge Pass scam campaign targets air travelers in Indian airports with Android SMS stealer malware. The fraudulent lounge app exfiltrates the victim’s SMS messages containing OTPs. Over 450 people were victimized, resulting in a loss of more than INR 9 lakhs (approx. $11,000).
  • The Necro trojan is discovered in the Google Play Store. The cumulative download counts of the infected apps are over 11 million. It can commit ad fraud, download and run additional code, install apps, create a tunnel through the infected device, and potentially subscribe to premium services. Notably, its loader uses steganography to hide the second-stage payloads. Necro has also been detected outside the official store in the modified versions of Spotify, Minecraft, and other popular apps.
  • Octo2, the new variant of Octo (also known as ExobotCompact), started to spread in Europe. This variant offers increased stability of remote-control sessions during device takeover (DTO) and improved evasion and anti-analysis techniques. The previous Octo version has been in the wild for a while and was fully exposed after its source code leaked.
  • Quishing attacks target electric car owners in Europe. Fraudsters stick malicious QR codes on top of legitimate ones at charging stations and redirect victims to phishing payment websites. Notably, there are claims that criminals might be using jammers to disrupt victims’ payment attempts from the charging app, which ultimately leads them to scan the fake QR code.
  • SilentSelfie, a watering hole campaign on Kurdish websites, distributes an Android spyware app to selected users and records images of them with the front camera.
  • SpyNote Android malware samples, DDoS attack tools, and phishing pages impersonating well-known brands were discovered inside a cybercriminal’s server. Additionally, phishing pages containing references to EagleSpy Android RAT indicate the possibility of malware usage other than SpyNote, and ransom notes in the server strongly suggest involvement in ransomware attacks.
  • The Strava sports social media app can be used to track three of the world’s most important leaders. They don’t use the app, but their security guards do.
  • TrickMo Android banking trojan collects user credentials from a wide range of mobile apps on infected devices. IP geolocation analysis shows that victims are mostly from Canada, the United Arab Emirates, Turkey, and Germany.
  • UNC5812, a suspected Russian hybrid espionage and influence operation against Ukraine’s mobilization efforts, distributes commercially available CraxsRAT Android spyware.
  • UniShadowTrade, a collection of fake trading apps built with the UniApp framework, targets iOS and Android users in so-called pig butchering scams in Asia-Pacific, Europe, the Middle East, and Africa. In pig butchering, cybercriminals lure victims into investing in high-return trades, initially letting them make high profits, but eventually stealing all their funds. Since such apps behave like typical trading apps, they remain undetected in conventional malware scans.
  • The fake WalletConnect app in Google Play drained over $70,000 worth of cryptocurrency from its victims. WalletConnect is an open-source protocol that connects cryptocurrency wallets to decentralized applications and enables interaction without sharing the wallets’ private keys.
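One defender-side check that the hardcoded-credential item above calls for, as an added example that is not from the original roundup or from the cited research: a small scanner that opens a zip-based app bundle (APK or IPA) and flags AWS access key IDs and Azure storage account keys in any member, reporting only a truncated token. The bundle contents, package name and key values are constructed placeholders.

```python
import io
import re
import zipfile

# Credential patterns commonly found hardcoded in app bundles. The AWS access key
# ID format (AKIA followed by 16 uppercase alphanumerics) is AWS's documented
# format; the Azure pattern targets the AccountKey field of a storage connection
# string (a long base64 value).
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "azure_storage_account_key": re.compile(rb"AccountKey=[A-Za-z0-9+/]{80,}={0,2}"),
}


def scan_app_bundle(bundle_bytes: bytes) -> list[dict]:
    """Scan every file inside a zip-based app bundle (APK or IPA) for credential
    patterns. Returns findings as {member, kind, match}; the matched token is
    truncated so the finding itself does not copy the secret into a report."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)  # raw bytes: works for dex, so, xml, json
            for kind, pattern in CREDENTIAL_PATTERNS.items():
                for m in pattern.finditer(data):
                    token = m.group(0).decode("ascii", "replace")
                    findings.append({"member": info.filename, "kind": kind,
                                     "match": token[:12] + "..."})
    return findings


def build_constructed_apk() -> bytes:
    """Build a tiny APK-like zip with constructed (fake) credential strings in a
    resource file, standing in for a real app package pulled from a store."""
    fake_aws_key = "AKIA" + "EXAMPLE000000001"  # constructed placeholder, not a real key
    fake_azure = ("DefaultEndpointsProtocol=https;AccountName=constructedacct;"
                  "AccountKey=" + "A" * 86 + "==;EndpointSuffix=core.windows.net")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='com.example.constructed'/>")
        zf.writestr("res/raw/config.json",
                    '{"aws_access_key_id": "%s", "azure": "%s"}' % (fake_aws_key, fake_azure))
        zf.writestr("classes.dex", b"dex\n035\x00 no credentials in this member")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_app_bundle(build_constructed_apk()):
        print(finding)
```

A hit on a published build means the key must be rotated on the cloud side, not just removed from the next app release, since every installed copy still carries it.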

Vulnerabilities & patches

  • Apple patched a VoiceOver accessibility feature vulnerability (CVE-2024-44204) and a media session vulnerability (CVE-2024-44207) in the iOS 18.0.1 release. The former could lead to saved passwords being read aloud, and the latter caused a few seconds of audio recording before the microphone indicator was turned on.
  • Qualcomm patched a use-after-free bug (CVE-2024-43047) in the DSP service that leads to memory corruption. There are indications that this flaw may be under limited, targeted exploitation.
  • Samsung patched an actively exploited zero-day vulnerability (CVE-2024-44068) in the October security update. This use-after-free flaw in the mobile processor leads to privilege escalation.

Intelligence reports

  • Joker, Anubis, and Hiddad were the top three mobile malware in September according to Check Point’s Most Wanted Malware report.
  • Zscaler ThreatLabz’s 2024 Mobile, IoT, and OT Threat Report found that mobile threats are becoming more targeted and sophisticated. The report shows a 29% increase in mobile banking malware attacks; ranked by transaction count, the most active families were Vultur, Hydra, Ermac, Anatsa (Teabot), Coper (Octo), and Nexus, in that order. It also indicates a drastic 111% increase in mobile spyware attacks.
  • Dr. Web reports increased malicious activity from fake apps and adware in Q3 2024 and presents the samples found in Google Play. The report also covers Android banking trojans targeting the users of an Indonesian bank and over a million backdoor-infected Android TV boxes in 197 countries.