With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.

Threat info

  • BingoMod Android banking trojan abuses Android’s accessibility service to carry out on-device fraud. It uses keylogging, SMS interception, and interactive remote screen sharing to drain the victim’s banking accounts, and it can perform on-device phishing with web injects (overlays). This malware is still under development.
  • Blankbot Android banking trojan, like many others, abuses Android’s accessibility service. It supports the major banking trojan features: injections, keylogging, screen recording, and on-device fraud. It can create custom injects and likely targets mobile banking users in Turkey. This malware is still under development.
  • Candiru’s mercenary spyware was used in an attempt to gain access to the mobile phone of a European Parliament member.
  • Chameleon Android banking trojan, disguised as the Customer Relationship Management (CRM) app of a Canadian restaurant chain operating internationally, targets employees of the chain in Canada and Europe (possibly in the UK and Spain). The cybercriminals likely aim to infect a corporate employee with access to corporate banking accounts so that a single fraud yields a larger amount. Financial organizations should account for the higher risk of mobile malware attacks against business accounts accessed from mobile devices.
  • Daggerfly threat group, also known as Evasive Panda and Bronze Highland, has updated its toolset. The new tools were first observed in attacks against organizations in Taiwan. Daggerfly uses a single shared library or framework to build malware for different platforms, including Android, and it is also capable of trojanizing Android apps.
  • ERIAKOS scam e-commerce campaign targets Facebook users through ad lures, and its scam websites are reachable only from mobile devices. Restricting access to mobile devices is likely meant to keep the scam websites out of reach of web scanners.
  • EvilVideo, a vulnerability in the Telegram app for Android, makes a malicious app shared in a chat appear as a video file in the victim’s chat view, which increases the chances of deceiving Telegram users into installing it. The flaw was fixed in app version 10.14.5.
  • Gigabud and Golddigger Android banking trojans are most likely developed by the same threat actor, given the many similarities in their source code. The threat actor has recently expanded its operations from Southeast Asia to other regions, including Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia.
  • GXC Team cybercriminal group mainly develops phishing kits and Android SMS-stealer malware and offers a subscription model for accessing them. Its current targets are mostly Spanish banks; however, phishing kits for a wide variety of companies (tax and governmental services, e-commerce, banks, and cryptocurrency exchanges) in the United States, the United Kingdom, Slovakia, and Brazil are also available.
  • Location-based dating (LBD) apps hold sensitive data. Researchers found that 6 out of 15 LBD apps leak the exact location of their users, which puts users at risk of physical harm.
  • LianSpy Android spyware targets users in Russia. It obtains root privileges and has features not typical of financially motivated spyware, which probably indicates a mercenary (spyware-for-hire) background. It exfiltrates sensitive data from the victim’s device, including personal files and instant messaging app data.
  • Life360, a family location-sharing safety app with international reach, leaked user data, including phone numbers, possibly through a flaw in its login API endpoint. 442,519 users were affected.
  • Mandrake Android spyware remained undetected in the Google Play Store since 2022 and was downloaded 32,000+ times in total, mostly from Canada, Germany, Italy, Mexico, Spain, Peru, and the UK. This latest version of Mandrake is equipped with improved defense evasion and anti-analysis techniques. Its main objectives are stealing user credentials and installing next-stage malicious apps.
  • Mobile Guardian, a device management app suite widely used in schools in Singapore, suffered a security breach. The cybercriminals unenrolled iOS devices from the platform and remotely wiped pupils’ learning devices; about 13,000 devices in Singapore were affected.
  • Ratel Android spyware, masquerading as the Hamster Kombat clicker game, targets Android users in Russia and is distributed via Telegram. It steals notifications from over 200 apps and subscribes to premium services at the victim’s expense. It can also check the victim’s account balance at a well-known bank.
  • Smishing Triad, a Chinese-speaking threat actor specializing in smishing, impersonates India Post in its latest campaign to steal debit/credit card information from iPhone users in India. Victims receive an iMessage with a URL to a phishing website that demands a small redelivery fee and harvests the card details entered to pay it.
  • SMS-stealer malware campaigns are on the rise. Threat actors impersonate top banking brands in India to lure mobile banking users into installing Android malware.
  • An SMS-stealer malware campaign spanning many countries was found to be the backbone of a virtual phone number service. Cybercriminals commonly use such services to receive SMS verification codes when registering fake accounts on legitimate websites and apps.
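Three of the trojans above (BingoMod, Blankbot, Chameleon) abuse Android’s accessibility service, so a first triage step on a suspect device is to list which accessibility services are actually enabled and compare them against what you expect. The helper below is an added example, not code from the roundup or from Verimatrix. It parses the value of the Android secure setting `enabled_accessibility_services` (a colon-separated list of flattened component names, as printed by `adb shell settings get secure enabled_accessibility_services`) and flags any service whose package is not on an allowlist. The allowlist and the sample setting value are constructed for illustration.

```python
"""Triage helper: flag Android accessibility services a banking trojan may be abusing.

Added example (not from the roundup or from Verimatrix). Input is the raw value of
the secure setting `enabled_accessibility_services`, e.g. from
    adb shell settings get secure enabled_accessibility_services
Entries are flattened ComponentNames: `pkg/fully.qualified.Class` or the short
form `pkg/.Class`, separated by ':'. An unset setting prints `null`.
"""
from dataclasses import dataclass

# Hypothetical allowlist of packages whose accessibility services are expected
# on a managed device; replace with the packages approved for your fleet.
ALLOWED_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",  # TalkBack screen reader
    "com.android.switchaccess",            # Switch Access
})


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    cls: str

    @property
    def component(self) -> str:
        return f"{self.package}/{self.cls}"


def parse_enabled_services(setting_value: str) -> list[AccessibilityService]:
    """Parse the raw setting into components.

    Handles `null` (setting unset), empty values, and the abbreviated
    `pkg/.Class` form, which Android expands to `pkg/pkg.Class`.
    Malformed entries (no '/') are skipped rather than aborting triage.
    """
    value = setting_value.strip()
    if not value or value == "null":
        return []
    services = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append(AccessibilityService(pkg, cls))
    return services


def flag_suspicious(services, allowed=ALLOWED_PACKAGES) -> list[str]:
    """Return component names whose package is not on the allowlist."""
    return [s.component for s in services if s.package not in allowed]


# Constructed sample: a legitimate screen reader plus an unknown app that has
# obtained accessibility permission (the pattern a dropper-installed trojan shows).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.unknown.vendor.app/.AccessService"
)

if __name__ == "__main__":
    found = parse_enabled_services(SAMPLE_SETTING)
    for comp in flag_suspicious(found):
        print("SUSPICIOUS accessibility service:", comp)
```

Anything flagged deserves a closer look (installer source, requested permissions, whether the package is signed by a known vendor); an empty allowlist match on a device that has no accessibility needs is itself a signal worth investigating.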

Vulnerabilities & patches

  • Apple patched a Siri vulnerability (CVE-2024-40818) in the iOS 17.6 release. The flaw allowed an attacker with physical access to a locked device to access sensitive user data via Siri.
  • CISA added CVE-2024-36971, a use-after-free vulnerability in the Linux kernel, to its Known Exploited Vulnerabilities Catalog; the bug could lead to remote code execution. It is fixed on Android devices at security patch level 2024-08-05 or later.

Intelligence reports