With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.
Threat info
- Coper and Octo, the Exobot Android banking trojan descendants, are being used actively to target online banking users in Portugal, Spain, Turkey, and the United States. They implement standard attack techniques for advanced Android banking malware and abuse Android’s accessibility service. The notable techniques are overlay attacks, keylogging, screen sharing for remote access, and controlling SMS and push notifications.
- CriminalMW Android banking trojan targets 10 Brazilian banks through the PIX instant payment platform. This fast-evolving threat is the third edition of the malware family, previously GoatRAT and FantasyMW, from the same threat actor in a year. It mainly uses an Automated Transfer System (ATS) enabled by accessibility service abuse to execute a PIX transaction from the victim’s banking app. It is offered on a rental basis for $5000 per month.
- eXotic Visit espionage campaign deploys open-source XploitSPY malware to target high-risk individuals, mainly in Pakistan and India. It masquerades as a legitimate messaging app and sometimes manages to infiltrate the Google Play Store. Very low download numbers in the Play Store indicate the targeted nature of this campaign.
- Fake Leather Wallet app is found in the Apple App Store. It is a crypto drainer designed to steal the victim’s passphrase and transfer all digital assets to a cybercriminal-controlled wallet. The fake app was removed from the official store after being available for over two weeks. Crypto drainers have become very common in the last few years with the increased popularity of cryptocurrencies, and their presence in the official app stores is alarming.
- FlexStarling Android spyware is distributed by the threat actor Starry Addax to target human rights activists in North Africa.
- The Hornet dating app used to leak the location of its users within 10 meters of accuracy, even if they didn’t enable the location-sharing feature. Recent updates reduced the location accuracy to 50 meters to mitigate the risk.
- Multi-factor authentication fatigue attacks have been reported by several iPhone users recently. It turns out that a bug in the password reset feature enabled attackers to send a flood of Apple ID password reset notifications.
- Pegasus commercial spyware continues to be a primary tool to spy on high-risk iPhone users.
- PixPirate, a specialized Android banking trojan targeting the PIX instant payment platform in Brazil, carries out a new defense evasion technique to suppress its launcher icon from being displayed to the victim. Android 10 introduced countermeasures to prevent malicious applications from suppressing their launcher icon, but threat actors found a new way to circumvent these changes.
- The PROXYLIB operation was found to span 28 malicious VPN apps in the Google Play Store that turn users’ phones into proxy nodes without informing them. This is a common monetization technique for free VPN apps, and cybercriminals usually purchase access to these proxy networks to hide the origin of their operations.
- Venmo, a popular payment app, is being misused to distribute phishing e-mails.
- Vultur, an Android banking trojan, has a new variant that offers better control of the infected device by abusing the accessibility service and improved defense evasion techniques. A significant new technique to keep it under the radar is to use the official Android Accessibility Suite’s package name for its accessibility service.
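Several of the items above (Coper/Octo, CriminalMW, Vultur) rely on an enabled accessibility service, and the Vultur entry notes that the service is disguised with the Android Accessibility Suite’s package name. The following Python triage helper is an added example written for this roundup, not code from Verimatrix or from any of the cited vendors. It parses the value of the `enabled_accessibility_services` secure setting (the `package/class` list a device prints for `adb shell settings get secure enabled_accessibility_services`) together with a constructed map of installed packages and their signing-certificate digests, and flags enabled services that (a) belong to a package that is not installed, (b) use a known accessibility-tool package name but an unexpected signer, (c) borrow a known tool’s class namespace from another package, or (d) simply fall outside an allowlist and need manual review. The allowlist, the signer digests and all sample entries are assumptions and constructed placeholders; replace them with values recorded from a trusted device.

```python
from dataclasses import dataclass

# Assumption: the Android Accessibility Suite (TalkBack) is published under this
# package name; any other package whose service borrows the name is suspect.
KNOWN_ACCESSIBILITY_PACKAGES = {"com.google.android.marvin.talkback"}

# Constructed placeholders standing in for the real signing-certificate digests
# you would record from a trusted device (e.g. with apksigner).
EXPECTED_SIGNERS = {"com.google.android.marvin.talkback": "SHA256_PLACEHOLDER_GOOGLE"}

REASON_NOT_INSTALLED = "enabled service refers to a package that is not installed"
REASON_BAD_SIGNER = "known accessibility package name but unexpected signing certificate"
REASON_IMPERSONATION = "service class borrows a known accessibility tool namespace from another package"
REASON_REVIEW = "accessibility service enabled for a package outside the allowlist; review manually"


@dataclass(frozen=True)
class Finding:
    component: str
    reason: str


def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Split 'pkg/cls:pkg/cls' into (package, class) pairs, expanding '.Cls' shorthand."""
    pairs = []
    for raw in setting_value.strip().split(":"):
        if not raw:
            continue
        pkg, _, cls = raw.partition("/")
        if cls.startswith("."):
            # Android allows a class relative to the package, e.g. 'com.foo/.Svc'
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def triage(setting_value: str, installed: dict[str, str]) -> list[Finding]:
    """installed maps package name -> signing-certificate digest of the installed APK."""
    findings = []
    for pkg, cls in parse_enabled_services(setting_value):
        component = f"{pkg}/{cls}"
        if pkg not in installed:
            findings.append(Finding(component, REASON_NOT_INSTALLED))
        elif pkg in KNOWN_ACCESSIBILITY_PACKAGES:
            # Right package name: only accept it if the installed APK has the expected signer.
            if installed[pkg] != EXPECTED_SIGNERS[pkg]:
                findings.append(Finding(component, REASON_BAD_SIGNER))
        elif any(cls.startswith(known + ".") for known in KNOWN_ACCESSIBILITY_PACKAGES):
            # Class name lives in a well-known tool's namespace but is declared by another package.
            findings.append(Finding(component, REASON_IMPERSONATION))
        else:
            findings.append(Finding(component, REASON_REVIEW))
    return findings


# Constructed sample: one genuine TalkBack entry plus three that warrant attention.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fake.update/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.notes/.HelperService:"
    "com.example.reader/.ReaderService"
)
SAMPLE_INSTALLED = {
    "com.google.android.marvin.talkback": "SHA256_PLACEHOLDER_GOOGLE",
    "com.example.fake.update": "SHA256_PLACEHOLDER_UNKNOWN_1",
    "com.example.reader": "SHA256_PLACEHOLDER_UNKNOWN_2",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SETTING, SAMPLE_INSTALLED):
        print(f"{finding.component}: {finding.reason}")
```

Run against the constructed sample, the genuine TalkBack entry produces no finding, while the other three entries are reported with their respective reasons. On a real device the signer check is the one that matters: a package name alone proves nothing, because any app can be named to look like a system accessibility tool, but it cannot reproduce the publisher’s signing certificate.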
Vulnerabilities & patches
- Google patched two actively exploited zero-days (CVE-2024-29745 and CVE-2024-29748) that are used by forensic firms to unlock Pixel phones without a PIN and access personal data. The security patch level of 2024-04-05 or later addresses both.
Intelligence reports
- Verimatrix published a guide that addresses the latest OWASP Mobile Top 10 vulnerabilities and how developers can secure their mobile apps against evolving threats.
- Doctor Web’s January and February 2024 reports show a surge in Android HiddenAds adware activity, while Android banking trojan activity first increased by 17% in January and then decreased by 19% in February. The January report also discloses a few fraudulent apps in the Google Play Store.
- Malwarebytes reports that the company detected 88,500 Android banking malware infections in 2023.
- Kaspersky’s State of Stalkerware in 2023 Report shows a slight increase (6%) in stalkerware victims, with a total of 31,031 unique cases last year. They were mostly in Russia, Brazil, and India. The most popular stalkerware app was TrackView.
- Anubis, AhMyth, and Hydra were the top three mobile malware families in February 2024, according to Check Point’s Most Wanted Malware Report.
- Kaspersky published a summary of its three private intelligence reports on Android malware.
- Recorded Future’s report indicates that there is a clear link between i-SOON, a contractor of Chinese state agencies for foreign hacking and espionage campaigns, and POISON CARP, a suspected Chinese state-sponsored threat actor that spies on the mobile devices of Tibetans.
- Google and Mandiant’s “A review of zero-day in-the-wild exploits in 2023” report states that 75% of the known zero-day exploits targeting Google products and Android devices in 2023 were attributed to commercial surveillance vendors.