With a special focus on mobile apps and connected, unmanaged devices, this Cybersecurity Threat Roundup is compiled by Verimatrix Cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.
Threat info
- A cumulative total of 451 million downloads of spyware-infected apps points to a large-scale, sophisticated supply chain attack campaign in the Android ecosystem: the so-called SpinOk spyware was distributed as a third-party SDK that legitimate developers embedded in their apps. Initially 101 infected apps were reported; a later discovery added 193 more to the list.
- AhRat, a variant of the open-source AhMyth Android RAT, was discovered in a trojanized version of the iRecorder – Screen Recorder app. The trojanized app was most likely used for espionage.
- Bogus QR codes posted at small businesses in Singapore were used by cybercriminals to deliver malicious Android apps carrying a banking trojan; once installed, the malware drained the victims' bank accounts. At least 113 victims in Singapore have lost $445,000 to such phishing scams since March.
- BouldSpy is Android spyware developed and actively used by Iranian law-enforcement agencies. In addition to the usual spyware features, it can record voice calls made through 16 different VoIP apps.
- The BrutePrint attack cracks the fingerprint authentication of Android devices with roughly $15 worth of equipment by exploiting weaknesses in how the devices limit failed fingerprint attempts, which lets an attacker submit fingerprint images indefinitely. Researchers demonstrated the attack on eight different Android phone models; it took between 45 minutes and 14 hours per device. The attack requires physical access to the phone, after which the attacker can unlock the screen, authorize payments in apps, and so on.
- DogeRAT Android malware targets people in India via counterfeit versions of popular entertainment, social media and messaging apps.
- Fleckpe is a new Android trojan family that stealthily subscribes victims to paid services owned by the attackers. Researchers found eleven infected apps on Google Play, which had been installed on more than 620,000 devices.
- Fluhorse is recently discovered Android malware whose malicious functionality was developed entirely with the open-source Flutter framework. The framework not only makes analysis and detection of the malware harder (the app logic is compiled Dart code rather than Java/Kotlin bytecode), but also lets attackers build cross-platform malware from a single codebase that can target iOS, Android or other platforms. The malicious functionality is designed to steal sensitive data (credentials and/or credit card information) and two-factor authentication (2FA) codes sent via SMS.
- Lemon Group’s criminal enterprise pre-infected almost 9 million mobile devices with a tampered Android system library in a supply chain attack. Threat actors monetized the infected devices in the business of SMS Phone Verified Accounts (PVA) services, proxy services, marketing services, advertisement fraud, and app installation services.
- OilAlpha, a threat group targeting entities across the Arabian Peninsula since May 2022, uses SpyNote and SpyMax Android remote access trojans (RATs) in its espionage operations.
- Predator, a powerful commercial spyware available for both iOS and Android, offers a wide range of information-stealing, surveillance, and remote-access capabilities. Notably, its loader, Alien, can stop selected applications running in the background upon device reboot – a common technique in mobile malware for impairing defenses.
- Stolen mobile phones pose a threat to mobile banking apps: a victim in the UK had £73,000 stolen from their accounts after their phone was taken.
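The Fluhorse item above notes that Flutter-built apps are harder to analyze because the app logic is a compiled Dart snapshot rather than DEX bytecode. A first triage step a mobile analyst would want is to tell Flutter-built APKs apart from ordinary ones so they can be routed to the right tooling. The following is an added example, not code from the original roundup or from any of the reports it links. It relies on two facts about Flutter release builds: the engine ships as lib/<abi>/libflutter.so and the app's AOT-compiled Dart code as lib/<abi>/libapp.so. The sample "APK" it inspects is a constructed zip with that layout, not a real application.

```python
"""Triage check: does an APK ship the Flutter engine and a Dart AOT snapshot?

Added example. Real APKs are zip files; we only need their member names here.
"""
import io
import sys
import zipfile

FLUTTER_ENGINE = "libflutter.so"  # Flutter engine (C++), present in every Flutter build
DART_SNAPSHOT = "libapp.so"       # AOT-compiled Dart code of the app itself


def flutter_indicators(apk_bytes):
    """Return {abi: {"engine": bool, "snapshot": bool}} for every lib/<abi>/ directory.

    Only member names are read, so a malformed or huge native library is never parsed.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) != 3 or parts[0] != "lib":
                continue
            abi, fname = parts[1], parts[2]
            entry = found.setdefault(abi, {"engine": False, "snapshot": False})
            if fname == FLUTTER_ENGINE:
                entry["engine"] = True
            elif fname == DART_SNAPSHOT:
                entry["snapshot"] = True
    return found


def is_flutter_app(apk_bytes):
    """True when at least one ABI carries both the engine and a Dart snapshot.

    Requiring both avoids flagging an app that merely bundles a stray libapp.so
    from some unrelated native component.
    """
    return any(v["engine"] and v["snapshot"] for v in flutter_indicators(apk_bytes).values())


def build_sample_apk(flutter=True):
    """Constructed stand-in for an APK: a zip with the directory layout an APK uses.

    The ELF payloads are placeholders; the check above never reads them.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        zf.writestr("classes.dex", b"dex\n035\0")
        if flutter:
            for abi in ("arm64-v8a", "armeabi-v7a"):
                zf.writestr(f"lib/{abi}/{FLUTTER_ENGINE}", b"\x7fELF engine placeholder")
                zf.writestr(f"lib/{abi}/{DART_SNAPSHOT}", b"\x7fELF snapshot placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python flutter_triage.py [app.apk ...]; with no arguments the constructed sample is used.
    paths = sys.argv[1:]
    samples = [(p, open(p, "rb").read()) for p in paths] or [("constructed-sample.apk", build_sample_apk())]
    for label, data in samples:
        verdict = "Flutter" if is_flutter_app(data) else "not Flutter"
        print(f"{label}: {verdict} {flutter_indicators(data)}")
```

A positive result tells the analyst that decompiling classes.dex will show little more than the Flutter embedding glue, and that the real logic lives in the Dart snapshot inside libapp.so, which needs snapshot-aware tooling rather than a DEX decompiler.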
Vulnerabilities & patches
- A use-after-free zero-day vulnerability (CVE-2023-0266) in the Linux kernel sound subsystem was exploited to deliver spyware to Samsung Android phones. It is addressed in the Android 2023-05-05 security patch level.
- Kids Place is a parental control app for Android phones with more than 5 million downloads. Researchers identified multiple vulnerabilities (CVE-2023-29079, CVE-2023-29078 and CVE-2023-28153) in the app; all of them were patched in version 3.8.50.
- CISA added CVE-2023-32409, CVE-2023-28204 and CVE-2023-32373, three zero-day vulnerabilities that were exploited to deploy spyware, to its Known Exploited Vulnerabilities catalog. All three issues were addressed in iOS 16.5.
- Samsung patched the actively exploited zero-day CVE-2023-21492 in its May 2023 Security Maintenance Release (SMR). CISA added the flaw, in which sensitive information (kernel pointers) is written into log files, to its Known Exploited Vulnerabilities catalog.
- The Expo framework lets application developers create native iOS, Android and web applications from a single codebase. A critical security flaw (CVE-2023-28131) in the framework's Open Authorization (OAuth) implementation was mitigated by a hotfix.
Intelligence reports
- Meta reported the actions it took against a Pakistan-based state-sponsored advanced persistent threat (APT) group, the Bahamut APT and the Patchwork APT in its Quarterly Adversarial Threat Report for Q1 2023. These groups used Facebook and Instagram to socially engineer their targets into installing malicious Android apps.
- Apple announced that in 2022 the App Store prevented more than $2 billion worth of fraudulent transactions and rejected nearly 1.7 million app submissions for violating its privacy, security or content requirements. 428,000 developer accounts and 282 million customer accounts were also terminated for fraud and abuse last year.
- According to the LexisNexis Risk Solutions Cybercrime Report 2022, mobile apps have become the preferred channel for digital transactions (63% of 79.8 billion transactions in 2022). Mobile apps also showed the highest year-over-year (YoY) growth in attack rate, with a 58% increase.
- AhMyth, Anubis and Hiddad were the top three mobile malware families in April 2023 according to Check Point's Most Wanted Malware report.