Vulnerable Banking Application for Android
https://github.com/rewanth1997/Damn-Vulnerable-Bank

Evernote: Universal-XSS, theft of all cookies from all sites, and more
https://blog.oversecured.com/Evernote-Universal-XSS-theft-of-all-cookies-from-all-sites-and-more/

Remotely stealing cookies from Firefox for Android by visiting an exploit website (CVE-2020-15647)
PoC: https://gist.github.com/kanytu/7fe0640c87b0f3e57bda51e784a7255d
Research: https://medium.com/bugbountywriteup/firefox-and-how-a-website-could-steal-all-of-your-cookies-581fe4648e8d

Unpatched vulnerability found in GO SMS Pro app allows unauthorized users to see shared media attachments
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/go-sms-pro-vulnerable-to-media-file-theft/

Running code in the context of iOS Kernel: Part I + LPE POC on iOS 13.7
https://blog.zecops.com/vulnerabilities/running-code-in-the-context-of-ios-kernel-part-i-lpe-poc-on-ios-13-7/

Mobile threat evolution Q3 2020
https://securelist.com/it-threat-evolution-q3-2020-mobile-statistics/99461/

Vulnerability found in Facebook Messenger for Android that causes audio call to connect before callee has answered the call (bounty $60,000)
https://bugs.chromium.org/p/project-zero/issues/detail?id=2098&s=03

More than 20 fake Minecraft mods discovered on Google Play (adware)
https://www.kaspersky.com/blog/minecraft-mod-adware-google-play/37717/

Enter WAPDropper – Subscribe Users To Premium Services By Telecom Companies
https://research.checkpoint.com/2020/enter-wapdropper-subscribe-users-to-premium-services-by-telecom-companies/

Android Reverse Engineering WorkBench for VS Code
https://github.com/Surendrajat/APKLab

Noia: Simple Android and iOS (newly added feature) application sandbox file browser tool #Frida
https://github.com/0x742/noia

Run Hydra on Android to bruteforce passwords in Termux

How to crack a password of HTTP, SSH, VNC services using Hydra
Full video: https://www.instagram.com/tv/CIN7bDFghz9/

iOS 1-day hunting: uncovering and exploiting CVE-2020-27950 kernel memory leak
https://www.synacktiv.com/publications/ios-1-day-hunting-uncovering-and-exploiting-cve-2020-27950-kernel-memory-leak.html

Android AdFraud found on Google Play Store
Within the interval of several seconds it loads list of websites inside the invisible WebView
https://vms.drweb.com/virus/?i=22891890

Google discovered iOS zero-click Wi-Fi wormable exploit
Remotely triggered an unauthenticated kernel memory corruption vulnerability which causes all iOS devices in radio-proximity to reboot, with no user interaction.
Exploiting this vulnerability it is possible to run arbitrary code on any nearby iOS device and steal all the user data.
This security issue is fixed now.
https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html

Apktool v2.5.0 Released
https://connortumbleson.com/2020/12/02/apktool-v2-5-0-released/

Vulnerability in Google Play Core Library Remains Unpatched in Google Play Applications
If an attacker uses file traversal, the payload is written to the verified folder, and is automatically loaded into the vulnerable application and executed within its scope.
https://research.checkpoint.com/2020/vulnerability-in-google-play-core-library-remains-unpatched-in-google-play-applications/

The Facebook Messenger Leaking Access Token Of Million Users to third party site
https://medium.com/bugbountywriteup/how-i-found-the-facebook-messenger-leaking-access-token-of-million-users-8ee4b3f1e5e3

ASLR & the iOS Kernel — How virtual address spaces are randomised
https://bellis1000.medium.com/aslr-the-ios-kernel-how-virtual-address-spaces-are-randomised-d76d14dc7ebb

Deep Dive into an Obfuscation-as-a-Service for Android Malware
https://www.stratosphereips.org/blog/2020/12/03/deep-dive-into-an-obfuscation-as-a-service-for-android-malware

More than 20 million Gionee phones secretly implanted with Trojan Horses to make money
https://www.gizmochina.com/2020/12/05/more-than-20-million-gionee-phones-secretly-implanted-with-trojan-horses-to-make-money/