Android Security Monthly Recap #4
-Xiaomi vulnerabilities
-insecure financial apps
-stalkerware
-spyware
-leaked source code
-Clickers, Adware, Banking Trojans, Ransomware and Phishing apps on Google Play
-hidden feature of your Samsung Calc
+3 bonuses
https://lukasstefanko.com/2019/05/android-security-monthly-recap-april-2019.html
How Anubis uses Telegram (and Chinese characters) to phone home https://news.sophos.com/en-us/2019/05/01/how-anubis-uses-telegram-and-chinese-characters-to-phone-home/
The ubiquitous Android bank credential thief tries new methods to conceal where it gets its instructions from
Chinese authorities are using a mobile app to carry out illegal mass surveillance and arbitrary detention of Muslims https://www.hrw.org/video-photos/interactive/2019/05/02/china-how-mass-surveillance-works-xinjiang
How Mass Surveillance Works in Xinjiang, China
‘Reverse Engineering’ Police App Reveals Profiling and Monitoring Strategies
This blog post is about examining an Android security patch and understanding how it mitigates the vulnerability https://blog.quarkslab.com/android-application-diffing-cve-2019-10875-inspection.html
Android Application Diffing: CVE-2019-10875 Inspection
Chrome on Android: Phishing attackers can now trick you with fake address bar https://jameshfisher.com/2019/04/27/the-inception-bar-a-new-phishing-method/
The inception bar: a new phishing method
A new phishing technique that displays a fake URL bar in Chrome for mobile. A key innovation is the "scroll jail" that traps the user in a fake browser.
Bug Bounty Hunting Tips #2 —Target their mobile apps (Android Edition) https://link.medium.com/zgBpttKSmW
If you read through the disclosed bug bounty reports on platforms such as hackerone.com it is clear that most bug bounty hunters are…
Android App Reverse Engineering 101 https://maddiestone.github.io/AndroidAppRE/
From third-party Android store to SMS Trojan
https://www.zscaler.com/blogs/research/third-party-android-store-sms-trojan
Third-party Android App Store to SMS Trojan | Security Blog
Third-party Android app store "Smart Content Store" leads to the download of an SMS Trojan. Zscaler advises Android users to download apps only from official app stores. Using third-party stores may lead to the installation of apps that have hidden, malicious…
There are currently 14 distinct categories of Potentially Harmful Applications (PHAs) designed by Google https://developers.google.com/android/play-protect/phacategories
Malware | Play Protect | Google for Developers
AndroidProjectCreator converts the APK to an Android Studio project. https://maxkersten.nl/projects/androidprojectcreator/
3 things you should be doing when you pentest an Android application https://link.medium.com/4vYR1UbsoW
Two vulnerabilities in Android-based smart-TVs from Sony, including the flagship Bravia line, could allow attackers to access WiFi passwords and images stored on the devices. https://threatpost.com/android-sony-smart-tvs/144133/
Android-Based Sony Smart-TVs Open to Image Pilfering
A pair of bugs would allow attackers to compromise the WiFi password of a TV and the multimedia stored inside it.
Twitter Lite (Android): vulnerable to local file theft, JavaScript injection and open redirect. https://hackerone.com/reports/499348
**Summary:** com.twitter.android.lite.TwitterLiteActivity is set to exported and doesn't validate the data passed to the intent, due to which this activity is vulnerable to stealing users' local files, JavaScript...
Security Steps You Should Take After Buying a Second-Hand Phone https://www.android.gs/possible-security-threats-you-might-face-when-using-a-second-hand-smartphone
Dynamic binary instrumentation tool designed for Android applications and powered by Frida. It disassembles DEX, analyzes it, can generate hooks, stores intercepted data automatically and does new things from it... https://github.com/FrenchYeti/dexcalibur
[Official] Android reverse engineering tool focused on dynamic instrumentation automation leveraging Frida. It disassembles dex, analyzes it statically, generates hooks, discovers reflected methods...
