Trojan downloader found on Google Play by @Maler360

-once launched, hides itself icon
-downloads additional app over HTTP
-makes user install it
-second app can then download additional apps & make user install them as "Update Alert" + display ads
-100,000+ installs
-reported

Video demo: https://twitter.com/LukasStefanko/status/1138764352411131905

iOS Kernel Fuzzing - Finding Bugs/Vulnerabilities in iOS via IOKit Fuzzing https://youtu.be/Psm_mCJXH-8

Yaazhini - Free Android APK & API Vulnerability Scanner https://www.vegabird.com/yaazhini/

Android app - La Liga - spied on football fans

According to reports, audio recorded through the Android smartphone’s microphone was combined with GPS location data in an attempt to determine if bars and restaurants were airing live matches without a license.
https://hotforsecurity.bitdefender.com/blog/la-liga-fined-e250000-after-android-app-spied-on-football-fans-21332.html

Four more apps with 220,000+ installs were lately available on Google Play with the functionality to download and make victim install additional apps + display unwanted ads.

This one is still there, found by @m0br3v

6 MUST HAVE TOOLS FOR YOUR IOS PENTESTING TOOLKIT
https://payatu.com/6-must-tools-ios-pentesting-toolkit/

Methodology for penetration testing and security assessment.
https://github.com/aungthurhahein/Red-Team-Curation-List/blob/master/README.md

Operation Android : Android Pentesting is out.
https://www.peerlyst.com/posts/operation-android-android-pentesting-is-out-benedict-charles

Apps on Google Play pushed fraudulent notifications through browser
https://news.drweb.com/show/?i=13313&lng=en

Solution to Access iOS and High-End Android Devices

Bypass or determine locks and perform a full file system extraction on any iOS device and on many high-end Android devices.
https://www.cellebrite.com/en/ufed-premium/

Mobile Stalkware industry research - a predator in your pocket
https://citizenlab.ca/docs/stalkerware-holistic.pdf

New technique to bypass SMS permission restriction on Google Play to obtain 2FA & OTP codes.
It intercepts SMS notifications.
Discovered fake cryptocurrency exchanges with such functionality on Play Store.
https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/

Samsung advice their users to scan their TVs for malware.
https://twitter.com/SamsungSupport/status/1140409768743452672

Running iOS in QEMU to an interactive bash shell (1): tutorial
https://alephsecurity.com/2019/06/17/xnu-qemu-arm64-1/

Apparently it's still working
http://imgur.com/a/tKarLNp

Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East

Over 660 Android victims infected via malicious webs promoted on social media. Main goal was espionage.
https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/

QR code app on Google Play with over 1,000,000 installs requests $100 trial payment
https://www.androidpolice.com/2019/06/18/qr-code-app-on-play-store-ripping-people-off-for-100-through-shady-trial-scheme/

Malicious photo editor app found on Google Play with 10K+ installs

Malware signed users for unwanted subnoscription and intercepted SMS verification codes by having access to notifications.
https://www.kaspersky.com/blog/malicious-camera-app/27391/

Mobile cryptojacking and related abuse
https://t.co/I40ye67huy (pdf)

Vulnerabilities and threats in mobile applications, 2019

https://www.ptsecurity.com/ww-en/analytics/mobile-application-security-threats-and-vulnerabilities-2019/

Microsoft Outlook for Android Open to XSS Attacks

The attacker who successfully exploited this vulnerability could then perform cross-site noscripting attacks on the affected systems and run noscripts in the security context of the current user.
https://threatpost.com/microsoft-outlook-android-xss/145924/