Over 1,000 Android apps harvest data even after you deny permissions.

Apps used workarounds that would take personal data from sources like Wi-Fi connections and metadata stored in photos.
Fix won’t come until Android Q.
https://www.cnet.com/news/more-than-1000-android-apps-harvest-your-data-even-after-you-deny-permissions/
PDF: www.ftc.gov/system/files/documents/public_events/1415032/privacycon2019_serge_egelman.pdf

iOS 13 beta 3 available only for developers already exploited and got root shell #JailBreak
Exploit code is not released.
https://twitter.com/iBSparkes/status/1147830471440633858

Android malware hidden inside VirtualApp sandbox. #chinese
http://blog.avlsec.com/2019/07/5393/virtualapp%e6%8a%80%e6%9c%af%e5%ba%94%e7%94%a8%e5%8f%8a%e5%ae%89%e5%85%a8%e5%88%86%e6%9e%90%e6%8a%a5%e5%91%8a/

Hackers exploit 7-Eleven mobile app's poorly designed password reset function to make unwanted charges on 900 customers' accounts.
https://www.zdnet.com/article/7-eleven-japanese-customers-lose-500000-due-to-mobile-app-flaw/

Australian Federal Police admits to spying on journalists

The authorities used a 2015 amendment to espionage legislation that forces telecommunications companies to keep phone and Internet records, as well as other metadata, of users for up to two years.
https://www.theguardian.com/australia-news/2019/jun/04/federal-police-raid-home-of-news-corp-journalist-annika-smethurst

Analysis of subnoscription scam iOS apps found on App Store.

These are apps that are free to download and then ask you to subscribe right on launch. https://ivrodriguez.com/investigating-some-subnoscription-scam-ios-apps/

Four Ways The Bad Guys Attack Mobile Devices

▪️Network based attacks
▪️Device exploits
▪️Phishing attacks
▪️Malicious apps
https://blog.zimperium.com/not-fathers-endpoint-four-ways-bad-guys-attack-mobile-devices/

QCSuper: open-source tool that enables you to passively capture raw 2G/3G/4G frames by rooted Qualcomm-based Android phone or dongle
https://labs.p1sec.com/2019/07/09/presenting-qcsuper-a-tool-for-capturing-your-2g-3g-4g-air-traffic-on-qualcomm-based-phones/

iOS13 beta 2 notifies user when apps report excessive location tracking
https://www.reddit.com/r/ios/comments/cb4769/ios_13_public_beta_2_notifies_when_apps_report/

Towards Understanding Android System Vulnerabilities: Techniques and Insights
https://daoyuan14.github.io/slides/AsiaCCS19_slides_Daoyuan.pdf

New FinFisher spy infects iOS (jailbreak) and Android devices.

FinFisher has been sold to governments all over the world. For iOS it doesn't use any exploit but manual installation is required.
Targets popular messaging apps.
https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/

New Android malware replaces legitimate apps with ad-infested doppelgangers.

The vast majority of victims are located in India (15.2 million), Bangladesh (2.5 million), and Pakistan (1.7 million).
The Agent Smith malware uses the Janus technique to inject malicious code inside a legitimate app, but without affecting its MD5 file hash.
https://www.zdnet.com/article/new-android-malware-replaces-legitimate-apps-with-ad-infested-doppelgangers/

Android Debug Bridge commands 💻📲

ADB commands are executed from PC on a connected Android device

Analysis of Agent Smith: A New Species of Mobile Malware
https://research.checkpoint.com/agent-smith-a-new-species-of-mobile-malware/

How to set up quick Android malware or bug bounty analysis lab

1.0) Install Android 8.1 Oreo in Virtual Machine: https://techsviewer.com/install-android-in-virtual-machine-vmware-and-virtualbox

1.1) Android 8.1 in qemu and Burp Suite SSL interception: https://astr0baby.wordpress.com/2019/07/09/android-8-1-in-qemu-and-burp-suite-ssl-interception/

2) Set up SSL PINNING IN 10 MINUTES WITH FRIDA: https://omespino.com/tutorial-universal-android-ssl-pinning-in-10-minutes-with-frida/

3) Download apps or malware to test: https://koodous.com/apks

The first Bluetooth hair straighteners can be easily hacked #IoT

As there is no pairing or bonding established over BLE when connecting a phone, anyone in range with the app can take control of the straighteners.
https://www.pentestpartners.com/security-blog/burning-down-the-house-with-iot/

iOS URL Scheme Susceptible to Hijacking

Abuse of the URL Scheme can potentially result in the loss of privacy, bill fraud, exposure to pop-up ads, and more.
https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/

Fake DeepNude Downloads Gives You Malware Instead of Nudes

A brief search on YouTube indicates that the campaign started a week ago. The latest video linking to a file in the denoscription was uploaded on Wednesday and has almost 1,000 views; it links to an Android app.
https://www.bleepingcomputer.com/news/security/fake-deepnude-downloads-gives-you-malware-instead-of-nudes/

58 HiddenAds Trojans with over 8,200,000 installs found on Google Play
https://twitter.com/m0br3v/status/1149621258671099907?s=19

Android backdoor found on Google Play in OpenGL Plugin app
https://news.drweb.com/show/?i=13349&lng=en

How mobile black products benefit from plug-in technology - part II. #Chinese
https://blog.trustlook.com/hei-chan-li-qi-an-zhuo-duo-kai/