There are currently 14 distinct categories of Potentially Harmful Applications (PHAs) designed by Google https://developers.google.com/android/play-protect/phacategories

AndroidProjectCreator converts the APK to an Android Studio project. https://maxkersten.nl/projects/androidprojectcreator/

3 things you should be doing when you pentest an Android application https://link.medium.com/4vYR1UbsoW

Not cool. At least it explains why it needs location services.

Honda Insight in 2019 runs Android 6 from 2015

Two vulnerabilities in Android-based smart-TVs from Sony, including the flagship Bravia line, could allow attackers to access WiFi passwords and images stored on the devices. https://threatpost.com/android-sony-smart-tvs/144133/

Twitter lite(Android): Vulnerable to local file steal, Javanoscript injection, Open redirect. https://hackerone.com/reports/499348

April 2019 mobile malware review from Doctor Web

https://news.drweb.com/show/review/?lng=en&i=13278

Security Steps You Should Take After Buying a Second-Hand Phone https://www.android.gs/possible-security-threats-you-might-face-when-using-a-second-hand-smartphone

Dynamic binary instrumentation tool designed for Android application and powered by Frida. It desassemble DEX, analyze, can generate hook, stored intercepted data automatically and do new things from it... https://github.com/FrenchYeti/dexcalibur

Google announces a new way for delivering Android security updates for core OS components. https://www.zdnet.com/google-amp/article/google-io-14-android-os-modules-to-get-over-the-air-security-updates-in-real-time/

These are all the majoor security features Google added in Android over the years.

Today, at I/O, it said it added 50 new features and improvements to privacy and security settings, which it described as "the main focus of this release." via @campuscodi

How my bug bounty hunt turned into Android malware analysis https://daddycocoaman.dev/posts/bug-bounty-adventures-this-is-the-wrong-porn/

UC Browser for Android is Vulnerable to URL Spoofing Attack

▪️UC Browsers have 600M+ installs on Google Play
▪️This vulnerability can be explained by phishing attack
▪️PoC: google.com.evil.com/?q=www.paypal.com
▪️Not fixed yet
▪️Discovered by @payloadartist

Details: https://www.andmp.com/2019/05/advisory-unpatched-url-address-bar-vulnerability-in-latest-versions-of-UC-browers.html

Latest OWASP Mobile Security Testing Guide (v1.1.1) released today.
Lots of new stuff. Particularly for iOS (+30%). https://github.com/OWASP/owasp-mstg

1-click HackerOne account takeover on all Android devices - bug which allowed to dump history from all Chromium based browsers. https://hackerone.com/reports/563870

Mobile Zero-days vulnerabilities are worth more than Windows.
We walk around with perfect espionage devices in our pockets and bad actors are aware of it.

The apps bundled with many Android phones are presenting threats to security and privacy greater than most users think.
They found that everyone from the hardware builders to mobile carriers and third-party advertisers were loading products up with risky code (PDF). https://arxiv.org/pdf/1905.02713.pdf

Gartner evaluates a number of operating systems and device implementations including Android. Android 9 received strong ratings in 26 of 30 categories, including 12 of the 13 categories in the corp-managed section.
https://www.blog.google/products/android-enterprise/android-enterprise-security-assessed-gartner/

If you have app Qualcomm Telecome app that tries to send SMS remove it.

How: Go to Settings -> Apps search for Qualcomm Telecome app and check if it requests SMS permission. If so, uninstall it.
This app was found on Pixel 2XL, Pixel 3XL and OnePlus 5 once updated to Android 9.