Android Security & Malware – Telegram
Mobile cybersecurity channel
Links: https://linktr.ee/mobilehacker
Contact: mobilehackerofficial@gmail.com
Tinder is another app to bypass the Play Store to avoid Google’s 30 percent cut

TINDER WILL NOW TAKE YOUR PAYMENT INFO DIRECTLY, INSTEAD OF LETTING GOOGLE PROCESS THE TRANSACTION
https://www.theverge.com/2019/7/19/20701256/tinder-google-play-store-android-bypass-30-percent-cut-avoid-self-install
Looks like someone successfully created PoC for Android CVE-2019-2107 RCE

PoC: You can own the mobile by viewing a video with a payload. Should work on Android 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9.
https://github.com/marcinguy/CVE-2019-2107
Story wrap-up about PoC CVE-2019-2107 with the comments from PoC author and Google.

▪️ Google - vulnerability wasn't exploited in the wild yet
▪️ PoC author - exploit wouldn't work if the video is shared on Facebook, YouTube, Instagram... because of encoding
https://thenextweb.com/security/2019/07/24/google-android-vulnerability-malicious-video/
Monokle

The Mobile Surveillance Tooling of the Special Technology Center
https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf
Monokle - Mobile Surveillance Tool

Highlights
▪️ on rooted devices can install its own certificate to MitM TLS traffic
▪️ steals user-defined words used for predictive text input
▪️ records the user unlocking device to get PIN
▪️ spread as Trojanized: Signal, ES explorer, Porn Hub...
▪️ via Xposed module can create hooks and hide presence in process list
▪️ via accessibility services can capture data from: Microsoft Word, Google Docs, Facebook messenger, Whatsapp, imo, Viber, Skype, WeChat, VK, Line, and Snapchat.
▪️ developed by Special Technology Center (STC) - a Russian defense contractor
▪️ there is also an iOS version
▪️ can execute 33 commands on infected devices
Android Pentesting/Bug Hunting 101

-set-up Burp
-bruteforce OTP
-ADB leaks
-IDOR vulnerability
-list of static & dynamic vulnerabilities you should always check
https://link.medium.com/Ohrs3M1eFY
Scareware YouTube ad techniques ("Your Phone has Virus ⚠️") are misused to promote a lousy Android antivirus app.

BTW, this app has 100K+ installs and has been available on Google Play only since Jul 5, 2019 without any reference or web site.
https://t.co/efC3Rh30NX
New Android Crypto Ransomware spreads via SMS to your contacts

-ransomware was distributed via XDA Developers forum and Reddit
-uses 42 predefined SMS texts to spread for particular languages
-encrypts files and adds .seven extension
-requests BTC
https://www.welivesecurity.com/2019/07/29/android-ransomware-back
iMessage: memory corruption when decoding NSKnownKeysDictionary1
https://bugs.chromium.org/p/project-zero/issues/detail?id=1884
If Bluetooth is ON on your Apple device everyone nearby can sniff your mobile phone number. [Video demo included]
https://hexway.io/blog/apple-bleee/
PoCs: https://github.com/hexway/apple_bleee
Five bugs in iMessages

1) CVE-2019-8647 is a remote, interactionless use-after-free - https://bugs.chromium.org/p/project-zero/issues/detail?id=1873

2) CVE-2019-8662 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1917

3) CVE-2019-8660 is remote, interactionless memory corruption - https://bugs.chromium.org/p/project-zero/issues/detail?id=1884

4) CVE-2019-8646 allows an attacker to read files off a remote device with no user interaction, as user mobile with no sandbox - https://bugs.chromium.org/p/project-zero/issues/detail?id=1858

5) Out-of-bounds read in DigitalTouch tap message processing - https://bugs.chromium.org/p/project-zero/issues/detail?id=1828