Android Security & Malware – Telegram
Mobile cybersecurity channel
Links: https://linktr.ee/mobilehacker
Contact: mobilehackerofficial@gmail.com
Looks like someone successfully created a PoC for Android CVE-2019-2107 RCE

PoC: You can own the mobile by viewing a video with payload. Should work on Android 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9.
https://github.com/marcinguy/CVE-2019-2107
Story wrap-up about PoC CVE-2019-2107 with the comments from PoC author and Google.

▪️ Google - vulnerability wasn't exploited in the wild yet
▪️ PoC author - exploit wouldn't work if the video is shared on Facebook, YouTube, Instagram... because of encoding
https://thenextweb.com/security/2019/07/24/google-android-vulnerability-malicious-video/
Monokle

The Mobile Surveillance Tooling of the Special Technology Center
https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf
Monokle - Mobile Surveillance Tool

Highlights
▪️ on rooted devices can install own certificate to MitM TLS traffic
▪️ steals user defined words used for predictive text input
▪️ records the user unlocking device to get PIN
▪️ spread as Trojanized: Signal, ES explorer, Porn Hub...
▪️ via Xposed module can create hooks and hide presence in process list
▪️ via accessibility services can capture data from: Microsoft Word, Google Docs, Facebook Messenger, WhatsApp, imo, Viber, Skype, WeChat, VK, Line, and Snapchat.
▪️ developed by Special Technology Center (STC) - a Russian defense contractor
▪️ there is also iOS version
▪️ can execute 33 commands on infected devices
Android Pentesting/Bug Hunting 101

-set-up Burp
-bruteforce OTP
-ADB leaks
-IDOR vulnerability
-list of static & dynamic vulnerabilities you should always check
https://link.medium.com/Ohrs3M1eFY
Scareware YouTube ad techniques ("Your Phone has Virus ⚠️") are misused to promote a lousy Android antivirus app.

BTW, this app has 100K+ installs and has been available on Google Play only since Jul 5, 2019 without any reference or web site.
https://t.co/efC3Rh30NX
New Android Crypto Ransomware spreads via SMS to your contacts

-ransomware was distributed via XDA Developers forum and Reddit
-uses 42 predefined SMS texts to spread for particular languages
-encrypts files and adds .seven extension
-requests BTC
https://www.welivesecurity.com/2019/07/29/android-ransomware-back
iMessage: memory corruption when decoding NSKnownKeysDictionary1
https://bugs.chromium.org/p/project-zero/issues/detail?id=1884
If Bluetooth is ON on your Apple device everyone nearby can sniff your mobile phone number. [Video demo included]
https://hexway.io/blog/apple-bleee/
PoCs: https://github.com/hexway/apple_bleee
Five bugs in iMessages

1) CVE-2019-8647 is a remote, interactionless use-after-free - https://bugs.chromium.org/p/project-zero/issues/detail?id=1873

2) CVE-2019-8662 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1917

3) CVE-2019-8660 is remote, interactionless memory corruption - https://bugs.chromium.org/p/project-zero/issues/detail?id=1884

4) CVE-2019-8646 allows an attacker to read files off a remote device with no user interaction, as user mobile with no sandbox - https://bugs.chromium.org/p/project-zero/issues/detail?id=1858

5) Out-of-bounds read in DigitalTouch tap message processing - https://bugs.chromium.org/p/project-zero/issues/detail?id=1828
2019 mobile threat report - CrowdStrike.pdf
Mobile Threat Landscape Report 2019

A comprehensive review of mobile malware trends
Mobile Security Review 2019

Google Play Protect had the worst malware scan results.

"Android includes built-in security features for malware detection, device loss or theft, and safe browsing for free. However, Play Protect does not yet provide effective protection." @AV_Comparatives
https://www.av-comparatives.org/tests/mobile-security-review-2019/