Monokle - Mobile Surveillance Tool

Highlights
▪️ on rooted devices can install own certificate to MitM TLS traffic
▪️ steals user defined words used for predictive text input
▪️ records the user unlocking device to get PIN
▪️ spread as Trojanized: Signal, ES explorer, Porn Hub...
▪️ via Xposed module can create hooks and hide presence in process list
▪️ via accessibility services can capture data from: Microsoft Word, Google Docs, Facebook messenger, Whatsapp, imo, Viber, Skype, WeChat, VK, Line, and Snapchat.
▪️ developed by Special Technology Center (STC) - a Russian defense contractor
▪️ there is also iOS version
▪️ can execute 33 commands on infected devices

jnitrace

A Frida module to trace usage of the JNI API in Android apps.
https://github.com/chame1eon/jnitrace

Mobile banking malware: With over 50% increase in attacks when compared to 2018 - via Check Point
https://www.checkpoint.com/press/2019/check-point-research-from-supply-chain-to-email-mobile-and-the-cloud-no-environment-is-immune-to-cyber-attacks/

Android Pentesting/Bug Hunting 101

-set-up Burp
-bruteforce OTP
-ADB leaks
-IDOR vulnerability
-list of static & dynamic vulnerabilities you should always check
https://link.medium.com/Ohrs3M1eFY

Scareware Youtube ads "Your Phone has Virus ⚠️" techniques are misused to promote lousy Android antivirus app.

BTW, this app has 100K+ installs and has been available on Google Play only since Jul 5, 2019 without any reference or web site.
https://t.co/efC3Rh30NX

SQL Injection found in NextCloud Android App Content Provider
https://hackerone.com/reports/291764

Bypassing lock protection in Nextcloud Android app
https://hackerone.com/reports/490946

Android Icon-hiding Adware found on Google Play

Seven apps with altogether over 700,000 installs.
https://twitter.com/s_metanka/status/1155824374177587201

New Android Crypto Ransomware spreads via SMS to your contacts

-ransomware was distributed via XDA Developers forum and Reddit
-uses 42 predefined SMS texts to spread for particular languages
-encrypts files and adds .seven extension
-requests BTC
https://www.welivesecurity.com/2019/07/29/android-ransomware-back

iMessage: memory corruption when decoding NSKnownKeysDictionary1
https://bugs.chromium.org/p/project-zero/issues/detail?id=1884

If Bluetooth is ON on your Apple device everyone nearby can sniff your mobile phone number. [Video demo included]
https://hexway.io/blog/apple-bleee/
PoCs: https://github.com/hexway/apple_bleee

Five bugs in iMessages

1) CVE-2019-8647 is a remote, interactionless use-after-free - https://bugs.chromium.org/p/project-zero/issues/detail?id=1873

2) CVE-2019-8662 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1917

3) CVE-2019-8660 is remote, interactionless memory corruption - https://bugs.chromium.org/p/project-zero/issues/detail?id=1884

4) CVE-2019-8646 allows an attacker to read files off a remote device with no user interaction, as user mobile with no sandbox - https://bugs.chromium.org/p/project-zero/issues/detail?id=1858

5) Out-of-bounds read in DigitalTouch tap message processing - https://bugs.chromium.org/p/project-zero/issues/detail?id=1828

Such vulnerabilities, when sold on the black market, can bring a bug hunter well over $1 million, according to a price chart published by Zerodium.
https://www.zdnet.com/article/google-researchers-disclose-exploits-for-interactionless-ios-attacks/

Mobile Threat Landscape Report 2019

A comprehensive review of mobile malware trend

Update your Truecaller app

The bug led the Truecaller app to quietly send a text message to a bank to verify their account — which is part of the procedure to sign up to the payments service.
https://techcrunch.com/2019/07/30/truecaller-upi-payments-bug/

Mobile Security Review 2019

Google Play Protect had the worst malware scan results.

"Android includes built-in security features for malware detection, device loss or theft, and safe browsing for free. However, Play Protect does not yet provide effective protection." @AV_Comparatives
https://www.av-comparatives.org/tests/mobile-security-review-2019/

Facebook & WhatsApp will send to their cloud all users messages in clear text before encryption. #privacy

"If the company’s new on-device content moderation succeeds it will usher in the end of consumer end-to-end encryption and create a framework for governments to outsource their mass surveillance directly to social media companies, completely bypassing encryption."
https://www.forbes.com/sites/kalevleetaru/2019/07/26/the-encryption-debate-is-over-dead-at-the-hands-of-facebook/

Mobile forensics are analyzing the smartphone itself with possible access to cloud data. However, extending the search to the user’s desktop and laptop computers may (and possibly will) help accessing information stored both in the physical smartphone and in the cloud.
https://blog.elcomsoft.com/2019/07/extended-mobile-forensics-analyzing-desktop-computers/

HiddenAd Adware with 500,000 installs found on Google Play
https://twitter.com/ESETresearch/status/1156551255701020672?s=19

AdFraud app found on Google Play had 1,000,000+ installs
https://twitter.com/ESETresearch/status/1156587825812271106?s=19

Remotely Stole Files Through iMessage on iOS 12.3.1 (CVE-2019-8646 by natashenka)
https://youtu.be/ld2m0CPR1nM