Twitter lite(Android): Vulnerable to local file steal, Javanoscript injection, Open redirect. https://hackerone.com/reports/499348

April 2019 mobile malware review from Doctor Web

https://news.drweb.com/show/review/?lng=en&i=13278

Security Steps You Should Take After Buying a Second-Hand Phone https://www.android.gs/possible-security-threats-you-might-face-when-using-a-second-hand-smartphone

Dynamic binary instrumentation tool designed for Android application and powered by Frida. It desassemble DEX, analyze, can generate hook, stored intercepted data automatically and do new things from it... https://github.com/FrenchYeti/dexcalibur

Google announces a new way for delivering Android security updates for core OS components. https://www.zdnet.com/google-amp/article/google-io-14-android-os-modules-to-get-over-the-air-security-updates-in-real-time/

These are all the majoor security features Google added in Android over the years.

Today, at I/O, it said it added 50 new features and improvements to privacy and security settings, which it described as "the main focus of this release." via @campuscodi

How my bug bounty hunt turned into Android malware analysis https://daddycocoaman.dev/posts/bug-bounty-adventures-this-is-the-wrong-porn/

UC Browser for Android is Vulnerable to URL Spoofing Attack

▪️UC Browsers have 600M+ installs on Google Play
▪️This vulnerability can be explained by phishing attack
▪️PoC: google.com.evil.com/?q=www.paypal.com
▪️Not fixed yet
▪️Discovered by @payloadartist

Details: https://www.andmp.com/2019/05/advisory-unpatched-url-address-bar-vulnerability-in-latest-versions-of-UC-browers.html

Latest OWASP Mobile Security Testing Guide (v1.1.1) released today.
Lots of new stuff. Particularly for iOS (+30%). https://github.com/OWASP/owasp-mstg

1-click HackerOne account takeover on all Android devices - bug which allowed to dump history from all Chromium based browsers. https://hackerone.com/reports/563870

Mobile Zero-days vulnerabilities are worth more than Windows.
We walk around with perfect espionage devices in our pockets and bad actors are aware of it.

The apps bundled with many Android phones are presenting threats to security and privacy greater than most users think.
They found that everyone from the hardware builders to mobile carriers and third-party advertisers were loading products up with risky code (PDF). https://arxiv.org/pdf/1905.02713.pdf

Gartner evaluates a number of operating systems and device implementations including Android. Android 9 received strong ratings in 26 of 30 categories, including 12 of the 13 categories in the corp-managed section.
https://www.blog.google/products/android-enterprise/android-enterprise-security-assessed-gartner/

If you have app Qualcomm Telecome app that tries to send SMS remove it.

How: Go to Settings -> Apps search for Qualcomm Telecome app and check if it requests SMS permission. If so, uninstall it.
This app was found on Pixel 2XL, Pixel 3XL and OnePlus 5 once updated to Android 9.

South Africa Has Second Most Android Banking Malware Attacks As Cyber Crime Increases

▪️Android smartphones in South Africa are the second-most targeted for banking malware
▪️There are 13,842 cyber attacks per day in Africa’s most sophisticated economy
https://sabric.co.za/media-and-news/press-releases/digital-banking-crime-statistics/

A popular GPS tracker — used as a panic alarm for elderly patients, to monitor kids, and track vehicles — contains security flaws that could leak real-time locations and can remotely activate its microphone.

▪️Device has integrated SIM card but without internet connectivity
▪️If not properly secured (not by default), it can receive SMS commands from anyone
https://techcrunch.com/2019/05/10/gps-trackers-flaw/

Quick overview of "secure messaging apps"

In Android Q beta 3 apps running in the background can no longer launch activities.
However, users can disable this feature in developer options by turning on "Allow background activity starts."
Because of that, malware could allow it via Accessibility services. https://www.androidpolice.com/2019/05/08/background-apps-can-no-longer-launch-activities-in-android-q-beta-3/

APKiD (new release) gives you information about how an APK was made.
It identifies many compilers, packers, obfuscators, and other weird stuff. It's PEiD for Android.
https://github.com/rednaga/APKiD/blob/master/README.md

Great feature on iOS 12