A popular GPS tracker — used as a panic alarm for elderly patients, to monitor kids, and track vehicles — contains security flaws that could leak real-time locations and can remotely activate its microphone.

▪️Device has integrated SIM card but without internet connectivity
▪️If not properly secured (not by default), it can receive SMS commands from anyone
https://techcrunch.com/2019/05/10/gps-trackers-flaw/

Quick overview of "secure messaging apps"

In Android Q beta 3 apps running in the background can no longer launch activities.
However, users can disable this feature in developer options by turning on "Allow background activity starts."
Because of that, malware could allow it via Accessibility services. https://www.androidpolice.com/2019/05/08/background-apps-can-no-longer-launch-activities-in-android-q-beta-3/

APKiD (new release) gives you information about how an APK was made.
It identifies many compilers, packers, obfuscators, and other weird stuff. It's PEiD for Android.
https://github.com/rednaga/APKiD/blob/master/README.md

Great feature on iOS 12

Local DoS on all Samsung phones with PoC https://link.medium.com/IhXHrKKCDW

Hacking Public Warning System in LTE Mobile Network
https://t.co/pv7EUmYTa0?amp=1

3 fake apps found on Google Play Store. Their goal is to steal text messages and set itself as default SMS app. If you have them installed, uninstall them!

Pentesting Android applications by reversing and finding attack surfaces
https://blog.usejournal.com/an-intro-to-pentesting-an-android-phone-464ec4860f39

Did You Know These Mobile Fraud Examples?
https://www.linkedin.com/pulse/did-you-know-mobile-fraud-examples-ad-fraud-historian

DEF CON Quals 2019 : VERYANDROIDOSO
#Android #CTF #Writeup #Frida
https://eybisi.run/DEF-CON-Quals-2019-Veryandroidoso/

Four Main Mobile Payment Models and their security
https://2muchcoffee.com/blog/paying-with-your-mobile-phone-types-and-models/

“If you used more than one account on Twitter for iOS and opted into using the precise location feature in one account, we may have accidentally collected location data when you were using any other account(s) on that same device for which you had not turned on the precise location feature,” Twitter said
https://threatpost.com/twitter-leaked-ios-users-location/144687/

Android app "Ever - Capture Your Memories" with 1M+ installs.

What began in 2013 as another cloud storage app has pivoted toward a far more lucrative business known as Ever AI — without telling the app’s millions of users.
https://www.nbcnews.com/tech/security/millions-people-uploaded-photos-ever-app-then-company-used-them-n1003371

Update WhatsApp!

WhatsApp just fixed a vulnerability that allowed malicious actors to remotely install spyware on affected phones, and an unknown number reportedly did so with a commercial-grade snooping package usually sold to nation-states.
https://techcrunch.com/2019/05/13/whatsapp-exploit-let-attackers-install-government-grade-spyware-on-phones/

A Korean-speaking hacking group in operation since at least 2016 is expanding its arsenal of hacking tools to include a Bluetooth-device harvester in a move that signals the group’s growing interest in mobile devices.
https://arstechnica.com/information-technology/2019/05/korean-speaking-hackers-add-bluetooth-harvester-to-its-tool-arsenal/

Android & iOS app "Call India - IntCall" allows anyone to register any phone number without OTP verification

This means that anyone can make calls spoofing any phone number.

This concerns only users from #India 🇮🇳
The app hasn't been updated since 2014.
https://www.news18.com/amp/news/tech/this-android-calling-app-presents-a-huge-threat-but-is-still-guarded-by-a-high-rating-2140363.html?__twitter_impression=true