Old vulnerabilities are still present in Android apps such as Yahoo Browser, Facebook, Instagram and WeChat
https://research.checkpoint.com/2019/long-known-vulnerabilities-in-high-profile-android-applications/
https://research.checkpoint.com/2019/long-known-vulnerabilities-in-high-profile-android-applications/
Check Point Research
Long-known Vulnerabilities in High-Profile Android Applications - Check Point Research
Research by: Slava Makkaveev Introduction Most mobile users understandably worry about known vulnerabilities in the core operating system of their devices, which can give an attacker complete control over their mobile phones, and about zero-day vulnerabilities…
Smartphone maker OnePlus discloses data breach
> says hackers accessed some OnePlus customer data through a vulnerability in its website
> hack happened last week
> OnePlus says it's opening a bug bounty program next month
Via @campuscodi
https://www.zdnet.com/google-amp/article/smartphone-maker-oneplus-discloses-data-breach/
> says hackers accessed some OnePlus customer data through a vulnerability in its website
> hack happened last week
> OnePlus says it's opening a bug bounty program next month
Via @campuscodi
https://www.zdnet.com/google-amp/article/smartphone-maker-oneplus-discloses-data-breach/
ZDNet
Smartphone maker OnePlus discloses data breach
Hackers accessed some OnePlus customer data through a vulnerability in the vendor's website.
The Analyst’s Guide to MiTM Issues in Mobile Apps
1 in 5 Android apps use HTTP
1 in 7 iOS apps use HTTP
https://www.nowsecure.com/blog/2019/11/20/the-analysts-guide-to-mitm-issues-in-mobile-apps/
1 in 5 Android apps use HTTP
1 in 7 iOS apps use HTTP
https://www.nowsecure.com/blog/2019/11/20/the-analysts-guide-to-mitm-issues-in-mobile-apps/
Nowsecure
The Analyst’s Guide to MiTM Issues in Mobile Apps - NowSecure
Everything you need to know about mobile man-in-the-middle (MiTM) attacks including the development and security issues, tips for testing, and layers of network defense.
Analysis of Tushu SDK present in some HiddenAds Trojans
https://www.whiteops.com/blog/twoshu-electric-boogaloo
https://www.whiteops.com/blog/twoshu-electric-boogaloo
HUMAN
Twoshu, Electric Boogaloo
White Ops' Threat Intelligence team discovered that fraudsters we've caught before are at it again.
👍1
XSS spoofing vulnerability found in Microsoft's Outlook for Android | CVE-2019-1460
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1460
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1460
HackerOne is looking for Mobile Security Engineer
//I would never thought I would post job offere in here, but this might help someone to move further in Mobile infosec field
https://jobs.lever.co/hackerone/316d0fbd-cf24-41be-a3e2-5180f62f3658
//I would never thought I would post job offere in here, but this might help someone to move further in Mobile infosec field
https://jobs.lever.co/hackerone/316d0fbd-cf24-41be-a3e2-5180f62f3658
Frida/QBDI Android API Fuzzer
Experimetal fuzzer is meant to be used for API in-memory fuzzing on Android.
https://github.com/andreafioraldi/frida-qbdi-fuzzer
Experimetal fuzzer is meant to be used for API in-memory fuzzing on Android.
https://github.com/andreafioraldi/frida-qbdi-fuzzer
GitHub
GitHub - andreafioraldi/frida-fuzzer: This experimetal fuzzer is meant to be used for API in-memory fuzzing.
This experimetal fuzzer is meant to be used for API in-memory fuzzing. - andreafioraldi/frida-fuzzer
Patched GIF Processing Vulnerability CVE-2019-11932 Still Afflicts Multiple Mobile Apps
https://blog.trendmicro.com/trendlabs-security-intelligence/patched-gif-processing-vulnerability-cve-2019-11932-still-afflicts-multiple-mobile-apps/
https://blog.trendmicro.com/trendlabs-security-intelligence/patched-gif-processing-vulnerability-cve-2019-11932-still-afflicts-multiple-mobile-apps/
Trend Micro
Patched GIF Processing Vuln Still Affects Mobile Apps
CVE-2019-11932 - a vulnerability in WhatsApp for Android - allows remote code execution via specially crafted GIF files. Patches were released, but the problem in the android-gif-drawable package is continuously used by apps in older versions.
Compromise of Xiaomi Mi6 over WiFi to achieve RCE
Bug chaining:
MITM -> JavaScript Bridge (downloadAndInstallApk()) -> Contact Provider vulnerability (auto-start APK) -> RCE
https://labs.f-secure.com/advisories/xiaomi-wifi/
Bug chaining:
MITM -> JavaScript Bridge (downloadAndInstallApk()) -> Contact Provider vulnerability (auto-start APK) -> RCE
https://labs.f-secure.com/advisories/xiaomi-wifi/
Malicious Android SDKs - oneAudience and MobiBurn - accessed personal data, such as email addresses and user names.
These SDKs were embedded in Twitter and Facebook Android apps
https://help.twitter.com/en/sdk-issue
These SDKs were embedded in Twitter and Facebook Android apps
https://help.twitter.com/en/sdk-issue
X
Keeping your account safe from malicious activity
Analysis of Tencent Legu: a packer for Android applications
https://blog.quarkslab.com/a-glimpse-into-tencents-legu-packer.html
unpacking noscripts: https://github.com/quarkslab/legu_unpacker_2019
https://blog.quarkslab.com/a-glimpse-into-tencents-legu-packer.html
unpacking noscripts: https://github.com/quarkslab/legu_unpacker_2019
Quarkslab
A Glimpse Into Tencent's Legu Packer - Quarkslab's blog
Analysis of Tencent Legu: a packer for Android applications.
CVE-2019-11932 (double free in libpl_droidsonroids_gif) many apps vulnerable
https://seclists.org/fulldisclosure/2019/Nov/27
https://seclists.org/fulldisclosure/2019/Nov/27
seclists.org
Full Disclosure: CVE-2019-11932 (double free in libpl_droidsonroids_gif) many
apps vulnerable
apps vulnerable
NetHunter Kex – Full Kali Desktop on Android phones
NetHunter Kex allows you to attach your Android device to an HDMI output along with Bluetooth keyboard and mouse and get a full, no compromise, Kali desktop from your phone.
https://www.kali.org/news/kali-linux-2019-4-release/
NetHunter Kex allows you to attach your Android device to an HDMI output along with Bluetooth keyboard and mouse and get a full, no compromise, Kali desktop from your phone.
https://www.kali.org/news/kali-linux-2019-4-release/
Kali Linux
Kali Linux 2019.4 Release (Xfce, Gnome, GTK3, Kali-Undercover, Kali-Docs, KeX, PowerShell & Public Packaging) | Kali Linux Blog
Time to grab yourself a drink, this will take a while!
We are incredibly excited to announce our fourth and final release of 2019, Kali Linux 2019.4, which is available immediately for download.
2019.4 includes some exciting new updates:…
We are incredibly excited to announce our fourth and final release of 2019, Kali Linux 2019.4, which is available immediately for download.
2019.4 includes some exciting new updates:…
Building & Hacking modern iOS apps
https://www.slideshare.net/mobile/wojdwo/buildinghacking-modern-ios-apps
https://www.slideshare.net/mobile/wojdwo/buildinghacking-modern-ios-apps
www.slideshare.net
Building&Hacking modern iOS apps
After my successful presentation "Testing iOS Apps without Jailbreak in 2018" it's time to change the side. This talk will cover the most important milestones …
Mobile threat statistics in Q3 2019 by Kaspersky
▪️870,617 detected all malicious installs
▪️Hiddenapp is one of the most prevalent Android malware family
▪️13,129 detected mobile banking Trojans
▪️13,179 detected mobile ransomware
https://securelist.com/it-threat-evolution-q3-2019-statistics/95269/
▪️870,617 detected all malicious installs
▪️Hiddenapp is one of the most prevalent Android malware family
▪️13,129 detected mobile banking Trojans
▪️13,179 detected mobile ransomware
https://securelist.com/it-threat-evolution-q3-2019-statistics/95269/
Securelist
IT threat evolution Q3 2019. Statistics
Kaspersky solutions blocked 989,432,403 attacks launched from online resources in 203 countries across the globe.
Checkm8, Checkra1n and the new "golden age" for iOS Forensics
http://blog.digital-forensics.it/2019/11/checkm8-checkra1n-and-new-golden-age.html
http://blog.digital-forensics.it/2019/11/checkm8-checkra1n-and-new-golden-age.html
blog.digital-forensics.it
Checkm8, Checkra1n and the new "golden age" for iOS Forensics
DFIR research
Database with millions of SMS text messages has been found online
The database was left unprotected on the internet without a password, none of the data was encrypted and anyone could look inside. #TrueDialog
https://www.vpnmentor.com/blog/report-truedialog-leak/
The database was left unprotected on the internet without a password, none of the data was encrypted and anyone could look inside. #TrueDialog
https://www.vpnmentor.com/blog/report-truedialog-leak/
vpnMentor
Report: Millions of Americans at Risk After Huge Data and SMS Leak
Introduction
Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a breached database belonging to the American communications company, TrueDialog.
TrueDialog
Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a breached database belonging to the American communications company, TrueDialog.
TrueDialog
Session Expiration Bypass in Facebook Creator App
https://link.medium.com/bzpIZQ2z41
https://link.medium.com/bzpIZQ2z41
Medium
Session Expiration Bypass in Facebook Creator App
Hello everybody,
Mobile Cyberespionage Campaign Distributed Through #CallerSpy as a Targeted Attack
https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-distributed-through-callerspy-mounts-initial-phase-of-a-targeted-attack/
https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-distributed-through-callerspy-mounts-initial-phase-of-a-targeted-attack/
Trend Micro
Mobile Campaign Start Targeted Attacks Using CallerSpy
We found a new spyware family hosted on a phishing website, and may initially be used for a targeted attack campaign. We first came across the threat in May via http://gooogle.press/ advertising a chat app called “Chatrious.”