Android app "Ever - Capture Your Memories" with 1M+ installs.

What began in 2013 as another cloud storage app has pivoted toward a far more lucrative business known as Ever AI — without telling the app’s millions of users.
https://www.nbcnews.com/tech/security/millions-people-uploaded-photos-ever-app-then-company-used-them-n1003371

Update WhatsApp!

WhatsApp just fixed a vulnerability that allowed malicious actors to remotely install spyware on affected phones, and an unknown number reportedly did so with a commercial-grade snooping package usually sold to nation-states.
https://techcrunch.com/2019/05/13/whatsapp-exploit-let-attackers-install-government-grade-spyware-on-phones/

A Korean-speaking hacking group in operation since at least 2016 is expanding its arsenal of hacking tools to include a Bluetooth-device harvester in a move that signals the group’s growing interest in mobile devices.
https://arstechnica.com/information-technology/2019/05/korean-speaking-hackers-add-bluetooth-harvester-to-its-tool-arsenal/

Android & iOS app "Call India - IntCall" allows anyone to register any phone number without OTP verification

This means that anyone can make calls spoofing any phone number.

This concerns only users from #India 🇮🇳
The app hasn't been updated since 2014.
https://www.news18.com/amp/news/tech/this-android-calling-app-presents-a-huge-threat-but-is-still-guarded-by-a-high-rating-2140363.html?__twitter_impression=true

[technical analysis of WhatsApp vulnerability]

Vulnerable RTCP module is called before the WhatsApp voice call is answered - 0 click RCE.
https://research.checkpoint.com/the-nso-whatsapp-vulnerability-this-is-how-it-happened/

U.S. immigration cops just spent $1 Million on iPhone hacking equipment.

GrayKey, previously described as the world’s best iPhone hacking tech for police and intelligence agents, allowing them to break passcodes and retrieve information from inside Apple devices.
https://www.forbes.com/sites/thomasbrewster/2019/05/08/immigration-just-spent-a-record-1-million-on-the-worlds-most-advanced-iphone-hacking-tech/

The simple reality is there are so many 0-day exploits for iOS and the only reason why just a few attacks have been caught in the wild is that iOS phones by design hinder defenders to inspect the phones.

So, if someone says there is no malware on iOS - it's not true - because there is no simple way to prove there was malware.
https://www.vice.com/en_us/article/pajkkz/its-almost-impossible-to-tell-if-iphone-has-been-hacked

Google Play already scans apps for security issues!

In App Security Improvement program since 2015.
The program has helped more than 300,000 developers to fix more than 1,000,000 apps on Google Play. In 2018 alone, the program helped over 30,000 developers fix over 75,000 apps.
https://developer.android.com/google/play/asi

Under the order that will take effect in the coming days, Huawei will need a U.S. government license to buy American technology.
In August, Trump signed a bill that barred the U.S. government itself from using equipment from Huawei and ZTE.
https://www.reuters.com/article/us-usa-china-huaweitech/chinas-huawei-70-affiliates-placed-on-u-s-trade-blacklist-idUSKCN1SL2W4

Account takeover prevention

We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.
https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html?m=1

Analysis of UC Browser bug that could run unverified code.

Vulnerability in UC Browser could distribute and launch malicious libraries. These libraries will work in the context of the browser, resulting in full system privileges that the browser has.
https://m.habr.com/en/company/drweb/blog/452076/

Google has stopped providing Huawei with hardware and software products.
In other words, while Huawei can still use Android itself, most proprietary services will be inaccessible — including the Google Play Store, Gmail, and presumably anything else that requires the closed-source Play Services Framework.
https://www.androidpolice.com/2019/05/19/huaweis-future-phones-reportedly-wont-have-access-to-google-services-including-the-play-store/

This means that Huawei loses Android updates and all their users access to Google Play Store.

Over 19 Android vulnerability reports in one place
https://twitter.com/fs0c131y/status/1129680329994907648

Asacube source code - Android banking Botnet - is available for free with video tutorial how to use it.

Back-end can build custom malicious APKs + generate landing page without any coding skill required.

Based on tutorial, anyone can build custom Android banking Trojan within 30 minutes.

Existing Huawei users will not lose Google services such as Google Play and the security protections from Google Play Protect.

Aggressive adware with 5M+ installs. App also contains fake reviews.
Discovered by Nikolaos Chrisaidos.

VidMate - Chinese video app with 500M+ installs is charging people, draining their batteries, and exposing data without their knowledge.
https://www.buzzfeednews.com/article/craigsilverman/vidmate-app-download

Facebook Messenger Bug in Android

An attacker is able to send media messages on behalf of other users on Facebook Messenger
https://bugreader.com/kbazzoun@sending-message-on-behalf-of-other-users-72