U.S. immigration cops just spent $1 Million on iPhone hacking equipment.

GrayKey, previously described as the world’s best iPhone hacking tech for police and intelligence agents, allowing them to break passcodes and retrieve information from inside Apple devices.
https://www.forbes.com/sites/thomasbrewster/2019/05/08/immigration-just-spent-a-record-1-million-on-the-worlds-most-advanced-iphone-hacking-tech/

The simple reality is there are so many 0-day exploits for iOS and the only reason why just a few attacks have been caught in the wild is that iOS phones by design hinder defenders to inspect the phones.

So, if someone says there is no malware on iOS - it's not true - because there is no simple way to prove there was malware.
https://www.vice.com/en_us/article/pajkkz/its-almost-impossible-to-tell-if-iphone-has-been-hacked

Google Play already scans apps for security issues!

In App Security Improvement program since 2015.
The program has helped more than 300,000 developers to fix more than 1,000,000 apps on Google Play. In 2018 alone, the program helped over 30,000 developers fix over 75,000 apps.
https://developer.android.com/google/play/asi

Under the order that will take effect in the coming days, Huawei will need a U.S. government license to buy American technology.
In August, Trump signed a bill that barred the U.S. government itself from using equipment from Huawei and ZTE.
https://www.reuters.com/article/us-usa-china-huaweitech/chinas-huawei-70-affiliates-placed-on-u-s-trade-blacklist-idUSKCN1SL2W4

Account takeover prevention

We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.
https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html?m=1

Analysis of UC Browser bug that could run unverified code.

Vulnerability in UC Browser could distribute and launch malicious libraries. These libraries will work in the context of the browser, resulting in full system privileges that the browser has.
https://m.habr.com/en/company/drweb/blog/452076/

Google has stopped providing Huawei with hardware and software products.
In other words, while Huawei can still use Android itself, most proprietary services will be inaccessible — including the Google Play Store, Gmail, and presumably anything else that requires the closed-source Play Services Framework.
https://www.androidpolice.com/2019/05/19/huaweis-future-phones-reportedly-wont-have-access-to-google-services-including-the-play-store/

This means that Huawei loses Android updates and all their users access to Google Play Store.

Over 19 Android vulnerability reports in one place
https://twitter.com/fs0c131y/status/1129680329994907648

Asacube source code - Android banking Botnet - is available for free with video tutorial how to use it.

Back-end can build custom malicious APKs + generate landing page without any coding skill required.

Based on tutorial, anyone can build custom Android banking Trojan within 30 minutes.

Existing Huawei users will not lose Google services such as Google Play and the security protections from Google Play Protect.

Aggressive adware with 5M+ installs. App also contains fake reviews.
Discovered by Nikolaos Chrisaidos.

VidMate - Chinese video app with 500M+ installs is charging people, draining their batteries, and exposing data without their knowledge.
https://www.buzzfeednews.com/article/craigsilverman/vidmate-app-download

Facebook Messenger Bug in Android

An attacker is able to send media messages on behalf of other users on Facebook Messenger
https://bugreader.com/kbazzoun@sending-message-on-behalf-of-other-users-72

Everyone should read this sad story.

Real victim of SIM swapping lost $100K from Coinbase within 24h.

This happened not because of malware, but as a result of sharing too much personal information on social media that end up in intelligence gathering for targeted attack.
https://t.co/Tu1ML9QGDi

SIM swapping attack scenario.
Don't use SMS 2 factor authentication but software key generator instead.

New release of Kali NetHunter 2019.2 (Kali for Android).

NetHunter now supports over 50 devices running all the latest Android versions, from KitKat through to Pie.
https://www.kali.org/news/kali-linux-2019-2-release/

Yesterday was released official version of Tor Browser for Android.

Info: https://www.zdnet.com/article/first-official-version-of-tor-browser-for-android-released-on-the-play-store/
Google Play: https://play.google.com/store/apps/details?id=org.torproject.torbrowser&rdid=org.torproject.torbrowser
For iOS Tor Project recommends: https://itunes.apple.com/us/app/onion-browser/id519296448

Objection - Runtime Mobile Exploration toolkit without need for a jailbroken or rooted mobile device.
Supports iOS & Android while powered by Frida.
https://github.com/sensepost/objection