Under the order that will take effect in the coming days, Huawei will need a U.S. government license to buy American technology.
In August, Trump signed a bill that barred the U.S. government itself from using equipment from Huawei and ZTE.
https://www.reuters.com/article/us-usa-china-huaweitech/chinas-huawei-70-affiliates-placed-on-u-s-trade-blacklist-idUSKCN1SL2W4

Account takeover prevention

We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.
https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html?m=1

Analysis of UC Browser bug that could run unverified code.

Vulnerability in UC Browser could distribute and launch malicious libraries. These libraries will work in the context of the browser, resulting in full system privileges that the browser has.
https://m.habr.com/en/company/drweb/blog/452076/

Google has stopped providing Huawei with hardware and software products.
In other words, while Huawei can still use Android itself, most proprietary services will be inaccessible — including the Google Play Store, Gmail, and presumably anything else that requires the closed-source Play Services Framework.
https://www.androidpolice.com/2019/05/19/huaweis-future-phones-reportedly-wont-have-access-to-google-services-including-the-play-store/

This means that Huawei loses Android updates and all their users access to Google Play Store.

Over 19 Android vulnerability reports in one place
https://twitter.com/fs0c131y/status/1129680329994907648

Asacube source code - Android banking Botnet - is available for free with video tutorial how to use it.

Back-end can build custom malicious APKs + generate landing page without any coding skill required.

Based on tutorial, anyone can build custom Android banking Trojan within 30 minutes.

Existing Huawei users will not lose Google services such as Google Play and the security protections from Google Play Protect.

Aggressive adware with 5M+ installs. App also contains fake reviews.
Discovered by Nikolaos Chrisaidos.

VidMate - Chinese video app with 500M+ installs is charging people, draining their batteries, and exposing data without their knowledge.
https://www.buzzfeednews.com/article/craigsilverman/vidmate-app-download

Facebook Messenger Bug in Android

An attacker is able to send media messages on behalf of other users on Facebook Messenger
https://bugreader.com/kbazzoun@sending-message-on-behalf-of-other-users-72

Everyone should read this sad story.

Real victim of SIM swapping lost $100K from Coinbase within 24h.

This happened not because of malware, but as a result of sharing too much personal information on social media that end up in intelligence gathering for targeted attack.
https://t.co/Tu1ML9QGDi

SIM swapping attack scenario.
Don't use SMS 2 factor authentication but software key generator instead.

New release of Kali NetHunter 2019.2 (Kali for Android).

NetHunter now supports over 50 devices running all the latest Android versions, from KitKat through to Pie.
https://www.kali.org/news/kali-linux-2019-2-release/

Yesterday was released official version of Tor Browser for Android.

Info: https://www.zdnet.com/article/first-official-version-of-tor-browser-for-android-released-on-the-play-store/
Google Play: https://play.google.com/store/apps/details?id=org.torproject.torbrowser&rdid=org.torproject.torbrowser
For iOS Tor Project recommends: https://itunes.apple.com/us/app/onion-browser/id519296448

Objection - Runtime Mobile Exploration toolkit without need for a jailbroken or rooted mobile device.
Supports iOS & Android while powered by Frida.
https://github.com/sensepost/objection

Phishing "Trezor Mobile Wallet" app found on Google Play and pops as a second search result.

This fake Trezor is also connected to "Coin Wallet" service which was another cryptocurrency wallet on Google Play with over 1,000 installs using same source code and server.
https://www.welivesecurity.com/2019/05/23/fake-cryptocurrency-apps-google-play-bitcoin/

For more than a year, mobile browsers like Google Chrome, Firefox, and Safari failed to show any phishing warnings to users, according to a research paper published this week.
https://www.zdnet.com/article/mobile-chrome-safari-and-firefox-failed-to-show-phishing-warnings-for-more-than-a-year/

Rather use your charging adapter then USB charging stations.

“Let’s say I’m a bad guy. I go into an airport. I’m not going to easily take apart the charging station but it’s easy to just leave my cord behind. Now, if you see an Apple charging cord, you’re likely to grab it or just plug into it. But inside this cord is an extra chip that deploys the malware, so it charges your phone but now I own your computer.”
https://www.forbes.com/sites/suzannerowankelleher/2019/05/21/why-you-should-never-use-airport-usb-charging-stations/