Detect static and dynamic tampering of native code
https://darvincitech.wordpress.com/2020/03/01/yet-another-tamper-detection-in-android/
Darvin's Blog
Yet Another Tamper Detection in Android
Android apps are signed by developer private key before uploading to the play store. Every private key has an associated public certificate that devices and services use to verify that the app is f…
Roaming Mantis, part V
SMiShing and enhanced anti-researcher techniques
https://securelist.com/roaming-mantis-part-v/96250/
Securelist
Roaming Mantis, part V
Kaspersky has continued to track the Roaming Mantis campaign. The group’s attack methods have improved and new targets continuously added in order to steal more funds.
Bug in Walgreens mobile app (pharmacy app) leaked users' personal data
The app has over 10M installs on Google Play
https://www.zdnet.com/article/walgreens-says-mobile-app-leaked-users-personal-data/
ZDNet
Walgreens says mobile app leaked users' personal data
US pharmacy store says mobile app exposed names, prescription details, and shipping addresses.
Android Malware Threats - February, 2020
http://skptr.me/malware_timeline_2020.html
samples: https://github.com/sk3ptre/AndroidMalware_2020
GitHub
GitHub - sk3ptre/AndroidMalware_2020: Popular Android malware seen in 2020
Temporary root vulnerability affecting millions of devices with MediaTek chipsets - CVE-2020-0069
Exploit has been available on XDA-Developers forums since April 2019.
The vulnerability is actively being exploited in the wild.
https://www.xda-developers.com/mediatek-su-rootkit-exploit/
XDA Developers
Critical MediaTek rootkit affecting millions of Android devices has been out in the open for months
A critical flaw in MediaTek processors went unpatched in devices due to OEM neglect. Google hopes the March 2020 Android Security Bulletin will fix this.
Google Authenticator for Android Allows Screen Capture (FLAG_SECURE)
https://wwws.nightwatchcybersecurity.com/2020/03/03/google-authenticator-for-android-allows-screen-capture/
Nightwatch Cybersecurity
Google Authenticator for Android Allows Screen Capture
Google offers an application for Android called “Google Authenticator” which is used to setup two-factor authentication (2FA). This application is used to generate standard OTP codes us…
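What the fix looks like in an OTP app, as an added example (this is not Google Authenticator's code): the Activity that displays the code sets FLAG_SECURE on its window before anything is drawn, and the same flag is set on any dialog window that shows secret material, since the flag is per window rather than per app. The OTP value and seed URI below are constructed placeholders.

```java
import android.app.Activity;
import android.app.Dialog;
import android.os.Bundle;
import android.view.WindowManager;
import android.widget.TextView;

// Added example, not code from Google Authenticator.
public class OtpActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Set before content is drawn. A FLAG_SECURE window is rendered black in
        // screenshots, in MediaProjection (screen recording) captures and in the
        // Recents task-switcher thumbnail.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);

        TextView otp = new TextView(this);
        otp.setText("123 456"); // constructed placeholder; a real app renders the TOTP here
        setContentView(otp);
    }

    // A Dialog has its own Window, so the Activity's flag does not cover it. Secrets
    // shown in a dialog (for example the enrollment seed or QR code) need the flag too.
    Dialog showSeedDialog(String seedUri) {
        Dialog dialog = new Dialog(this);
        dialog.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
        TextView seed = new TextView(this);
        seed.setText(seedUri); // constructed placeholder, e.g. an otpauth:// URI
        dialog.setContentView(seed);
        dialog.show();
        return dialog;
    }
}
```

FLAG_SECURE closes the capture path used by screenshot and screen-recording malware on an unrooted device. It does not stop a root-level attacker reading the framebuffer, and it does not prevent an accessibility service from reading the text of the view hierarchy, so it complements rather than replaces the other controls in this feed.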
How to Jailbreak iPhone with rooted Android (checkra1n)
https://www.xda-developers.com/jailbreak-apple-iphone-using-checkra1n-rooted-android-phone/
XDA
Your rooted Android phone can jailbreak an iPhone with checkra1n
You can now jailbreak several popular iPhones using your rooted Android smartphone, thanks to checkra1n and its recent Linux support. Check it out!
Android app - CM Browser - records users' web browsing and sends it to a server
The app has now been removed from the Google Play store
https://www.forbes.com/sites/thomasbrewster/2020/03/03/warning-an-android-security-app-with-1-billion-downloads-is-recording-users-web-browsing/#27797cf62149
Forbes
Warning: An Android Security App With 1 Billion Downloads Is Recording Users’ Web Browsing
China’s Cheetah Mobile says it needs to monitor users of its wildly popular Android apps. Security experts disagree, and Google has stuck by its ban on Cheetah software.
Project Sandcastle: Android for the iPhone
https://projectsandcastle.org/
Project Sandcastle
IT’S ANDROID. FOR THE IPHONE.
McAfee Mobile Threat Report - Q1 2020
https://www.mcafee.com/content/dam/consumer/en-us/docs/2020-Mobile-Threat-Report.pdf
Detailed analysis of Android banking trojan Geost
https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-geost-exposing-the-anatomy-of-the-android-trojan-targeting-russian-banks/
Trend Micro
Geost: Anatomy of the Android Trojan Targeting Russia
We dug deeper into the behavior of Geost, a trojan targeting Russian banks, by reverse engineering a sample of the malware. It has several layers of obfuscation, encryption, and reflection that made it more difficult to reverse engineer.
Android malware mimics click farms - fake review business
This Trojan misuses Accessibility to perform:
- Download Apps from Google Play or APK Pure
- Deactivate Google Play Protect
- Create Fake Accounts with OAuth
- Post fake reviews on Google Play
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-leifaccess-a-is-the-silent-fake-reviewer-trojan/
McAfee Blog
Android/LeifAccess.A is the Silent Fake Reviewer Trojan | McAfee Blog
The McAfee Mobile Research team has identified an Android malware family dubbed Android/LeifAccess.A that has been active since May 2019. This trojan was
Iran built a COVID-19 detection app that it urged citizens to install on their devices
https://www.zdnet.com/article/spying-concerns-raised-over-irans-official-covid-19-detection-app/
ZDNET
Spying concerns raised over Iran's official COVID-19 detection app
Google removes Iran's official COVID-19 detection app from the Play Store.
Here's how well 17 Android Security Apps Provide Protection
https://www.av-test.org/en/news/here-s-how-well-17-android-security-apps-provide-protection/
www.av-test.org
Here's how well 17 Android Security Apps Provide Protection
Google ensures that each app in the Play Store and on smartphones is checked for Trojans and other kinds of malware. The current test shows that Android users are much safer with security apps than if they rely on Google. Here are the facts.
Analysis of Latest Android Binder vulnerability (CVE-2020-0041)
Blogpost: https://www.synacktiv.com/posts/exploit/binder-analysis-and-exploitation-of-cve-2020-0041.html
Slides: https://www.synacktiv.com/ressources/thcon2020_binder.pdf
Play fuzzing machine – hunting iOS/macOS kernel vulnerabilities automatically and smartly
https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-play-fuzzing-machine-hunting-iosmacos-kernel-vulnerabilities-automatically-and-smartly/
Virusbulletin
Virus Bulletin :: VB2019 paper: Play fuzzing machine – hunting iOS/macOS kernel vulnerabilities automatically and smartly
Since iOS 10, Apple has released the unpacked/decrypted kernel cache (*.ipsw), but the system source code, in particular the kernel and driver part, remains closed-source. What is more, symbol info in the binary (kernel cache) has been greatly removed, which…
Hardware key attestation in SafetyNet threatens Magisk (Android rooting tool)
Android SafetyNet will enforce key attestation to verify device status
Info: https://twitter.com/topjohnwu/status/1237656703929180160
Q&A: https://twitter.com/topjohnwu/status/1237830555523149824
Twitter
John Wu
So here we go, after years of fun messing around using Magisk, it seems that Google FINALLY decided to "fix" SafetyNet to something useful, and that is to use key attestation to verify device status (after 3 years since introduced to Android's platform!)
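The device half of the mechanism the tweet refers to, as an added example (this is not Google's SafetyNet code or anything from Magisk): the app generates a key in the Android Keystore with a server-supplied challenge and ships the resulting certificate chain back to the server. The attestation extension in the leaf certificate is produced and signed inside the TEE or StrongBox, which is why user-space root hiding cannot forge the boot state it reports. The alias and challenge are caller-supplied assumptions.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added example, not Google's or Magisk's code.
public final class KeyAttestationClient {

    // OID of the Android key attestation extension carried in the leaf certificate.
    public static final String ATTESTATION_EXT_OID = "1.3.6.1.4.1.11129.2.1.17";

    private KeyAttestationClient() {}

    // Returns the DER-encoded certificate chain (leaf first) for the server to verify.
    public static List<byte[]> attest(String alias, byte[] serverChallenge) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                // The challenge is embedded in the attestation extension, so a chain
                // replayed from another session will not match what the server sent.
                .setAttestationChallenge(serverChallenge)
                .build());
        kpg.generateKeyPair();

        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length < 2) {
            throw new IllegalStateException("no attestation certificate chain");
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        if (leaf.getExtensionValue(ATTESTATION_EXT_OID) == null) {
            // Cheapest rejection only; the server still decides whether the chain is trusted.
            throw new IllegalStateException("leaf certificate carries no attestation extension");
        }

        List<byte[]> encoded = new ArrayList<>();
        for (Certificate c : chain) {
            encoded.add(c.getEncoded());
        }
        return encoded;
    }
}
```

Nothing on the device is trusted as-is: the server validates the chain up to Google's hardware attestation root, checks that the challenge in the extension equals the one it issued, requires a TrustedEnvironment or StrongBox security level rather than Software, and only then reads the RootOfTrust fields (verifiedBootState, deviceLocked) that tell it whether the bootloader is unlocked or the boot image modified. A device with a patched boot image therefore fails regardless of what Magisk hides from the SafetyNet client in user space.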
Cookiethief: a cookie-stealing Trojan for Android
https://securelist.com/cookiethief/96332/
Securelist
Cookiethief: a cookie-stealing Trojan for Android
Trojan-Spy.AndroidOS.Cookiethief turned out to be quite simple. Its main task was to acquire root rights on the victim device, and transfer cookies used by the browser and Facebook app to the cybercriminals’ server.
Android "coronavirus" malware tracker 📱🦠
https://lukasstefanko.com/2020/03/android-coronavirus-malware.html
Android MonitorMinor stalkerware
When Accessibility services become stalkerware services
https://securelist.com/monitorminor-vicious-stalkerware/95575/
Securelist
MonitorMinor: vicious stalkerware?
The other day, our Android traps ensnared an interesting specimen of software that can be used for stalking. On closer inspection, we found that this app outstrips all existing software of its class in terms of functionality.
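Both LeifAccess (the fake-review trojan above) and MonitorMinor get their power from an enabled accessibility service, so a defensive app can at least enumerate what is enabled. The following is an added example, not code from the McAfee or Kaspersky write-ups: it lists third-party accessibility services that can read window content or inject gestures. Finding is a hypothetical result type introduced for the example.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.ResolveInfo;
import android.content.pm.ServiceInfo;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.List;

// Added example, not code from either analysis. Requires API 24+ for the gesture capability flag.
public final class AccessibilityAudit {

    public static final class Finding {
        public final String component;
        public final boolean readsContent;
        public final boolean performsGestures;

        Finding(String component, boolean readsContent, boolean performsGestures) {
            this.component = component;
            this.readsContent = readsContent;
            this.performsGestures = performsGestures;
        }

        @Override
        public String toString() {
            return component + " [readsContent=" + readsContent
                    + ", performsGestures=" + performsGestures + "]";
        }
    }

    private AccessibilityAudit() {}

    public static List<Finding> suspiciousServices(Context ctx) {
        List<Finding> findings = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return findings;

        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            ResolveInfo ri = info.getResolveInfo();
            if (ri == null || ri.serviceInfo == null) continue;
            ServiceInfo svc = ri.serviceInfo;

            // Services shipped in the system image are skipped; a sideloaded APK with
            // these capabilities is what the two trojans above look like to the system.
            boolean isSystem = (svc.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            if (isSystem) continue;

            int caps = info.getCapabilities();
            boolean readsContent =
                    (caps & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
            boolean performsGestures =
                    (caps & AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0;
            if (readsContent || performsGestures) {
                findings.add(new Finding(svc.packageName + "/" + svc.name,
                        readsContent, performsGestures));
            }
        }
        return findings;
    }
}
```

Treat the result as a signal, not a gate: a service that can read screen content and perform gestures can also dismiss whatever warning the app shows, which is exactly how LeifAccess disables Play Protect and how MonitorMinor harvests input. The useful response is to refuse high-value actions (for example a transfer in a banking app) while such a service is enabled and to tell the user which component to disable in Settings.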
Commercial surveillance tools exploit COVID-19 to spread (MobiHok, SpyNote, SpyMax)
Source: https://blog.lookout.com/commercial-surveillanceware-operators-latest-to-take-advantage-of-covid-19
Lookout
Commercial Surveillanceware Operators Exploit COVID-19 | Threat Intel
Are cybercriminals and scammers taking advantage of increased communication around COVID-19? Discovery shows new surveillanceware exploits the pandemic.