Semi-universal XSS found in iOS Firefox app
https://twitter.com/konarkmodi/status/1244714141421645826?s=20
Writeup: https://0x65.dev/blog/2020-03-30/cve-2019-17004-semi-universal-xss-affecting-firefox-for-ios.html

Covid19 Tracker Apps

List of mobile apps created by government or police to track citizens
https://fs0c131y.com/covid19-tracker-apps/

Detailed analysis of how Accessibility services are misused by Android malware

+ to complete, there is missing info that such malware can also read and steal 2FA codes from e.g. Google Authenticator (via @reyammer)
https://labs.f-secure.com/blog/how-are-we-doing-with-androids-overlay-attacks-in-2020
2FA: https://reyammer.io/blog/2020/03/17/no-flag-secure-does-not-protect-you-from-a11y-malware-and-google-couldnt-have-protected-2fa-tokens-that-easily/

Patched and malicious Zoom Android apps
https://labs.bitdefender.com/2020/03/infected-zoom-apps-for-android-target-work-from-home-users/

Exploiting CVE-2020-0041 - Part 1: Escaping the Chrome Sandbox
https://labs.bluefrostsecurity.de/blog/2020/03/31/cve-2020-0041-part-1-sandbox-escape/

Protecting Android App against Reverse Engineering and Tampering
https://medium.com/avi-parshan-studios/protecting-your-android-app-against-reverse-engineering-and-tampering-a727768b2e9e

Gained unauthorized Camera access on iOS and macOS

Technical walkthrough of discovered several zero-day bugs in Safari during hunt to hack the iOS/MacOS camera
https://www.ryanpickren.com/webcam-hacking

Automatic Uncovering of Hidden Behaviors From Input Validation in Mobile Apps
https://panda.moyix.net/~moyix/papers/inputscope_oakland20.pdf

Android Webview Exploited
http://www.nuckingfoob.me/android-webview-csp-iframe-sandbox-bypass/index.html

Bypassing Xamarin Certificate Pinning on Android

https://www.gosecure.net/blog/2020/04/06/bypassing-xamarin-certificate-pinning-on-android/

Unkillable xHelper and a Trojan matryoshka
https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/

Subnoscription scam apps found on iOS App Store

These apps charge subnoscription rates around $30 per month after a 3 or 7-day trial period
https://news.sophos.com/en-us/2020/04/08/iphone-fleeceware/

Apple and Google came up with own solution to covid19 contact tracing

-without GPS
-only Bluetooth LE
-in May will release APIs
-user consent is necessity
-should be more secure than country's government own app solution
https://blog.google/inside-google/company-announcements/apple-and-google-partner-covid-19-contact-tracing-technology/

Intercept SSL traffic to perform penetration testing on Android apps using Charles Debug Proxy (Android 7-9)
https://medium.com/@Mayank.Grover/intercept-ssl-traffic-to-perform-penetration-testing-on-android-apps-using-charles-debug-proxy-59211859d22f

Vulnerability Analysis of Android SuperVPN app that allows attacker to exchange VPN gateway
https://youtu.be/ofTts7jlC2Y

OSINT Investigation: Android Cerberus Trojan and the INPS related to COVID19 campaign
https://bushidotoken.blogspot.com/2020/04/osint-investigation-cerberus-and-inps.html

Virtual machine host for iOS
It allows to run Windows, Android, and more on your iPhone and iPad 
https://getutm.app

Firefox for Android fixed 2 vulnerabilities:

-overwriting preference could lead to arbitrary code execution CVE-2020-6828
-URI spoofing CVE-2020-6827
https://www.mozilla.org/en-US/security/advisories/mfsa2020-13/

TikTok Vulnerability Enables Hackers to Show Users Fake Videos
https://www.mysk.blog/2020/04/13/tiktok-vulnerability-enables-hackers-to-show-users-fake-videos/

Nice bug chaining found in Xiaomi Mi9 to achieve RCE

Visit attacker website ->...-> download & launch APK

CVE-2020-9530: A redirect vulnerability in a privileged WebView
CVE-2020-9531: XSS in locally stored web pages loaded into a privileged WebView
https://labs.f-secure.com/advisories/xiaomi-mi9/

Project Spy - Android and iOS Spyware
https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/