New release of Kali NetHunter 2019.2 (Kali for Android).

NetHunter now supports over 50 devices running all the latest Android versions, from KitKat through to Pie.
https://www.kali.org/news/kali-linux-2019-2-release/

Yesterday was released official version of Tor Browser for Android.

Info: https://www.zdnet.com/article/first-official-version-of-tor-browser-for-android-released-on-the-play-store/
Google Play: https://play.google.com/store/apps/details?id=org.torproject.torbrowser&rdid=org.torproject.torbrowser
For iOS Tor Project recommends: https://itunes.apple.com/us/app/onion-browser/id519296448

Objection - Runtime Mobile Exploration toolkit without need for a jailbroken or rooted mobile device.
Supports iOS & Android while powered by Frida.
https://github.com/sensepost/objection

Phishing "Trezor Mobile Wallet" app found on Google Play and pops as a second search result.

This fake Trezor is also connected to "Coin Wallet" service which was another cryptocurrency wallet on Google Play with over 1,000 installs using same source code and server.
https://www.welivesecurity.com/2019/05/23/fake-cryptocurrency-apps-google-play-bitcoin/

For more than a year, mobile browsers like Google Chrome, Firefox, and Safari failed to show any phishing warnings to users, according to a research paper published this week.
https://www.zdnet.com/article/mobile-chrome-safari-and-firefox-failed-to-show-phishing-warnings-for-more-than-a-year/

Rather use your charging adapter then USB charging stations.

“Let’s say I’m a bad guy. I go into an airport. I’m not going to easily take apart the charging station but it’s easy to just leave my cord behind. Now, if you see an Apple charging cord, you’re likely to grab it or just plug into it. But inside this cord is an extra chip that deploys the malware, so it charges your phone but now I own your computer.”
https://www.forbes.com/sites/suzannerowankelleher/2019/05/21/why-you-should-never-use-airport-usb-charging-stations/

The DuckDuckGo Privacy Browser application 5.26.0 for Android allows address bar spoofing via a setInterval call
https://www.inputzero.io/2019/05/duckduckgo-address-bar-spoofing.html

How to start with reverse engineering of ARM http://www.giovanni-rocca.com/i-want-to-be-an-arm-reverse-engineer/

Fake Antivirus app found on Google Play
https://blog.trustlook.com/security-app-rreview-lionmobi/

IOS Security - Web View XSS

https://www.allysonomalley.com/2019/05/31/seguridad-de-ios-web-view-xss/

Top Android malware threats - May 2019 http://skptr.me/malware_timeline_2019.html

Lookout has discovered 238 unique applications that include BeiTaPlugin adware with over 440 million installations on Google Play
https://blog.lookout.com/beitaplugin-adware

The idea of the new system is to turn Apple’s existing network of iPhones into a massive crowdsourced location tracking system. Every active iPhone will continuously monitor for BLE beacon messages that might be coming from a lost device. When it picks up one of these signals, the participating phone tags the data with its own current GPS location; then it sends the whole package up to Apple’s servers.
https://blog.cryptographyengineering.com/2019/06/05/how-does-apple-privately-find-your-offline-devices/amp/

Don't install these apps, they are still available on Google Play. These apps display unwanted after user unlocks device and hide from home menu.
These apps mostly impersonate Camera/Photo editor applications.
Source: https://twitter.com/LukasStefanko/status/1136568939239137280?s=19

Talk about 10 different Android malware families discovered on Google Play + analysis on Anubis Banking Trojan
https://youtu.be/4oSuv-kXWJI

PHONES INFECTED WITH BACKDOOR TROJAN
Impacted models include the Doogee BL7000, the M-Horse Pure 1, the Keecoo P11, and the VKworld Mix Plus.
https://www.zdnet.com/article/germany-backdoor-found-in-four-smartphone-models-20000-users-infected/

Preinstalled backdoor - Triada - found in Android devices.

Triada infects device system images through a third-party during the production process. Sometimes OEMs want to include features that aren’t part of the Android Open Source Project, such as face unlock. The OEM might partner with a third-party that can develop the desired feature and send the whole system image to that vendor for development.
https://security.googleblog.com/2019/06/pha-family-highlights-triada.html

“Digging Android Applications — Part 1 — Drozer + Burp” by Yasho https://link.medium.com/gVswDFdKlX

Anubis Android Bank Trojan technical analysis and recent activities summary (Chinese)
https://ti.qianxin.com/blog/articles/anubis-android-bank-trojan-technical-analysis-and-recent-activities-summary/