Android | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have uncovered new Android malware that can relay victims' contactless payment data from physical credit and debit cards to an attacker-controlled device with the goal of conducting fraudulent operations. The Slovak cybersecurity company is tracking the novel malware as NGate, stating it observed the crimeware campaign targeting three banks in Czechia. The malware "has the unique ability to relay data from victims' payment cards, via a malicious app installed on their Android devices, to the attacker's rooted Android phone," researchers Lukáš Štefanko and Jakub Osmani said in an analysis. The activity is part of a broader campaign that has been found to target financial institutions in Czechia since November 2023 using malicious progressive web apps (PWAs) and WebAPKs. The first recorded use of NGate was in March 2024. The end goal of the attacks is to clone near-field communication (NFC) data from victims' physical payment ca

A large percentage of Google's own Pixel devices shipped globally since September 2017 included dormant software that could be used to stage nefarious attacks and deliver various kinds of malware. The issue manifests in the form of a pre-installed Android app called "Showcase.apk" that comes with excessive system privileges, including the ability to remotely execute code and install arbitrary packages on the device, according to mobile security firm iVerify. "The application downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level," it said in an analysis published jointly with Palantir Technologies and Trail of Bits. "The application retrieves the configuration file from a single U.S.-based, AWS-hosted domain over unsecured HTTP, which leaves the configuration vulnerable and can make the device vulnerable." The app in question is called Verizon Retail Demo Mode ("com.customermob

Want to know what's the latest and greatest in SecOps for 2024? Gartner's recently released Hype Cycle for Security Operations report takes important steps to organize and mature the domain of Continuous Threat Exposure Management, aka CTEM. Three categories within this domain are included in this year's report: Threat Exposure Management, Exposure Assessment Platforms (EAP), and Adversarial Exposure Validation (AEV). These category definitions are aimed at providing some structure to the evolving landscape of exposure management technologies. Pentera, listed as a sample vendor in the newly defined AEV category, is playing a pivotal role in increasing the adoption of CTEM, with a focus on security validation. Following is our take on the CTEM related product categories and what they mean for enterprise security leaders. The Industry is Maturing CTEM, coined by Gartner in 2022, presents a structural approach for continuously assessing, prioritizing, validating, and remediating expo

Microsoft on Thursday disclosed four medium-severity security flaws in the open-source OpenVPN software that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE). "This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information," Vladimir Tokarev of the Microsoft Threat Intelligence Community said . That said, the exploit, presented by Black Hat USA 2024, requires user authentication and an advanced understanding of OpenVPN's inner workings. The flaws affect all versions of OpenVPN prior to version 2.6.10 and 2.5.10. The list of vulnerabilities is as follows - CVE-2024-27459 - A stack overflow vulnerability leading to a Denial-of-service (DoS) and LPE in Windows CVE-2024-24974 - Unauthorized access to the "\\openvpn\\service" named pipe in Windows, allowing an attacker to remotely inte

Cybersecurity researchers have lifted the lid on a new technique adopted by threat actors behind the Chameleon Android banking trojan targeting users in Canada by masquerading as a Customer Relationship Management (CRM) app. "Chameleon was seen masquerading as a CRM app, targeting a Canadian restaurant chain operating internationally," Dutch security outfit ThreatFabric said in a technical report published Monday. The campaign, spotted in July 2024, targeted customers in Canada and Europe, indicating an expansion of its victimology footprint from Australia, Italy, Poland, and the U.K. The use of CRM-related themes for the malicious dropper apps containing the malware points to the targets being customers in the hospitality sector and Business-to-Consumer (B2C) employees. The dropper artifacts are also designed to bypass Restricted Settings imposed by Google in Android 13 and later in order to prevent sideloaded apps from requesting for dangerous permissions (e.g., acc

Users in Russia have been the target of a previously undocumented Android post-compromise spyware called LianSpy since at least 2021. Cybersecurity vendor Kaspersky, which discovered the malware in March 2024, noted its use of Yandex Cloud, a Russian cloud service, for command-and-control (C2) communications as a way to avoid having a dedicated infrastructure and evade detection. "This threat is equipped to capture screencasts, exfiltrate user files, and harvest call logs and app lists," security researcher Dmitry Kalinin said in a new technical report published Monday. It's currently not clear how the spyware is distributed, but the Russian company said it's likely deployed through either an unknown security flaw or direct physical access to the target phone. The malware-laced apps are disguised as Alipay or an Android system service. LianSpy, once activated, determines if it's running as a system app to operate in the background using administrator privi

Google has addressed a high-severity security flaw impacting the Android kernel that it said has been actively exploited in the wild. The vulnerability, tracked as CVE-2024-36971, has been described as a case of remote code execution impacting the kernel. "There are indications that CVE-2024-36971 may be under limited, targeted exploitation," the tech giant noted in its monthly Android security bulletin for August 2024. As is typically the case, the company did not share any additional specifics on the nature of the cyber attacks exploiting the flaw or attribute the activity to a particular threat actor or group. Google's own Pixel line is also impacted by the bug, according to its Pixel update bulletin . That said, Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw, suggesting that it's likely being exploited by commercial spyware vendors to infiltrate Android devices in narrowly targeted attacks. The Augus

Cybersecurity researchers have discovered a new Android banking trojan called BlankBot targeting Turkish users with an aim to steal financial information. "BlankBot features a range of malicious capabilities, which include customer injections, keylogging, screen recording and it communicates with a control server over a WebSocket connection," Intel 471 said in an analysis published last week. Discovered on July 24, 2024, BlankBot is said to be undergoing active development, with the malware abusing Android's accessibility services permissions to obtain full control over the infected devices. The names of some of the malicious APK files containing BlankBot are listed below - app-release.apk (com.abcdefg.w568b) app-release.apk (com.abcdef.w568b) app-release-signed (14).apk (com.whatsapp.chma14) app.apk (com.whatsapp.chma14p) app.apk (com.whatsapp.w568bp) showcuu.apk (com.whatsapp.w568b) Like the recently resurfaced Mandrake Android trojan, BlankBot implement

A new malicious campaign has been observed making use of malicious Android apps to steal users' SMS messages since at least February 2022 as part of a large-scale campaign. The malicious apps, spanning over 107,000 unique samples, are designed to intercept one-time passwords (OTPs) used for online account verification to commit identity fraud. "Of those 107,000 malware samples, over 99,000 of these applications are/were unknown and unavailable in generally available repositories," mobile security firm Zimperium said in a report shared with The Hacker News. "This malware was monitoring one-time password messages across over 600 global brands, with some brands having user counts in the hundreds of millions of users." Victims of the campaign have been detected in 113 countries, with India and Russia topping the list, followed by Brazil, Mexico, the U.S., Ukraine, Spain, and Turkey. The starting point of the attack is the installation of a malicious app that

A new iteration of a sophisticated Android spyware called Mandrake has been discovered in five applications that were available for download from the Google Play Store and remained undetected for two years. The applications attracted a total of more than 32,000 installations before being pulled from the app storefront, Kaspersky said in a Monday write-up. A majority of the downloads originated from Canada, Germany, Italy, Mexico, Spain, Peru, and the U.K. "The new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment," researchers Tatyana Shishkova and Igor Golovin said . Mandrake was first documented by Romanian cybersecurity vendor Bitdefender in May 2020, describing its deliberate approach to infect a handful of devices

A zero-day security flaw in Telegram's mobile app for Android called EvilVideo made it possible for attackers to malicious files disguised as harmless-looking videos. The exploit appeared for sale for an unknown price in an underground forum on June 6, 2024, ESET said. Following responsible disclosure on June 26, the issue was addressed by Telegram in version 10.14.5 released on July 11. "Attackers could share malicious Android payloads via Telegram channels, groups, and chat, and make them appear as multimedia files," security researcher Lukáš Štefanko said in a report. It's believed that the payload is concocted using Telegram's application programming interface ( API ), which allows for programmatic uploads of multimedia files to chats and channels. In doing so, it enables an attacker to camouflage a malicious APK file as a 30-second video.  Users who click on the video are displayed an actual warning message stating the video cannot be played and urges t

A suspected pro-Houthi threat group targeted at least three humanitarian organizations in Yemen with Android spyware designed to harvest sensitive information. These attacks, attributed to an activity cluster codenamed OilAlpha , entail a new set of malicious mobile apps that come with their own supporting infrastructure, Recorded Future's Insikt Group said . Targets of the ongoing campaign include, CARE International, the Norwegian Refugee Council (NRC), and the Saudi Arabian King Salman Humanitarian Aid and Relief Centre. "The OilAlpha threat group is highly likely active and executing targeted activity against humanitarian and human rights organizations operating in Yemen, and potentially throughout the Middle East," the cybersecurity company said. OilAlpha was first documented in May 2023 in connection with an espionage campaign targeting development, humanitarian, media, and non-governmental organizations in the Arabian peninsula. These attacks leveraged What

Military personnel from Middle East countries are the target of an ongoing surveillanceware operation that delivers an Android data-gathering tool called GuardZoo . The campaign , believed to have commenced as early as October 2019, has been attributed to a Houthi-aligned threat actor based on the application lures, command-and-control (C2) server logs, targeting footprint, and the attack infrastructure location, according to Lookout. More than 450 victims have been impacted by the malicious activity, with targets located in Egypt, Oman, Qatar, Saudi Arabia, Turkey, the U.A.E., and Yemen. Telemetry data indicates that most of the infections have been recorded in Yemen. GuardZoo is a modified version of an Android remote access trojan (RAT) named Dendroid RAT that was first discovered by Broadcom-owned Symantec in March 2014. The entire source code associated with the crimeware solution was leaked later that August. Originally marketed as a commodity malware for a one-off price

The threat actor known as Transparent Tribe has continued to unleash malware-laced Android apps as part of a social engineering campaign to target individuals of interest. "These APKs continue the group's trend of embedding spyware into curated video browsing applications, with a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans," SentinelOne security researcher Alex Delamotte said in a new report shared with The Hacker News. The campaign, dubbed CapraTube, was first outlined by the cybersecurity company in September 2023, with the hacking crew employing weaponized Android apps impersonating legitimate apps like YouTube to deliver a spyware called CapraRAT, a modified version of AndroRAT with capabilities to capture a wide range of sensitive data. Transparent Tribe, suspected to be of Pakistan origin, has leveraged CapraRAT for over two years in attacks targeting the Indian government and military personnel. The group has a history of lea

Multiple threat actors, including cyber espionage groups, are employing an open-source Android remote administration tool called Rafel RAT to meet their operational objectives by masquerading it as Instagram, WhatsApp, and various e-commerce and antivirus apps. "It provides malicious actors with a powerful toolkit for remote administration and control, enabling a range of malicious activities from data theft to device manipulation," Check Point said in an analysis published last week. It boasts a wide range of features, such as the ability to wipe SD cards, delete call logs, siphon notifications, and even act as ransomware. The use of Rafel RAT by DoNot Team (aka APT-C-35, Brainworm, and Origami Elephant) was previously highlighted by the Israeli cybersecurity company in cyber attacks that leveraged a design flaw in Foxit PDF Reader to trick users into downloading malicious payloads. The campaign, which took place in April 2024, is said to have utilized military-them

The Singapore Police Force (SPF) has announced the extradition of two men from Malaysia for their alleged involvement in a mobile malware campaign targeting citizens in the country since June 2023. The unnamed individuals, aged 26 and 47, engaged in scams that tricked unsuspecting users into downloading malicious apps onto their Android devices via phishing campaigns with the aim of stealing their personal data and banking credentials. The stolen information was subsequently used to initiate fraudulent transactions on the victims' banking accounts, resulting in financial losses. Following a seven-months-long investigation that was launched in November 2023 in partnership with the Hong Kong Police Force (HKPF) and the Royal Malaysia Police (RMP), the SPF said it found evidence linking the two men to a syndicate responsible for carrying out malware-enabled scams. "The two men [...] allegedly operated servers for the purposes of infecting victims' Android mobile phones w

Arm is warning of a security vulnerability impacting Mali GPU Kernel Driver that it said has been actively exploited in the wild. Tracked as CVE-2024-4610 , the use-after-free issue impacts the following products - Bifrost GPU Kernel Driver (all versions from r34p0 to r40p0) Valhall GPU Kernel Driver (all versions from r34p0 to r40p0) "A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory," the company said in an advisory last week. The vulnerability has been addressed in Bifrost and Valhall GPU Kernel Driver r41p0. It's worth noting that this version was released on November 24, 2022. The current version of the drivers is r49p0, which was shipped in April 2024. When reached for comment, Arm told The Hacker News that while it was addressed in 2022, it was provided additional information that reclassified the problem as a security vulnerability. "In 2022 Arm fixed a weakness in the r41p0 re

Brazilian banking institutions are the target of a new campaign that distributes a custom variant of the Windows-based AllaKore remote access trojan (RAT) called AllaSenha . The malware is "specifically aimed at stealing credentials that are required to access Brazilian bank accounts, [and] leverages Azure cloud as command-and-control (C2) infrastructure," French cybersecurity company HarfangLab said in a technical analysis. Targets of the campaign include banks such as Banco do Brasil, Bradesco, Banco Safra, Caixa Econômica Federal, Itaú Unibanco, Sicoob, and Sicredi. The initial access vector, though not definitively confirmed, points towards the use of malicious links in phishing messages. The starting point of the attack is a malicious Windows shortcut (LNK) file that masquerades as a PDF document ("NotaFiscal.pdf.lnk") hosted on a WebDAV server since at least March 2024. There is also evidence to suggest that the threat actors behind the activity previous