Mobile cybersecurity channel Links: https://linktr.ee/mobilehacker Contact: mobilehackerofficial@gmail.com
PoC to take over an Android device from another Android device by exploiting a critical Bluetooth vulnerability to install Metasploit without proper Bluetooth pairing (CVE-2023-45866). It still affects Android 10 and below.
https://www.mobile-hacker.com/2024/01/23/exploiting-0-click-android-bluetooth-vulnerability-to-inject-keystrokes-without-pairing/
Mobile Banking Heists Report 2023: 29 Malware Families Targeting 1,800 Mobile Banking Apps
MavenGate: a supply chain attack method for Java and Android applications
https://blog.oversecured.com/Introducing-MavenGate-a-supply-chain-attack-method-for-Java-and-Android-applications/
XSS & Command Injection in Android — MobileHackingLab ‘Post Board’ Write-up
https://ajmal-moochingal.medium.com/xss-command-injection-in-android-mobilehackinglab-post-board-write-up-ae9497829615
Deobfuscating Android ARM64 strings with Ghidra: Emulating, Patching, and Automating
https://blog.nviso.eu/2024/01/15/deobfuscating-android-arm64-strings-with-ghidra-emulating-patching-and-automating/
GrapheneOS: Frequent Android auto-reboots block firmware exploits
https://www.bleepingcomputer.com/news/security/grapheneos-frequent-android-auto-reboots-block-firmware-exploits/
Android DeviceVersionFragment.java Privilege Escalation Exploit for Pixel Watch (CVE-2023-48418)
https://0day.today/exploit/description/39237
Portable Flipper Zero detector
Now you can detect any Flipper Zeros and BLE advertisement spam attacks in the vicinity using the Android Bluetooth LE Spam app
https://www.mobile-hacker.com/2024/01/09/how-to-detect-flipper-zero-and-bluetooth-advertisement-attacks/
A PoC for CVE-2023-32530 for iOS/macOS, from Operation Triangulation discovered by Kaspersky
- Tested on: iOS 16.3, 16.3.1, 16.4 and 16.5 (iPhone 14 Pro Max) and macOS 13.1 and 13.4 (MacBook Air M2 2022)
- Fixed in iOS 16.5.1 and macOS 13.4.1
https://github.com/felix-pb/kfd/blob/main/writeups/smith.md
Frida Android Helper: Several handy commands to facilitate common Android pentesting tasks
https://github.com/Hamz-a/frida-android-helper
Vooki - Free Android APK & API Vulnerability Scanner (Yaazhini)
https://www.vegabird.com/yaazhini/
Bypass SSL Pinning for Flutter
https://medium.com/@prasad508/bypass-ssl-pinning-for-flutter-a2f9ae85762e
Android Deep Links exploitation
https://z4ki.medium.com/android-deep-links-exploitation-4abade4d45b4
Flutter Spy: Explore, analyze, and gain valuable data & insights from reverse engineered Flutter apps.
https://github.com/anasfik/flutter-spy
Owning a company from its mobile app
https://ahmdhalabi.medium.com/the-art-of-chaining-vulnerabilities-e65382b7c627
Mobile malware analysis for the BBC of TeaBot (Anatsa) banking trojan impersonating PDF AI: Add-On app
https://www.pentestpartners.com/security-blog/mobile-malware-analysis-for-the-bbc/
Getting Started with iOS Penetration Testing — Part 1: The Setup
https://sahil-security-nerd07.medium.com/getting-started-with-ios-penetration-testing-part-1-the-setup-e322c73ab9a0
Bigpanzi botnet infects 170,000 Android TV boxes with malware
https://blog.xlab.qianxin.com/bigpanzi-exposed-hidden-cyber-threat-behind-your-stb/
A lightweight method to detect potential iOS malware
https://securelist.com/shutdown-log-lightweight-ios-malware-detection-method/111734/
Xiaomi HyperOS BootLoader Bypass
A PoC that exploits a vulnerability to bypass the Xiaomi HyperOS community restrictions of BootLoader unlocked account bindings
https://github.com/MlgmXyysd/Xiaomi-HyperOS-BootLoader-Bypass#xiaomi-hyperos-bootloader-bypass
Financial Fraud APK Campaign targeting Chinese users
https://unit42.paloaltonetworks.com/malicious-apks-steal-pii-from-chinese-users/
Analysis of iOS Info Stealer malware distributed via phishing website
https://medium.com/@icebre4ker/analysis-of-an-info-stealer-chapter-2-the-ios-app-0529e7b45405
MyEstatePoint Property Search app leaked data on nearly half a million of its users, exposing their names and plain-text passwords
https://cybernews.com/security/myestatepoint-property-search-app-data-leak/
Path traversal to RCE in Android — Mobile Hacking Lab ‘Document Viewer’ write-up
https://ajmal-moochingal.medium.com/path-traversal-to-rce-in-android-mobile-hacking-lab-document-viewer-write-up-ef9226aea1ac
Looking at an unfixed iOS vulnerability
https://joshua.hu/apple-ios-patched-unpatched-vulnerabilities
Frinet: Tracing the execution of a specific function in a userland process, on a Frida-compatible system (Tested on Linux/Android/iOS/Windows)
https://github.com/synacktiv/frinet
Exploring Info.plist: Essential Knowledge for iOS Reverse Engineering
https://youtu.be/KL899jMSD8w
Code and hardware for Tamarin-C, the iPhone 15 USB-C exploration tool
https://github.com/stacksmashing/tamarin-c
Operation Triangulation: The last (hardware) mystery
https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/
Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware
https://blog.talosintelligence.com/intellexa-and-cytrox-intel-agency-grade-spyware/