Mobile cybersecurity channel Links: https://linktr.ee/mobilehacker Contact: mobilehackerofficial@gmail.com
[BlackHat Asia 2024] Analysing a NSO iOS Spyware Sample
https://www.blackhat.com/asia-24/briefings/schedule/?s=03#you-shall-not-pass---analysing-a-nso-ios-spyware-sample-37980
[slides] https://i.blackhat.com/Asia-24/Asia-24-Frielingsdorf-YouShallNotPassAnalysing.pdf
Element Android CVE-2024-26131, CVE-2024-26132 - Never Take Intents From Strangers
https://www.shielder.com/blog/2024/04/element-android-cve-2024-26131-cve-2024-26132-never-take-intents-from-strangers/
SoumniBot: the new Android banker’s unique techniques
https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112334/
ANDROID SUPPLY CHAIN VALIDATION CHEAT SHEET
This cheat sheet is based on the work performed on Android TV devices (we documented our steps in the post Android TV Devices: Pre-0wned Supply Chain Security Threats)
https://eclypsium.com/blog/android-supply-chain-validation-cheat-sheet/
Threat actor "Starry Addax" targets human rights defenders in North Africa with new Android malware
https://blog.talosintelligence.com/starry-addax/
Hornet, a dating app with over 10 million installs, had vulnerabilities that allowed the precise location of its users to be determined, even with the distance display disabled
https://research.checkpoint.com/2024/the-illusion-of-privacy-geolocation-risks-in-modern-dating-apps/
Google fixed 2 Pixel vulnerabilities which are being actively exploited in the wild by forensic companies
CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking. Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory.
CVE-2024-29748 refers to a vulnerability providing the ability to interrupt a factory reset triggered by a device admin app. It appears they've implemented a partial solution in firmware.
https://discuss.grapheneos.org/d/11860-vulnerabilities-exploited-in-the-wild-fixed-based-on-grapheneos-reports
After almost 7 years, a new version of drozer compatible with Python 3 and modern Java has been released.
If you don't know it, drozer is a very popular security testing framework for Android (Content Provider, Activity, Service and Broadcast Receiver enumeration and interaction from an agent app on the device).
https://github.com/WithSecureLabs/drozer
A Year in Review of Zero-Days Exploited In-the-Wild in 2023
-In 2023, there were 97 zero-day vulnerabilities exploited, a significant rise of over 50% compared to 2022 (62 vulnerabilities)
-Espionage was the primary motive behind 48 out of 58 zero-day vulnerabilities analyzed
-Most of the zero-day vulnerabilities found last year were in phones, operating systems, and web browsers
https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Year_in_Review_of_ZeroDays.pdf
Address Sanitizer for Bare-metal Firmware
Porting KASan (Kernel Address Sanitizer) to bare-metal firmware led to early discovery of memory corruption issues that were easily remediated thanks to the actionable reports KASan produces. Sanitizer-enabled builds can also be used with fuzzers to detect edge-case bugs.
https://security.googleblog.com/2024/03/address-sanitizer-for-bare-metal.html
BlueDucky automates exploitation of Bluetooth pairing vulnerability that leads to 0-click code execution
▪️automatically scans for devices
▪️stores MAC addresses of devices that are no longer discoverable but still have Bluetooth enabled
▪️uses Rubber Ducky payloads
https://www.mobile-hacker.com/2024/03/26/blueducky-automates-exploitation-of-bluetooth-pairing-vulnerability-that-leads-to-0-click-code-execution/
Bluetooth vulnerability allows an unauthorized user to record and play audio on Bluetooth speakers via #BlueSpy
The Prevention section explains how you can check whether your Bluetooth LE speakers/headsets are vulnerable to this attack using the nRF Connect app
https://www.mobile-hacker.com/2024/03/22/bluetooth-vulnerability-allows-unauthorized-user-to-record-and-play-audio-on-bluetooth-speakers/
Android crimeware reports on Tambir, Dwphon and Gigabud malware families
https://securelist.com/crimeware-report-android-malware/112121/
The complexity of reversing Flutter applications
https://www.fortiguard.com/events/5403/nullcon-berlin-2024-the-complexity-of-reversing-flutter-applications
[slides] https://filestore.fortinet.com/fortiguard/research/nullcon.pdf
Exploiting a vulnerability (CVE-2023-6241) in the Arm Mali GPU driver to gain arbitrary kernel code execution from an untrusted app on a Pixel 8 with MTE (Memory Tagging Extension) enabled
https://github.blog/2024-03-18-gaining-kernel-code-execution-on-an-mte-enabled-pixel-8/
XAgent Spyware Targeting iOS Devices in Western Europe: Analysis of Capabilities
https://www.linkedin.com/pulse/xagent-spyware-targeting-ios-devices-western-europe-dmitry-bestuzhev-xunle
Breaking Custom Encryption Using Frida
https://labs.cognisys.group/posts/Breaking-Custom-Ecryption-Using-Frida-Mobile-Application-pentesting/
iOS LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India
https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india
Active Android espionage campaign targeting users mainly in India and Pakistan with apps bundled with the XploitSPY malware, mostly posing as messaging services; some of the apps were even available on the Google Play Store
https://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/
Bypassing anti-reversing defences in iOS applications
https://twelvesec.com/2023/10/10/bypassing-anti-reversing-defences-in-ios-applications/
How charging your phone can compromise your data: three types of juice jacking attack
https://www.mobile-hacker.com/2024/04/04/how-charging-your-phone-can-compromise-your-data-using-juice-jacking-attack/
Technical analysis of Android malware Vultur
https://research.nccgroup.com/2024/03/28/android-malware-vultur-expands-its-wingspan/
Demonstration of using BlueDucky to exploit the 0-click Bluetooth vulnerability (CVE-2023-45866) on an unpatched Android smartphone
The exploit was triggered first from a Raspberry Pi 4 and then from an Android device running NetHunter
https://youtu.be/GOGW7U1f2RA
Proxy malware was found in 28 apps available on the Google Play Store. These trojanized apps, which turn the device into a residential proxy node, had over 3,240,000 installs in total
https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-proxylib-and-lumiapps-transform-mobile-devices-into-proxy-nodes
Detecting Banker Malware Installed on Android Devices
https://itnext.io/detecting-banker-malware-installed-on-android-devices-4c96287138e2
SSRF in Mobile Security Framework (MobSF) version 3.9.5 Beta and prior (CVE-2024-29190)
MobSF does not perform any input validation when extracting the hostnames in android:host, so requests can also be sent to local hostnames. This can lead to server-side request forgery (SSRF): an attacker who submits a crafted APK can cause the analysis server to make a connection to internal-only services within the organization's infrastructure.
https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wfgj-wrgh-h3r3
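To make the bug class concrete, here is an added example (my own code, not MobSF's): it extracts android:host values from a manifest the way an App Links checker would, shows the unvalidated URL list next to a hardened version that refuses any host resolving to a loopback, private, link-local or otherwise non-global address, and returns only URLs that are safe to fetch. The sample manifest, the fake DNS table and the `/.well-known/assetlinks.json` target path (the standard Digital Asset Links location) are constructed for the example; MobSF's real extraction and fetch code is not reproduced.

```python
"""Added example, not MobSF code: android:host extraction with and without
SSRF protection. All inputs below are constructed for the demonstration."""
import ipaddress
import socket
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: one legitimate host plus three hostnames an attacker
# could plant to point the analysis server at its own network.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.com"/>
        <data android:scheme="https" android:host="localhost"/>
        <data android:scheme="https" android:host="169.254.169.254"/>
        <data android:scheme="https" android:host="*.internal.corp"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

# Constructed DNS table used instead of real lookups so the example runs offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
}


def fake_resolve(hostname):
    """Offline resolver for the demo; raises like socket.gethostbyname_ex does."""
    if hostname in FAKE_DNS:
        return FAKE_DNS[hostname]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


def real_resolve(hostname):
    """Default resolver: every IPv4 address the name currently resolves to."""
    return socket.gethostbyname_ex(hostname)[2]


def extract_hosts(manifest_xml):
    """Collect distinct android:host values from every <data> element."""
    root = ET.fromstring(manifest_xml)
    hosts = []
    for data in root.iter("data"):
        host = data.get(f"{{{ANDROID_NS}}}host")
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def unchecked_assetlink_urls(hosts):
    """The vulnerable pattern: every declared host is contacted as-is."""
    return [f"https://{h}/.well-known/assetlinks.json" for h in hosts]


def is_safe_host(host, resolve=real_resolve):
    """True only if the host is a public name resolving to global addresses."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("*."):          # App Links allow wildcards; check the base domain
        host = host[2:]
    if not host or host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        addrs = [ipaddress.ip_address(host)]   # literal IP in android:host
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):          # NXDOMAIN, garbage answers, etc.
            return False
    # is_global is False for loopback, private (RFC 1918), link-local
    # (169.254.0.0/16, including cloud metadata), CGNAT, reserved, unspecified.
    return bool(addrs) and all(a.is_global for a in addrs)


def safe_assetlink_urls(hosts, resolve=real_resolve):
    """The hardened pattern: only hosts that pass is_safe_host are contacted."""
    return [f"https://{h}/.well-known/assetlinks.json"
            for h in hosts if is_safe_host(h, resolve)]


if __name__ == "__main__":
    hosts = extract_hosts(SAMPLE_MANIFEST)
    print("declared:", hosts)
    print("vulnerable would fetch:", unchecked_assetlink_urls(hosts))
    print("hardened fetches:", safe_assetlink_urls(hosts, fake_resolve))
```

Two caveats when wiring this into a real fetch: the check and the request resolve the name separately, so a rebinding DNS server can pass the check and then answer with an internal address; connect to the address that was validated (or re-validate inside a custom adapter) rather than letting the HTTP library resolve again. Likewise disable redirect following, since a public host can 302 the server to an internal URL after the check has passed.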
Oversecured published vulnerability scan reports for 225 Google-owned apps
https://blog.oversecured.com/Oversecured-Apps-Care-Part-1-Vulnerability-disclosure-of-225-Google-apps/
[Questionnaire] We are writing here to get some insights from dedicated malware analysis experts. We are a group of experienced researchers, and we developed a state-of-the-art sandbox for Android malware. We are absolutely convinced that it makes sense to bring this technology to the market, but we need to picture your biggest sandbox needs in your daily work. The idea is to grasp what are, in your eyes, the must-haves of a sandbox. Our goal is to shape the product accordingly and make it available in the forthcoming months/next few months. To this end, we prepared a quick (approximately 15-minute) questionnaire, and it would really mean a lot to us if you could share your valuable feedback. Thanks to this, we hope to soon offer you a gain in efficiency, time and energy in your job.
Questionnaire: https://forms.gle/qJ9ck8UH5WQK6jAZ8
Analysis of a suspicious SMS that leads to installing Android malware
https://labs.k7computing.com/index.php/suspicious-text-messages-alert/
Android Phishing Scam Using Malware-as-a-Service on the Rise in India
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-phishing-scam-using-malware-as-a-service-on-the-rise-in-india/