With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.

Threat info

  • Anatsa, an Android banking trojan also known as TeaBot, has expanded to new countries in a recent campaign. In addition to its previous targets in the UK, Germany, and Spain, Anatsa is now seen in Czechia, Slovakia, and Slovenia. It abuses Android’s Accessibility service and executes fraudulent transactions directly on the victim’s device.
  • GoldPickaxe, the latest variant of the GoldDigger Android banking trojan family from the GoldFactory threat group, now targets both Android and iOS. The threat actor built a separate version of the malware for each platform so that it can attack mobile banking users in Thailand, and probably Vietnam, whatever device they use. Most notably, it captures the victim’s facial data, a technique aimed at defeating the facial biometric verification recently introduced for banking transactions in Thailand. The Android version abuses the Accessibility service and performs overlay attacks.
  • I-Soon, a contractor that runs foreign hacking and espionage campaigns for Chinese state agencies, suffered a breach. A rich collection of internal documents describing the services the company offers, including spying on Android and iOS devices, was leaked.
  • Joker, an Android RAT also known as Copybara, has been used in an active campaign targeting Spain, Italy, and the UK. Victims are lured through smishing and vishing to a phishing website impersonating well-known banks, where they are talked into sideloading a fake banking app. The app carries the Joker trojan and performs on-device fraud (ODF), which leaves none of the traditional risk signals behind and poses a real challenge for anti-fraud systems in financial institutions. It abuses Android’s Accessibility service and performs the usual overlay, keylogging, and remote control (VNC) attacks.
  • Relationship chatbot apps powered by large language models (LLMs) have poor privacy practices and collect far more personal data than they need.
  • Samecoin, an attack campaign that tricks Israeli citizens by impersonating the Israeli National Cyber Directorate, distributes a malicious Android app that wipes the victims’ phones.
  • Smart ski and bike helmet apps from a popular brand have a simple security design flaw that exposes their users’ real-time location data and audio chats.
  • SpyNote Android RAT is spreading through fake video conferencing apps impersonating Google Meet, Skype, and Zoom in a new campaign. All of the distribution websites were hosted on a single IP address, and all of their content was written in Russian, which says a good deal about who the campaign is targeting.
  • TeaBot, the Android banking trojan also known as Anatsa (see above), has increased its activity in several European countries. It spreads through a dropper app in the Google Play Store and performs account takeover (ATO) fraud by abusing the Accessibility service.
  • The VoltSchemer attack demonstrates a novel way of injecting inaudible voice commands into the voice assistant of a charging smartphone solely by manipulating the power supply of the wireless charger.

Vulnerabilities & patches

  • The open-source Wi-Fi client wpa_supplicant, used on Android as well as Linux and ChromeOS, has an authentication flaw in its PEAP implementation (CVE-2023-52160). When the saved enterprise network profile does not verify the RADIUS server’s certificate, a rogue access point cloning the SSID can skip the Phase 2 authentication, so the victim’s device connects to the attacker’s network without the attacker ever knowing the user’s credentials. Updating wpa_supplicant, and configuring a CA certificate and expected server name for every enterprise profile, closes the hole.
  • Apple’s default automation app, Shortcuts, has a vulnerability (CVE-2024-23204) that lets a malicious shortcut access sensitive data without prompting the user for permission. It was fixed in the iOS 17.3 release.
  • Apple patched two actively exploited zero-days (CVE-2024-23225 in the kernel and CVE-2024-23296 in RTKit) in the iOS 17.4 and iOS 16.7.6 releases. Both let an attacker who already has arbitrary kernel read and write capability bypass kernel memory protections, and both were addressed with improved validation.
  • CISA added CVE-2023-21237 to its Known Exploited Vulnerabilities catalog. It is a flaw in the Android Framework component that leads to the disclosure of sensitive information, and it was patched in June 2023.
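The wpa_supplicant item above comes down to one missing setting. The two network blocks below are an added illustration (not from the original roundup or the wpa_supplicant project): the first is the kind of profile CVE-2023-52160 can be used against, the second pins the RADIUS server so a cloned SSID cannot pass Phase 1. The SSID, identity, certificate path and server name are made-up placeholders.

```ini
# Vulnerable profile: no ca_cert, so any TLS server the rogue AP presents
# is accepted in Phase 1 and CVE-2023-52160 lets it skip Phase 2 entirely.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="s3cret"
    phase2="auth=MSCHAPV2"
}

# Hardened profile: the client only completes Phase 1 with a server whose
# certificate chains to the corporate CA and whose name matches the expected
# RADIUS host, so a cloned network never reaches the Phase 2 bypass.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="s3cret"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"   # assumed path to the CA bundle
    domain_match="radius.example.com"              # assumed RADIUS server name
}
```

On Android the same two settings are the "CA certificate" and "Domain" fields of the enterprise Wi-Fi profile; a profile that still reads "Don't validate" for the CA certificate is the exposed case even on a patched build.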

Intelligence reports

  • Meta’s Adversarial Threat Report for Q4 2023 shares comprehensive insights into the operations of eight surveillance-for-hire companies targeting Windows, Android, and iOS users. Their mobile spyware can exfiltrate a wide range of data (device information, location, photos and media, contacts, calendar, email, SMS, social media, and messaging apps) and can control the microphone, the camera, and screenshot capture.
  • Anubis, AhMyth, and Hiddad were the top three mobile malware families in January 2024, according to Check Point’s Most Wanted Malware report.
  • Kaspersky’s mobile threat landscape report counts roughly 33.8 million malware, adware, and riskware attacks blocked in 2023. Of the 1.3 million unique malicious installation packages seen, adware was the most common category at about 41%, followed by riskware at about 27% and Android banking trojans at about 12%.
  • According to Check Point’s 2024 Cyber Security Report, Anubis (16%), AhMyth (13%), and Pandora (9%) were the top three mobile malware families worldwide in 2023. Anubis led in EMEA with a 22% share, AhMyth in APAC with 21%, and Pandora in the Americas with 26%.
  • Recorded Future’s Insikt Group reports a new Predator mobile spyware delivery infrastructure used by customers in eleven countries. Despite public criticism of its abusive use, the minimal changes in the Predator operation indicate a continuing threat.
  • CloudSEK’s report reveals a money laundering operation run by Chinese cybercriminals through the Indian banking system using a web of money mules. The whole large-scale scheme is orchestrated through a single Android app.