With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.

Threat info

  • Brokewell Android banking trojan has extensive device takeover capabilities, even though it is still under active development and receives updates daily. Like most Android banking malware, it can perform overlay attacks by abusing Android’s accessibility service. Additionally, the cybercriminals behind the Brokewell operations developed a loader that bypasses the Android 13+ countermeasures against accessibility service abuse, and open-sourced it.
  • Dirty stream attack exploits a path traversal vulnerability found in popular Android applications, downloaded more than four billion times from the Google Play Store, that enables a malicious app to overwrite files in the target application’s home directory. Depending on the vulnerable app’s implementation, arbitrary code execution and token theft are also possible.
  • LightSpy iOS spyware campaign targets Southern Asia and probably India. It steals personal documents and files from apps, stealthily records ambient sounds from the device’s microphone and takes pictures using the camera, monitors user activity, and retrieves sensitive data from the user’s secure storage.
  • Masquerading as a well-known app is a widespread tactic for Android remote access trojans to trick victims into installing them. Some use on-device phishing as the main attack vector. They request accessibility service and device admin permissions. Fake login forms of targeted brands appear on the device screen from time to time to steal user credentials.
  • Mercenary spyware attack warnings were sent to iPhone users in 92 countries by Apple. These sophisticated attacks are very targeted and often used for surveillance of journalists, activists, politicians, or diplomats by nation-states.
  • SIM swapping lures are being offered to employees of American telecommunications companies to tempt them into performing illegal SIM swaps. Cybercriminals then receive the two-factor authentication codes sent to the victim’s number and take over the victim’s accounts.
  • Smishing campaigns using unpaid-toll scams have been seen in three US states.
  • SoumniBot, an Android banking trojan, targets mobile banking users in Korea. Its developers applied unconventional obfuscation techniques to the manifest file, which lets it evade detection by off-the-shelf analysis tools. Notably, this banking trojan finds and exfiltrates digital certificates, such as those used to sign in to online banking accounts or execute transactions.
  • Storm-0539 threat actor targets US retail corporate employees with sophisticated phishing attacks on their personal and work mobile devices. Once an employee’s credentials are compromised, adversaries access and gather information on the business network to identify the gift card business processes and pivot to specific employees whose accounts enable attackers to create fraudulent gift cards.
  • Vultur Android banking trojan campaign targets mobile banking users in Finland.
  • Wpeeper Android trojan uses compromised WordPress websites as a proxy to its actual command and control (C2) servers, which makes the C2 servers difficult to track. Repackaged apps are used to deliver this malware and evade detection: a small implant in the repackaged app downloads the malicious payload. The attack campaign was aborted abruptly four days after observation, so the threat actor’s intentions are not yet understood.

Vulnerabilities & patches

  • CISA adds CVE-2023-7028, an improper access control vulnerability in GitLab, to its Known Exploited Vulnerabilities Catalog. It enables an attacker to trigger password reset emails to an attacker-controlled email address and take over the victim’s GitLab account. All GitLab installations need to be urgently patched. Cybercriminals could breach organizations and execute software supply chain attacks by exploiting this vulnerability.
  • Android OS leaks DNS queries in certain scenarios even when the Always-on VPN and “Block connections without VPN” options are enabled.
  • 20 vulnerabilities in various applications and system components of Xiaomi devices are disclosed. Xiaomi users must apply the latest updates.
  • Apple backported the fix for the actively exploited zero-day (CVE-2024-23296) to older iPhones in the iOS 16.7.8 release. This vulnerability allows attackers with arbitrary kernel read and write capabilities to bypass kernel memory protections. It was addressed with improved validation.

Intelligence reports