With a special focus on mobile apps and connected, unmanaged devices, this Cybersecurity Threat Roundup is compiled by Verimatrix Cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.

Threat info

  • Bogus QR codes pasted at small businesses in Singapore are being used by cybercriminals to deliver malicious Android apps containing a banking trojan. Once installed, the malware drained the victims’ bank accounts. There have been at least 113 victims in Singapore who lost $445,000 in phishing scams since March.
  • Bouldspy is an Android spyware developed and used actively by the Iranian law-enforcement agencies. In addition to the common spyware features, it can also record voice calls over 16 different VoIP apps.
  • The BrutePrint attack successfully cracks the fingerprint authentication of Android devices with $15 worth of equipment. Researchers showcased the attack on eight different Android phone models; it took between 45 minutes and 14 hours. The attack requires physical access to the phone and then enables an attacker to unlock the screen, make payments in apps, etc.
  • DogeRAT Android malware targets people in India via counterfeit versions of popular entertainment, social media and messaging apps.
  • Lemon Group’s criminal enterprise pre-infected almost 9 million mobile devices with a tampered Android system library in a supply chain attack. Threat actors monetized the infected devices in the business of SMS Phone Verified Accounts (PVA) services, proxy services, marketing services, advertisement fraud, and app installation services.
  • Predator, a powerful commercial spyware available for both iOS and Android, offers a wide range of information-stealing, surveillance, and remote-access capabilities. Notably, its loader, Alien, can stop selected applications running in the background upon device reboot – a common technique observed in mobile malware to impair defenses.
  • Stolen mobile phones pose a threat to mobile banking apps. In one UK case, £73,000 was stolen from a victim.

Vulnerabilities & patches

  • Kids Place is a parental control app for Android phones with more than 5 million downloads. Researchers identified multiple vulnerabilities (CVE-2023-29079, CVE-2023-29078 and CVE-2023-28153) in the app. All the issues were patched in version 3.8.50.
  • The Expo framework enables application developers to create native iOS, Android, and web applications from a single codebase. A critical security flaw (CVE-2023-28131) in the framework’s Open Authorization (OAuth) implementation was mitigated by a hotfix.

Intelligence reports

  • Meta reported the actions taken against a Pakistan-based, state-sponsored advanced persistent threat (APT), the Bahamut APT and the Patchwork APT groups in its Quarterly Adversarial Threat Report Q1 2023. These groups use Facebook and Instagram to socially engineer their targets and deliver malicious Android apps.
  • According to the LexisNexis Risk Solutions Cybercrime Report 2022, mobile apps have become the preferred channel for digital transactions (63% of 79.8 billion transactions in 2022). Mobile apps also exhibited the highest year-over-year (YOY) growth in attack rate with a 58% increase.