With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.

Threat info

  • DONOT, an Indian advanced persistent threat (APT) actor, has integrated the OneSignal push notification service into its mobile malware. It aims to deploy additional malware through push notifications for enhanced persistence. The malware samples abuse Android’s accessibility service.
  • Firescam, an Android spyware masquerading as a Telegram Premium app, is distributed via a fake website imitating RuStore, a popular app store in the Russian Federation. It exfiltrates sensitive data and monitors user activity. Firescam abuses legitimate Firebase services for command-and-control (C2) communications, data storage, and the deployment of additional malicious payloads.
  • The Gravy Analytics hack revealed the company’s data sources, which sell location data to both US government agencies and commercial companies. Gravy Analytics, or its third-party suppliers, monitored and harvested over 12,000 mobile apps’ advertisement placement bidding streams to acquire user location data. App users and developers are likely not aware of this data collection practice. Popular free ad-supported streaming television (FAST) apps, including Pluto TV and Rakuten TV, as well as the Candy Crush gaming app, Tinder dating app, and MyFitnessPal fitness app, are prominent examples of the affected brands.
  • RedDelta, a Chinese advanced persistent threat (APT) actor, also known as Mustang Panda, targeted the developers of two Mongolian mobile applications.
  • Refund scams in the Middle East employ sophisticated social engineering tactics and remote access applications to steal credit card information and one-time passwords (OTP) from victims’ mobile phones.
  • Smishing has evolved to circumvent the built-in phishing protections of Apple’s iMessage. Fraudsters have added a new trick to their phishing texts, for instance, “Please reply Y, then exit the text message, reopen the text message activation link, or copy the link to the Safari browser to open it.” Replying to the message disables the protections and displays the phishing link.
  • Star Blizzard, a Russian advanced persistent threat (APT) actor, started targeting WhatsApp accounts in its espionage operations. It sends an initial email to its targets containing a broken QR code that directs them to join a WhatsApp group. If a recipient replies to this email to complain about the non-functional QR code, a second email will be sent with a Safe Links-wrapped, shortened link to join the group. When the link is clicked, the target is redirected to a webpage including a functional QR code. However, this QR code links the WhatsApp account to a new device. If the target follows the instructions on the page, the threat actor will eventually gain access to the WhatsApp conversations.
  • The driving data of 45 million Americans is being unlawfully collected to create the world’s largest driving behavior database, according to the proceedings of a lawsuit filed by the Texas Attorney General. The data is acquired through an SDK embedded in four mobile apps without user knowledge. These apps are Routely, Life360, GasBuddy, and Fuel Rewards.
  • The global hacking campaign that targeted prominent American climate activists is being investigated by the Department of Justice. A lobbying firm allegedly orchestrated the hacking of their phones.
  • Toll scams are on the rise in the United States. The surge in smishing attacks coincides with the new release of a popular Chinese phishing kit. These kits steal victims’ payment card details so that the cards can be added to mobile wallets and used to buy goods or launder money.
  • The Tria Stealer campaign has been targeting Malaysia and Brunei since mid-2024. The Android spyware harvests SMS data, monitors call logs, retrieves messages (e.g., WhatsApp and WhatsApp Business), and gathers emails (e.g., Gmail and Outlook) from its victims. It exfiltrates the stolen data to multiple Telegram bots. The threat actor leverages this information to seize control of personal messaging accounts, impersonate account owners to solicit money transfers from their contacts, and possibly compromise victims’ other accounts.
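
A defender-side illustration of the iMessage lure described above: the following detector, added here and not part of the original roundup, scores SMS text for the "reply Y / reopen the message / paste into Safari" instructions combined with a link. The sample messages are constructed.

```python
import re

# Lure phrases from the iMessage-protection-bypass trick; each hit is reported by name.
LURE_PATTERNS = [
    (re.compile(r"\breply\s+(?:with\s+)?['\"]?y['\"]?\b", re.I), "asks for a 'Y' reply to enable the link"),
    (re.compile(r"\b(?:exit|close)\b.*\bre-?open\b.*\b(?:message|text)\b", re.I | re.S), "asks to reopen the message after replying"),
    (re.compile(r"\bcopy\b.*\b(?:link|url)\b.*\bsafari\b", re.I | re.S), "asks to paste the link into Safari"),
]
# Any http(s)/www link or bare domain with an optional path.
URL_PATTERN = re.compile(r"(?:https?://|www\.)\S+|\b[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def analyze_sms(text: str) -> dict:
    """Return the lure indicators found, whether a link is present, and a verdict.
    A message is flagged when it carries a link and at least one reply-to-enable lure."""
    reasons = [label for pattern, label in LURE_PATTERNS if pattern.search(text)]
    has_link = URL_PATTERN.search(text) is not None
    return {"reasons": reasons, "has_link": has_link,
            "suspicious": has_link and len(reasons) > 0}

# Constructed sample messages (not real smishing texts).
SAMPLES = [
    "Unpaid toll notice: settle at https://toll-notice.example/pay Please reply Y, then exit "
    "the text message, reopen the text message activation link, or copy the link to the Safari "
    "browser to open it.",
    "Your package was delivered today. Reply STOP to opt out of delivery updates.",
]

def flagged_samples() -> list:
    """Indices of SAMPLES that the detector flags as bypass lures."""
    return [i for i, msg in enumerate(SAMPLES) if analyze_sms(msg)["suspicious"]]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(analyze_sms(msg))
```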

Vulnerabilities & patches

  • Apple has patched its first zero-day (CVE-2025-24085) in 2025. It is a use-after-free flaw in the Core Media framework that defines the media pipeline on Apple platforms. It was addressed with improved memory management.
  • RANsacked, a domain-informed approach for fuzzing LTE and 5G RAN-Core interfaces, discovered 119 vulnerabilities that enable denial-of-service and memory-corruption attacks in LTE/5G core infrastructure.
  • Samsung has patched a zero-click out-of-bounds write vulnerability (CVE-2024-49415) that could allow remote attackers to execute arbitrary code on Samsung smartphones without requiring user interaction.
  • Clone2Leak attacks exploit a series of vulnerabilities in the handling of authentication messages between Git and its credential helper programs, which a malicious repository can abuse to expose user credentials and access tokens. All vulnerabilities have been patched in GitHub Desktop 3.4.12, Git Credential Manager 2.6.1, Git LFS 3.6.1, and GitHub CLI (gh) 2.63.0.
  • A group of security researchers has discovered new side-channel vulnerabilities (SLAP and FLOP) in Apple processors, which can leak sensitive information from web browsers. Both are speculative execution attacks, and all iPhone models from September 2021 to date are affected.
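
To show the kind of strict handling a credential helper needs for the Git-to-helper messages mentioned in the Clone2Leak item, here is an added example (not code from Git or any of the patched projects) that parses the git credential protocol's key=value format, rejects control characters and unknown fields, and releases a stored secret only on an exact protocol and host match. The stored credential is a constructed placeholder.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Field names defined by the git credential protocol (see git-credential(1)).
KNOWN_KEYS = {"protocol", "host", "path", "username", "password", "url"}
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
HOSTNAME = re.compile(r"^[A-Za-z0-9.-]+(:[0-9]{1,5})?$")

def parse_credential_message(raw: str) -> dict:
    """Parse one key=value message (blank-line terminated) and refuse anything
    that could smuggle an extra line or an unexpected field into the helper."""
    fields = {}
    for line in raw.split("\n"):
        if line == "":
            break                                   # blank line ends the message
        if CONTROL_CHARS.search(line):
            raise ValueError("control character in credential message")
        key, sep, value = line.partition("=")
        if not sep or key not in KNOWN_KEYS:
            raise ValueError(f"unexpected line {line!r}")
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = value
    if "url" in fields:                             # git expands url= into parts; mirror that
        u = urlsplit(fields.pop("url"))
        fields.setdefault("protocol", u.scheme)
        fields.setdefault("host", u.netloc.rsplit("@", 1)[-1])
        if u.username:
            fields.setdefault("username", u.username)
    if "host" in fields and not HOSTNAME.match(fields["host"]):
        raise ValueError(f"invalid host {fields['host']!r}")
    return fields

def lookup(store: dict, fields: dict) -> Optional[dict]:
    """Release a stored secret only when protocol and host match exactly."""
    username_password = store.get((fields.get("protocol"), fields.get("host")))
    if username_password is None:
        return None
    username, password = username_password
    if fields.get("username") not in (None, username):
        return None                                 # a different account was requested
    return {"username": username, "password": password}

# Constructed placeholder store: (protocol, host) -> (username, secret).
STORE = {("https", "github.com"): ("alice", "PLACEHOLDER_TOKEN")}
```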

Intelligence reports

  • Recorded Future’s report explains how several countries in Central Asia (Belarus, Kazakhstan, Kyrgyzstan, and Uzbekistan) and Latin America (Cuba and Nicaragua) implement their digital surveillance capabilities based on Russia’s System for Operative Investigative Activities (SORM). Mobile network operators in these countries must install equipment that complies with SORM.
  • OWASP Top 10 for Large Language Model Applications 2025 highlights the risk of tampered large language models (LLMs) deployed on devices. AI applications should be protected against reverse engineering and repackaging attacks.
  • Anubis, Necro, and Hydra were the top three mobile malware threats in December, according to Check Point’s Most Wanted Malware Report.
  • Recorded Future’s Insikt Group predicts in the 2024 Annual Report that one of the high-impact cyber incidents of 2025 will be related to mobile malware. This is anticipated as certain environmental factors surpass critical thresholds, such as the widespread use of mobile devices to access sensitive corporate and financial information.
  • The Android Security and Privacy team banned more than 158,000 malicious developer accounts and prevented 2.36 million policy-violating apps from being published on the Google Play Store in 2024. This represents a 53% decrease in malicious developer accounts and a 4% increase in policy-violating apps compared to 2023. Most of the human reviews for harmful apps were assisted by AI, and 1.3 million apps were prevented from obtaining excessive or unnecessary permissions to sensitive user data. Additionally, Google Play Protect’s real-time scanning detected over 13 million new malicious apps from outside Google Play in the past year.
  • The Google Threat Intelligence Group’s Adversarial Misuse of Generative AI Report reveals that Iranian advanced persistent threat (APT) actors utilize Gemini to explore techniques for extracting data from Android devices, such as SMS messages, accounts, contacts, and social media profiles.
  • The Spamhaus Botnet Threat Update for July to December 2024 states that Android backdoors continue to rank as the third most popular type of malware, driven by a 152% surge in Coper infections. Coper is also known as ExobotCompact and Octo.