With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.
Threat info
- Carding—the trafficking and unauthorized use of credit cards—has been revived by Chinese cybercriminal groups. They load phished card data into mobile wallets that can be used both online and in physical retail stores. One such Chinese phishing group also sells an Android app called ZNFC, which can relay a valid NFC transaction from the wallet to any location worldwide.
- Cellebrite’s digital forensics tools were misused to break into the Android phone of a youth activist in Serbia. After the phone was unlocked, authorities attempted to install an unknown Android application, which was likely the NoviSpy spyware. The attack leveraged a sophisticated zero-day exploit chain—CVE-2024-53104, CVE-2024-53197, and CVE-2024-5030—targeting USB drivers in the Linux kernel.
- Cocospy and Spyic mobile stalkerware apps—used by 1.81 million and 880,167 customers, respectively—contain a vulnerability that exposes sensitive personal data from the apps’ servers, such as messages, photos, call logs, and more.
- Darcula Phishing Suite 3.0 introduces a new automated phishing site creation feature. Attackers can provide a brand URL, and the platform uses a browser automation tool to replicate the site’s original design and functionality. It also supports injecting a wide selection of phishing templates into the cloned site.
- The DeepSeek AI iOS app poses significant security and privacy risks, including hard-coded encryption keys and the unencrypted transmission of sensitive user and device data to third-party Chinese companies. While not yet confirmed, similar flaws are expected to be found in the Android version. Several countries, including Australia, Italy, the Netherlands, Taiwan, and South Korea, as well as government agencies in India and the United States, have banned the DeepSeek apps. Meanwhile, fraudsters are exploiting DeepSeek’s popularity to lure users into scams and distribute malware.
- The FinStealer Android trojan is distributed through phishing campaigns and unofficial app stores. It impersonates Indian mobile banking apps to steal personal information and card details.
- Graphite, a mercenary spyware developed by Paragon Solutions, has been deployed against 90 WhatsApp users, including journalists and members of civil society. It was a zero-click infection that likely succeeded in compromising the targets, though the identity of the spyware’s operator remains unknown. Once Graphite infects a phone, the operator gains full access to the device, including the ability to read messages sent via encrypted apps like WhatsApp and Signal.
- The iCloud end-to-end encryption feature is no longer available to new users in the United Kingdom due to a government order requesting a backdoor to access Apple customers’ encrypted cloud data.
- LightSpy, a modular surveillance framework designed for data collection and exfiltration, has extended its capabilities to extract data from the database files of the Facebook and Instagram apps.
- The Marcher Android banking trojan has been distributed through fake web browser update pages by an emerging threat actor. It is an old banking trojan that has targeted Android devices since 2013.
- Quishing (QR phishing) attacks may now deliver the malicious QR codes on unexpected packages left at doorsteps.
- RedNote, also known as Xiaohongshu, is a popular Chinese social media app with over 300 million active users. The app gained global attention after approximately three million U.S. users joined RedNote following the U.S. government’s decision to ban TikTok. Its Android and iOS apps were analyzed for network security issues, revealing multiple flaws. These include fetching viewed images and videos over HTTP, transmitting insufficiently encrypted device metadata, and a vulnerability that allows network attackers to access the contents of any files RedNote has permission to read on users’ devices. The second and third issues were introduced by third-party SDKs.
- Signal Messenger accounts belonging to individuals of interest to Russian intelligence services have increasingly been targeted by several Russian state-aligned threat actors. These actors often craft malicious QR codes that, when scanned, link a victim’s account to a Signal instance under their control. The latest Signal releases on Android and iOS contain hardened features designed to help protect against similar phishing campaigns.
- SparkCat spyware has been discovered in both Google Play and the Apple App Store. It scans the device’s image gallery and uses optical character recognition (OCR) to identify screenshots containing cryptocurrency wallet recovery phrases. The selected images are then exfiltrated. A total of 11 iOS and 18 Android apps have been linked to this malware campaign, which has been active since March 2024. Some of these apps were deliberately created for malicious purposes, while others were compromised through a supply-chain attack.
- SpyLend spyware targets Android users in India and is distributed through Google Play. Initially disguised as a harmless finance management application, it displays fraudulent loan apps via an external link when the user is located in India. Once a fraudulent app is installed, it harvests sensitive user data, enforces exploitative lending practices, and uses blackmail tactics to extort money.
- Spyrtacus, a mercenary spyware developed by the Italian company SIO, impersonates popular apps such as WhatsApp and customer support tools provided by cellular service providers. It is distributed through fake websites and is designed to steal sensitive data from the target’s device.
- TgToxic, an Android banking trojan, has enhanced its emulator detection capabilities and introduced a new command-and-control (C2) domain generation mechanism. It has shifted from using hard-coded C2 addresses to fetching them from dead drop locations and, later, to using a domain generation algorithm (DGA).
Vulnerabilities & patches
- Google has patched an actively exploited kernel vulnerability (CVE-2024-53104), an out-of-bounds write (CWE-787), in the 2025-02-05 security patch level.
- Apple has patched an actively exploited vulnerability (CVE-2025-24200) in the iOS 18.3.1 release. The flaw allows an attacker with physical access to bypass USB Restricted Mode on a locked device, and it was used in a highly sophisticated attack targeting specific individuals.
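As an added example (not from the roundup or from Verimatrix), the following Python script triages a constructed MDM-style device inventory against the two fixed levels above: the 2025-02-05 Android security patch level and iOS 18.3.1. The inventory rows and the CSV column layout are assumptions, not any real product's export format.

```python
"""Fleet patch-compliance triage for CVE-2024-53104 and CVE-2025-24200.

Added example: inventory rows are constructed and the column layout is an
assumed MDM export format, not any real product's schema.
"""
import csv
import io
from datetime import date

# Fixed levels taken from the advisories above.
ANDROID_MIN_PATCH = date(2025, 2, 5)   # security patch level fixing CVE-2024-53104
IOS_MIN_VERSION = (18, 3, 1)           # iOS release fixing CVE-2025-24200

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = """\
device_id,platform,version
and-001,android,2025-02-05
and-002,android,2025-01-01
and-003,android,2024-12-05
ios-001,ios,18.3.1
ios-002,ios,18.3
ios-003,ios,18.4
ios-004,ios,17.7.2
"""

def parse_ios_version(text):
    """'18.3' -> (18, 3, 0) so that tuples compare component-wise."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def parse_android_patch(text):
    """'2025-02-05' -> date; Android exposes this as ro.build.version.security_patch."""
    return date.fromisoformat(text.strip())

def is_patched(platform, version):
    """True when the device is at or above the fixed level for its platform."""
    if platform == "android":
        return parse_android_patch(version) >= ANDROID_MIN_PATCH
    if platform == "ios":
        return parse_ios_version(version) >= IOS_MIN_VERSION
    raise ValueError(f"unknown platform: {platform}")

def find_exposed_devices(inventory_csv):
    """Return ids of devices still exposed to either actively exploited bug."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [row["device_id"] for row in reader
            if not is_patched(row["platform"], row["version"])]

if __name__ == "__main__":
    print(find_exposed_devices(SAMPLE_INVENTORY))  # ['and-002', 'and-003', 'ios-002', 'ios-004']
```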
Intelligence reports
- Anubis, AhMyth, and Necro were the top three mobile malware threats in January, according to Check Point’s Most Wanted Malware Report.
- The Zimperium Evolution of Mobile-Specific Phishing Attacks report states that 37% of global smishing attacks occurred in India, followed by the United States with 16% and Brazil with 9%.
- The CrowdStrike 2025 Global Threat Report reveals that voice phishing (vishing) attacks, where adversaries call victims to amplify their activities using persuasive social engineering techniques, surged by 442% between the first and second half of 2024.
- The Recorded Future 2024 Malicious Infrastructure Report shows that the top ten mobile malware command-and-control (C2) servers in 2024 are associated with Hook, SpyNote, Octo, Joker, ERMAC, MoqHao, Hydra, LightSpy, AlienBot Banker, and TgToxic.