With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.
Threat info
- Copybara, an Android banking trojan, targets mobile banking users in Italy and Spain. VMX Labs discovered that the malware attacks 781 mobile apps—primarily banking apps—and is capable of performing overlay attacks on at least 425 of them.
- Crocodilus, a newly discovered and sophisticated Android banking trojan, targets financial institutions in Spain and Turkey, as well as several cryptocurrency wallets. Since its emergence in the mobile threat landscape, it has utilized advanced techniques such as remote control, black screen overlays, and accessibility logging. Additionally, it incorporates core banking trojan functionalities, including overlay attacks and keylogging, to facilitate full device takeover.
- DocSwap, an Android spyware, targets users in South Korea by masquerading as a document-viewing authentication app. It has been attributed to the North Korean APT group Kimsuky.
- KoSpy, a new Android spyware attributed to the state-sponsored cyber espionage group ScarCruft (also known as APT37), primarily targets users in South Korea. It is distributed via the Google Play Store and third-party app stores like APKPure, disguised as utility apps such as File Manager, Software Update Utility, and Kakao Security, to infect its targets. KoSpy can steal extensive personal information and record keystrokes by abusing Android’s accessibility service.
- Lucid, a highly sophisticated Phishing-as-a-Service (PhaaS) platform operated by Chinese-speaking threat actors, targets 169 organizations across 88 countries. With 129 active instances and over 1,000 registered domains, it stands among the most prominent PhaaS platforms, alongside Darcula and Lighthouse. Its scalable, subscription-based model lets cybercriminals launch widespread phishing campaigns aimed at harvesting credit card information for financial fraud. The platform features an automated attack delivery system that deploys customizable phishing websites, primarily distributed via SMS-based lures. To maximize effectiveness, Lucid sends its lures over Apple iMessage and Android RCS rather than plain SMS, bypassing traditional SMS spam filters and significantly improving delivery and success rates.
- NFC relay fraud is on the rise in the United States. Law enforcement agencies in at least two U.S. states have separately arrested Chinese nationals accused of carrying out a new form of tap-to-pay fraud using mobile devices.
- The OctoV2 Android banking trojan is distributed via phishing websites that impersonate the popular DeepSeek AI platform.
- Parking fee scams are on the rise in the United States. Scammers are now using Google redirect URLs (e.g., google.com/url?q={phishing URL}) to bypass phishing protections in Apple’s Messages app. This tactic makes malicious links appear trustworthy, tricking users into visiting fake parking fine websites designed to steal personal and financial information.
- PJobRAT, an Android remote access trojan (RAT) first identified in 2019, was reported in 2021 to have targeted Indian military personnel by impersonating popular dating and messaging apps. Since then, the malware has largely remained undetected—until a recent campaign surfaced, targeting users in Taiwan. PJobRAT is capable of exfiltrating SMS messages, contact lists, device and app data, documents, and media files from infected devices.
- Scam crypto investment platforms use pyramid schemes to defraud victims via websites and mobile applications. The campaign primarily targets users in East African and Asian regions by impersonating well-known brands, cryptocurrency platforms, and popular organizations.
- Transparent Tribe, a Pakistan-based advanced persistent threat (APT) group, distributes spyware via a fake India Post website. The lure pushes victims to install a casino app that initially functions normally but soon prompts them to enter their payment details to continue.
- TsarBot is a recently discovered Android banking trojan that targets over 750 apps worldwide, including those in banking, finance, cryptocurrency, and e-commerce. It spreads through phishing websites that impersonate legitimate financial platforms and is installed via a dropper disguised as Google Play Services. Once active, TsarBot uses overlay attacks to steal sensitive information such as banking credentials, credit card details, and login data. It can also record and remotely control the device screen, simulating user actions like swiping, tapping, and entering credentials while concealing its activity with a black overlay. Communication with its command-and-control (C2) server is handled via WebSocket across multiple ports, allowing it to receive commands, exfiltrate stolen data, and perform on-device fraud.
- Vapor, a large-scale Android malware campaign involving hundreds of malicious apps distributed through the Google Play Store and third-party platforms, mainly pursues ad fraud and credential theft. At least 331 malicious Android apps have been identified, collectively reaching over 60 million downloads. The apps evade detection by hiding their icons from the launcher, a technique newer Android versions are meant to restrict. While many retain basic functionality to appear legitimate, they can display out-of-context ads over whatever app is in the foreground, bypassing the permission normally required for that. Some variants go further and phish for user credentials, including login details and credit card data. Notably, these apps can auto-launch without user interaction, exploiting behavior that Android 13 and later is supposed to block.
- .NET MAUI, Microsoft's C# cross-platform app framework for Android, iOS, Windows, and macOS and the successor to Xamarin, is being abused by cybercriminals for malware development. In effect it serves as an unusual kind of packer, helping malware evade detection.
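The parking-fee item above describes Google redirect URLs (google.com/url?q=...) being used to make phishing links look trustworthy in Apple's Messages app. The following Python script is an added example, not code from the VMX Labs roundup or from any report it cites: it pulls URLs out of SMS text, unwraps the google.com/url redirector (following nested wrappers), and flags links whose visible domain is google.com but whose real destination is not. The sample messages and the .test hostnames in them are constructed for illustration; only the `q` parameter named on the page is treated as the redirect target.

```python
"""Unwrap google.com/url?q=... redirectors found in SMS lures and report the real landing host.

Added example, not part of the VMX Labs roundup. Sample messages below are
constructed; hostnames use the reserved .test TLD and are placeholders.
"""
import re
from urllib.parse import urlsplit, parse_qs

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
REDIRECT_PARAMS = ("q",)  # parameter carrying the destination; extend if other names are seen
MAX_HOPS = 5              # stop following nested redirectors after this many


def is_google_host(host):
    """True for google.com and its subdomains; false for look-alikes such as google.com.evil.test."""
    host = (host or "").lower().rstrip(".")
    return host == "google.com" or host.endswith(".google.com")


def google_redirect_target(url):
    """Return the destination of a google.com/url?q=... link, or None if url is not such a link."""
    parts = urlsplit(url)
    # .hostname drops the port and any userinfo, so https://google.com@evil.test/... resolves to evil.test
    if parts.scheme.lower() not in ("http", "https") or not is_google_host(parts.hostname):
        return None
    if parts.path.rstrip("/") != "/url":
        return None
    params = parse_qs(parts.query)  # percent-decodes the embedded URL
    for name in REDIRECT_PARAMS:
        if params.get(name):
            return params[name][0]
    return None


def resolve(url):
    """Follow google.com/url wrappers until a non-redirect URL is reached; returns (final_url, hops)."""
    hops = 0
    while hops < MAX_HOPS:
        target = google_redirect_target(url)
        if target is None:
            break
        url = target
        hops += 1
    return url, hops


def analyze_message(text):
    """Extract every URL in an SMS body and report where each one really lands."""
    findings = []
    for url in URL_RE.findall(text):
        shown = urlsplit(url)
        final_url, hops = resolve(url)
        final_host = (urlsplit(final_url).hostname or "").lower()
        # Two lure patterns: a Google-looking link that lands outside Google, and a
        # "google.com@..." userinfo prefix that merely paints a trusted name onto another host.
        suspicious = (hops > 0 and not is_google_host(final_host)) or shown.username is not None
        findings.append({
            "displayed_host": (shown.hostname or "").lower(),
            "final_url": final_url,
            "final_host": final_host,
            "hops": hops,
            "suspicious": suspicious,
        })
    return findings


# Constructed sample messages (not real lures); the inner URL in the first is percent-encoded,
# as Google's redirector requires, so its own ?id= query survives parse_qs.
SAMPLE_MESSAGES = [
    "Parking citation unpaid. Settle today: https://www.google.com/url?q=https%3A%2F%2Fpay-city-parking.test%2Fticket%3Fid%3D4471&sa=D",
    "Reminder: https://google.com/url?q=https://google.com/url?q=https%3A%2F%2Ffines-portal.test%2F",
    "Your receipt: https://www.google.com/maps/place/some-garage",
    "Pay here https://google.com@fines-portal.test/url?q=https%3A%2F%2Fgoogle.com",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for f in analyze_message(msg):
            label = "SUSPICIOUS" if f["suspicious"] else "ok"
            print(f"{label:10} {f['displayed_host']} -> {f['final_host']} ({f['hops']} hop(s))")
```

The host check deliberately compares the parsed hostname rather than searching the string for "google.com", so `google.com.evil.test` and `https://google.com@evil.test/` are not mistaken for Google. If the embedded destination is not percent-encoded, any `&`-separated parameters of its own are split off by `parse_qs`, which is also how the real redirector would see them.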
Vulnerabilities & patches
- An address confusion vulnerability in the Find My network allows a remote attacker to transform any Bluetooth-capable device into an AirTag-like tracker. This exploit, known as nRootTag, enables real-time location tracking by leveraging over 1.5 billion iPhones globally as unwitting relays for the attacker. Apple addressed the issue in the iOS 18.2 release.
- Google patched two actively exploited vulnerabilities: a Framework component flaw (CVE-2024-43093) and a Kernel vulnerability (CVE-2024-50302), both of which lead to privilege escalation. These fixes were included in the Android security patch levels 2025-03-01 and 2025-03-05.
- Apple has patched an actively exploited vulnerability (CVE-2025-24201) in the iOS 18.3.2 release. The flaw allows maliciously crafted web content to escape the Web Content sandbox and was used in a highly sophisticated attack targeting specific individuals.
- WhatsApp patched a zero-click, zero-day vulnerability that was exploited to install Graphite, a mercenary spyware developed by Paragon Solutions. The flaw allowed attackers to compromise devices without any user interaction and was used in targeted surveillance operations against journalists and civil society members.
Intelligence reports
- Anubis, Necro, and AhMyth were the top three mobile malware threats in February, according to Check Point’s Malware Spotlight Report.
- Kaspersky reported intercepting approximately 33.3 million attacks in 2024 involving malware, adware, and other forms of unwanted mobile software. Adware was the most prevalent, accounting for 35% of all detections. The company identified 1.1 million malicious and potentially unwanted installation packages, with nearly 69,000 classified as banking trojans.
- Group-IB’s report details how SIM swapping fraud is evolving in the Middle East, with cybercriminals increasingly using phishing websites, social engineering, and hybrid tactics to bypass telecom security measures.
- The Citizen Lab released a comprehensive report on Paragon Solutions’ mercenary spyware operations, with a particular focus on its flagship tool, Graphite. Based on infrastructure analysis, the report identifies Australia, Canada, Cyprus, Denmark, Israel, and Singapore as suspected government clients of the spyware.
- Zimperium’s report states that 1 in 400 Android devices (0.25%) are rooted, and 1 in 2,500 iOS devices (0.04%) are jailbroken.
- The Kaspersky Financial Cyberthreats in 2024 Report reveals that nearly 248,000 users encountered mobile banking malware in 2024, almost 3.6 times more than in 2023. The most active Android malware family was Mamont, accounting for 36.7% of all mobile banking malware attacks. Among the affected regions, users in Turkey were the most heavily targeted.
- In the first quarter of 2025, Doctor Web reported a continued rise in mobile malware activity, with Android threats remaining the primary focus. The report highlights increased activity from adware and banking trojans, along with the discovery of several dozen new threats on the Google Play Store.