With a special focus on mobile apps and connected, unmanaged devices, this Cybersecurity Threat Roundup is compiled by Verimatrix Cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.
Threat info
- Anatsa (also known as TeaBot) is a sophisticated Android banking trojan with advanced account and device takeover capabilities. It offers approximately 600 different overlays to steal credentials from the users of financial apps. Institutions in the US, UK, and DACH regions are targeted in the latest ongoing campaign. 30,000 infections were reported.
- CherryBlos is a new Android malware that specializes in attacking cryptocurrency wallet apps. It performs an overlay attack to steal credentials and uses optical character recognition (OCR) techniques to extract mnemonic phrases from the pictures in the external storage. It can change the recipient’s wallet address to an attacker-controlled one and hide the manipulation with another overlay during transactions.
- DoNot APT (also known as APT-C-35 and SectorE02) shifted its focus to malicious Android apps for information collection and espionage operations. This threat actor currently targets South Asian nations.
- Fluhorse Android malware is found in a packed form for the first time. This shows that threat actors improved their AV evasion techniques from basic string obfuscation to complete encryption of the malware source code.
- GravityRAT Android spyware in a trojanized open-source Instant Messenger app has been discovered. The latest version of the malware has two new features: It can delete files from smartphones and steal WhatsApp messages from backups.
- HelloTeacher Android malware specifically targets three Vietnamese banks’ mobile apps. The threat actor behind this malware clearly examines the apps and develops tailored attacks.
- Kimsuky APT, backed by North Korea, uses fake or spoofed versions of websites, portals, or mobile applications to steal login credentials.
- Letscall, a complex vishing toolkit with spyware and RAT functionalities, targets Android users in South Korea to steal money from victims’ bank accounts.
- Neo_Net is the threat actor behind a global cybercrime campaign against mobile banking users, especially in Spain and Chile. Using only basic tools and simple techniques, the threat actor was able to steal more than 350,000 Euros and collect thousands of victims’ personally identifiable information (PII), such as names, identification numbers, and telephone numbers. The underlying reason for the high success despite the simplicity of this operation likely stems from studying the targets closely and fine-tuning the attack infrastructure accordingly.
- Operation Triangulation, a sophisticated attack campaign installing spyware on iOS devices using a zero-click iMessage exploit, was revealed by Kaspersky.
- Over 60,000 different mobile apps were discovered to be carrying adware. They are mainly targeting Android users in the United States. It is worth mentioning that none were distributed via Google Play Store.
- Triada Android trojan was detected in a mod Telegram app. Mod apps are a very well-known way to lure users into installing malicious apps from 3rd-party app stores.
- Two malicious file management apps from the same developer, downloaded more than 1.5 million times on Google Play Store, were found to be stealthily exfiltrating user’s private information, including media files, to servers in China.
- WebAPK technology enables installation of progressive web applications on Android devices as native applications. Cybercriminals exploit a weakness in the design, which makes victims install malicious apps on their devices without any untrusted source warnings.
- WyrmSpy and DragonEgg Android spywares were attributed to the Chinese espionage group APT41 through a hardcoded C2 IP address found in early samples of WyrmSpy.
Vulnerabilities & patches
- CISA adds three zero-day vulnerabilities (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two of which were used in Operation Triangulation, to its known exploited vulnerabilities catalog. All three issues were addressed in the iOS 16.5.1 and iOS 15.7.7 versions.
- CISA adds six vulnerabilities (CVE-2021-25487, CVE-2021-25489, CVE-2021-25394, CVE-2021-25395, CVE-2021-25371, and CVE-2021-25372) in Samsung mobile devices to its known exploited vulnerabilities catalog. They were already patched in 2021.
- Android July security updates patch three actively exploited flaws (CVE-2023-26083, CVE-2023-2136, and CVE-2021-29256).
- Apple revised the emergency security update, which patched the WebKit zero-day vulnerability (CVE-2023-37450) exploited in the wild. This is the tenth zero-day vulnerability addressed by Apple since the beginning of the year.
- CISA adds three zero-day vulnerabilities (CVE-2023-38606, CVE-2023-32409, and CVE-2023-37450) to its known exploited vulnerabilities catalog. All three issues were addressed in the iOS 16.6 and iOS 15.7.8 versions.
Intelligence reports
- SpinOk, Anubis, and AhMyth were the top three mobile malwares in June 2023, according to Check Point’s Most Wanted Malware Report.
- Resecurity reported that Android OS device spoofing tools are gaining traction among cybercriminals to bypass mobile fraud prevention controls. Financial institutions and online retailers are the main targets.
- Overall Android threat detections increased by 20% in the first half of 2023 compared to the second half of 2022 in the H1 2023 ESET Threat Report.
- Google Threat Analysis Group (TAG) released the ‘0-days Exploited In-the-Wild in 2022’ report. One of the takeaways is the importance of fast patching of zero-days on Android. In multiple cases, patches were not available to users for a long time, and cybercriminals exploited the unpatched but publicly known vulnerabilities.
SparkKitty: A Silent Threat in ‘Trusted’ Apps