With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.

Threat info

  • BadBazaar Android spyware, attributed to the China-backed APT group GREF, was discovered in trojanized Signal and Telegram apps. The trojanized Signal app enables attackers to spy on messages by secretly linking the attacker’s device to the victim’s account, a technique not seen before. Although the Google Play Store took the two apps down after responsible disclosure, they are still available in the Samsung Galaxy Store, other app stores, and dedicated websites.
  • Beta-testing apps are used by cybercriminals to exfiltrate personally identifiable information (PII), access financial accounts, or take over the victim’s device. Beta apps are especially appealing to criminals because they are usually not subject to the vetting processes of the official app stores. It is worth mentioning that in the Google Play Store, beta apps go through the same review process as production apps.
  • The creator of CypherRAT and CraxsRAT, EVLF-DEV, has been identified as a man in Syria. After the threat actor’s real identity was uncovered, EVLF-DEV announced that he had decided not to continue malware development. However, other threat actors have already released cracked versions of these Android malware families for free, which has led to a rise in cyberattacks spreading CypherRAT and CraxsRAT.
  • Face recognition is commonly used in mobile apps to verify identity, for instance when opening a new bank account or playing a mobile game with a minimum age requirement. Researchers examined eighteen mobile face recognition software development kits (SDKs) and found that eleven of them have serious security flaws that allow identity spoofing using nothing more than static images of a victim.
  • Fake mobile banking apps were used to steal credentials of Iranian bank customers.
  • Invisible adware in 43 Android apps, downloaded 2.5 million times collectively, defrauds advertisers by playing ads when the device’s screen is off. They are mostly media streaming and news apps targeting Korean users.
  • MMRat is a new Android banking trojan targeting people in Southeast Asia since late June 2023. It abuses Android’s accessibility service and MediaProjection API to perform bank fraud.
  • SpyNote (also known as CypherRAT) is a well-known Android spyware with remote access trojan (RAT) capabilities. During the summer of 2023, SpyNote detections surged in Europe due to the campaigns targeting the customers of several major banks. These campaigns rely mainly on phishing for initial access and abusing Android’s accessibility service to obtain banking credentials and two-factor authentication (2FA) codes.

Vulnerabilities & patches

  • Researchers discovered that many recent malicious Android apps carrying mobile banking trojans such as Anatsa, Hydra, Cerberus, and Alien abuse the Android BinaryXML format to evade the Google Play Store’s malware detection. The evasion stems from a parsing inconsistency between scanning tools and the Android OS: scanning tools treat the intentionally malformed files as invalid and ignore them, whereas the operating system treats the app as a whole as valid and still loads it. Google announced that its malware detection mechanisms have been updated to stop this abuse.
  • Tencent’s Sogou Input Method, an app with over 450 million monthly active users, has vulnerabilities in the custom-designed cryptographic protocol that protects the transmission of users’ keystrokes. These vulnerabilities allow network eavesdroppers to decipher sensitive data in transit. The flaws are patched in Windows app version 13.7, Android app version 11.26, and iOS app version 11.25.
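As an added illustration of the parser-differential problem behind the BinaryXML item above (example code written for this roundup, not Google’s or any scanner vendor’s implementation): a strict chunk walker over the binary AndroidManifest.xml container, paired with a scanner policy that reports a manifest it cannot parse as a finding instead of silently ignoring it. The chunk type codes and header invariants follow AOSP’s ResourceTypes.h; the sample blobs are constructed, not taken from any real APK.

```python
import struct

# Chunk type codes from AOSP ResourceTypes.h; every chunk starts with
# ResChunk_header = u16 type, u16 headerSize, u32 size (little-endian).
RES_XML_TYPE = 0x0003
KNOWN_XML_CHILDREN = {0x0001, 0x0180, 0x0100, 0x0101, 0x0102, 0x0103, 0x0104}
CHUNK_HDR = struct.Struct("<HHI")

def walk_chunks(blob: bytes):
    """Strictly walk the top-level chunks of a binary AndroidManifest.xml.
    Returns [(type, header_size, size, offset), ...] or raises ValueError on
    any header that is inconsistent with the file it sits in."""
    if len(blob) < CHUNK_HDR.size:
        raise ValueError("too short for a chunk header")
    ctype, hsize, size = CHUNK_HDR.unpack_from(blob, 0)
    if ctype != RES_XML_TYPE or not (8 <= hsize <= size) or size != len(blob):
        raise ValueError(f"bad file chunk: type={ctype:#06x} headerSize={hsize} size={size}")
    chunks, off = [], hsize
    while off < size:
        if off + CHUNK_HDR.size > size:
            raise ValueError(f"truncated chunk header at offset {off}")
        ct, hs, sz = CHUNK_HDR.unpack_from(blob, off)
        # Same invariants AOSP's validate_chunk() enforces: header fits in the
        # chunk, chunk fits in the file, both sizes 4-byte aligned. Requiring
        # sz >= 8 also rejects a zero-size chunk that would spin a naive loop.
        if not (8 <= hs <= sz and off + sz <= size and ((hs | sz) & 3) == 0):
            raise ValueError(f"inconsistent chunk at {off}: type={ct:#06x} headerSize={hs} size={sz}")
        if ct not in KNOWN_XML_CHILDREN:
            raise ValueError(f"unexpected chunk type {ct:#06x} at offset {off}")
        chunks.append((ct, hs, sz, off))
        off += sz
    return chunks

def scan_verdict(blob: bytes) -> str:
    """Scanner policy: a manifest that fails strict parsing is a finding to
    report, not a file to skip, because the OS may still load the app."""
    try:
        n = len(walk_chunks(blob))
    except ValueError as exc:
        return f"FLAG malformed manifest: {exc}"
    return f"OK {n} chunks"

# Constructed samples (not from any real APK): a minimal container holding an
# empty string pool (28-byte header) and an empty resource map ...
GOOD = (CHUNK_HDR.pack(RES_XML_TYPE, 8, 44)
        + CHUNK_HDR.pack(0x0001, 28, 28) + bytes(20)
        + CHUNK_HDR.pack(0x0180, 8, 8))
# ... and the same file whose last chunk claims to extend far past end of file.
BAD = GOOD[:36] + CHUNK_HDR.pack(0x0102, 8, 0x1000)
```

Run `scan_verdict(GOOD)` and `scan_verdict(BAD)` to see the two outcomes; the point is that the second result is a report, not a skipped file.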

Intelligence reports

  • The seventh Google Cloud Threat Horizons Report explains how malicious mobile apps evade Cloud Enterprise Detection through versioning.
  • Anubis, SpinOk, and AhMyth were the top three mobile malware families in July 2023 according to Check Point’s Most Wanted Malware Report.
  • The U.S. Department of Homeland Security (DHS) released the Cyber Safety Review Board’s (CSRB) report on the attacks associated with the threat actor group Lapsus$. Lapsus$ managed to breach well-known tech companies such as Microsoft, Cisco, Okta, Nvidia, T-Mobile, Samsung, Uber, Vodafone, Ubisoft, and Globant by taking over employee accounts using fraudulent SIM swaps. The report shows that Short Message Service (SMS) and voice-based multi-factor authentication (MFA) mechanisms are easier for criminals to defeat than mobile app-based MFA solutions.
  • The BlackBerry Global Threat Intelligence Report forecasts that mobile banking malware will increase with the growing usage of mobile banking apps over the next decade.
  • The Recorded Future Cyber Threat Analysis Report indicates that threat actors leverage legitimate internet services (LIS) such as Google Drive and Telegram in their command-and-control (C2) server infrastructure. Mobile malware is more likely than any other malware type to abuse LIS for dead-drop resolving (DDR), a technique in which the malware obtains the actual domain or IP address of the C2 server from a web service.
  • Kaspersky reports that 59,167 mobile banking trojans were detected in Q2 2023, a 2.7% increase over the previous quarter.
  • The UK’s National Cyber Security Centre (NCSC) and six partner agencies published the Infamous Chisel Malware Analysis Report. This new Android malware is linked to the Russian Sandworm APT and targets mobile devices used by the Ukrainian military. It exfiltrates system and device information as well as data from commercial and Ukrainian military-specific apps.