With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.
- Bluetooth advertising assault is a denial-of-service attack that uses only a Flipper Zero hacking device to push fake Bluetooth device alert pop-ups to iPhones continuously. It can be used in a highly targeted attack scenario to stall someone from using his/her iPhone until he/she figures out to completely turn off the Bluetooth.
- EvilBamboo is a China-based advanced persistent threat (APT) that typically uses three Android spywares in its operations: BADBAZAAR, BADSIGNAL, and BADSOLAR. There is strong evidence showing that the threat actor can also distribute malicious iOS apps to its targets via the Apple App Store.
- Evil Telegram mods are increasingly used by cybercriminals to distribute malware. In the latest incident, researchers found spyware in a telegram mod, distributed via Google Play Store, which steals victims’ messages, attachments in those messages, and contacts.
- Smishing Triad is a Chinese-speaking threat actor specializing in smishing. In the latest campaign, they use iMessage exclusively to steal personally identifiable information (PII) and payment credentials from iPhone users in the United States. This is likely because of the higher trust people have in the iMessage service compared to e-mail or SMS text messages.
- Transparent Tribe is a Pakistan-based advanced persistent threat (APT) that uses CapraRAT spyware to target political and military figures in the region. The recent discovery of two trojanized apps masquerading as YouTube apps and one as a YouTube channel persona app indicates that the threat actor started to lure their targets with YouTube themes.
- WiKI-Eve attack is a novel side-channel attack to eavesdrop keystrokes on a smartphone screen, for instance, to steal a code while the victim is entering it on a mobile payment app. It relies on a modern Wi-Fi feature, cleartext transmission of beamforming feedback information (BFI), between the smartphone and access point to optimize the signal transmission efficiency. In the WiKI-Eve attack, BFI is monitored by another Wi-Fi device, and it extracts the smartphone’s antenna position from cleartext BFI which is eventually processed and translated to numerical values.
- Xenomorph Android banking malware expands to the United States. It is observed that over 30 American bank apps and several cryptocurrency wallet apps have been added to the target list in the latest campaign. Its main attack capabilities are overlays and an advanced automated transfer system (ATS) enabled by accessibility service abuse.
- Zanubis Android banking malware targets over 40 banks and financial services apps in Peru. It abuses Android’s accessibility service to start keylogging or screen recording to steal user credentials.
Vulnerabilities & patches
- Android September security updates (2023-09-01 and 2023-09-05) patched 32 vulnerabilities, including a zero-day (CVE-2023-35674) actively exploited in the wild. Security patch level of 2023-09-05 or later addresses all these issues.
- BLASTPASS, a zero-click exploit chain to deploy NSO Group’s infamous Pegasus spyware to up-to-date iPhones (iOS 16.6), was revealed by Citizen Lab researchers. Apple patched actively exploited CVE-2023-41064 and CVE-2023-41061 in the iOS 16.6.1 version. Although support for the iOS 15 ended a year ago, Apple released the iOS 15.7.9 version to protect against this threat.
- A critical flaw (CVE-2023-4863) was discovered in the WebP library, which is believed to be actively exploited in the wild. It was patched in an emergency release (version 1.3.2). Google attempted to increase the severity score of this vulnerability from 8.8 to a maximum of 10.0 later on. Mobile applications built with libwebp library (e.g., Flutter framework) should consider a security update.
- Google’s Threat Analysis Group (TAG) and the Citizen Lab discovered a zero-day exploit chain targeting iPhones to deploy infamous Predator spyware. All the issues (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) were addressed by Apple in the iOS 17.0.1 and iOS 16.7 releases.
- Anubis, AhMyth, and SpinOk were the top three mobile malwares in August 2023 according to the Check Point’s Most Wanted Malware Report.
- According to the Netacea’s report, bot attacks on mobile apps surpassed the attacks on websites for the first time in 2022. As of 2023, mobile apps have become the predominant target over websites.
- The DEKRA’s SMS Doesn’t Stand for Secure Messaging Service whitepaper explains all documented security issues with SMS (Short Messaging Service) technology in detail. Amongst the different threats, SMS interception for stealing two-factor authentication codes of bank transactions and SMS spoofing for making phishing seem real are the most significant threats to mobile users.