With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.

Threat info

  • The Arid Viper advanced persistent threat (APT) group has been running an espionage campaign targeting Arabic-speaking Android users since April 2022. It distributes a malicious dating app that shares the same Firebase project and databases as the legitimate Skipped dating app; the reason for this overlap is not yet clear. The spyware exfiltrates sensitive user data, disables security notifications, and installs additional malware.
  • Bluetooth spam attacks using the Flipper Zero hacking device have been ported to Android; last month, the same attack was demonstrated against iOS devices. An Android app that creates fake Bluetooth device advertisements has also been released to perform similar attacks, eliminating the need for a Flipper Zero.
  • The Caracal Kitten threat group distributes the MOrder remote access trojan (RAT) disguised as the Kurdistan Democratic Party’s official mobile app. The threat actor has also been found to possess the more advanced AhMyth RAT, but there is no evidence that it has been used so far.
  • Golddigger, an Android banking trojan currently targeting people in Vietnam, abuses Android’s accessibility service to steal banking credentials and execute fraudulent transactions on victims’ devices. It targets 51 Vietnamese banking, e-wallet, and cryptocurrency wallet apps.
  • iLeakage is a speculative execution side-channel attack that can extract information from Safari browsers on Apple Macs, iPads, and iPhones. This new research demonstrates, with real-world examples, that the infamous Spectre attack is relevant to Apple’s Arm-based A- and M-series CPUs.
  • Lightspy, a sophisticated iOS spyware discovered in 2020, has been linked to the DragonEgg Android spyware that was discovered and attributed to the Chinese espionage group APT41 a couple of months ago. Research shows that APT41 has been developing mobile surveillance tools since 2018, and its command-and-control (C2) infrastructure is still expanding.
  • The Nexus Android banking trojan’s command-and-control (C2) server has been compromised, and various webinjects used in overlay attacks were found on it.
  • OAuth (Open Authorization), an open standard for access delegation, is often implemented incorrectly by developers in websites and mobile apps, which enables attackers to log in to a victim’s account using an access token stolen from one of the victim’s accounts at a different service.
  • Operation Triangulation, a sophisticated attack campaign that installs spyware on iOS devices via a zero-click iMessage exploit, shows how much complexity the threat actor built in to keep the attack stealthy and evade detection. Investigating such a sophisticated attack in depth was challenging for the researchers.
  • The RedAlert app (by Elad Nava) is a popular open-source app in Israel that warns users of missile attacks. Adversaries created a fake website impersonating the original to distribute a malicious version of the Android app that exfiltrates sensitive user data. The iOS link on the fake website points to the legitimate version in the Apple App Store, so only Android users are targeted.
  • The RedAlert app (by Kobi Snir) is another rocket alert app in Israel. The AnonGhost hacktivist group exploited an API vulnerability to send out fake warnings and create panic among the public.
  • A SpyNote Android malware campaign targeting Italy has been uncovered. The SpyNote-infected app is distributed via a fake IT-alert website that warns of an upcoming volcanic eruption followed by an earthquake and recommends installing the app to stay informed. IT-alert is the Italian government’s legitimate service for informing the public about imminent or ongoing disasters.
  • WeChat and the Kaspersky suite of applications have been banned on government-issued mobile devices in Canada.
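The OAuth item above describes a token being accepted by an app it was never issued for. The following is an added example, not part of the original roundup or of any Verimatrix tooling, that models this in Python: `FakeIdP`, the client id `bank-app`, the user `alice` and the token records are all constructed for the example. The vulnerable login path trusts any access token that resolves to a user; the hardened path introspects the token (RFC 7662-style `active`, `client_id`, `sub`, `exp` fields) and rejects it unless it was issued to this app's own client id and has not expired.

```python
import secrets
import time

# Assumed client id registered by the app we are defending (hypothetical value).
OUR_CLIENT_ID = "bank-app"


class FakeIdP:
    """Minimal stand-in for an OAuth authorization server (constructed for this
    example). Tokens are opaque strings; introspect() returns RFC 7662-style
    fields so the relying party can see which client a token was issued to."""

    def __init__(self):
        self._tokens = {}

    def issue(self, sub, client_id, ttl=3600):
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"sub": sub, "client_id": client_id,
                               "exp": time.time() + ttl}
        return token

    def _lookup(self, token):
        rec = self._tokens.get(token)
        if rec is None or rec["exp"] < time.time():
            return None
        return rec

    def userinfo(self, token):
        # What a typical /userinfo endpoint returns: identity, but not audience.
        rec = self._lookup(token)
        return {"sub": rec["sub"]} if rec else None

    def introspect(self, token):
        rec = self._lookup(token)
        if rec is None:
            return {"active": False}
        return {"active": True, "sub": rec["sub"],
                "client_id": rec["client_id"], "exp": rec["exp"]}


def login_insecure(idp, token):
    """Vulnerable pattern: any token that yields a user identity is accepted,
    so a token issued to some other app for the same user logs the holder in."""
    info = idp.userinfo(token)
    return info["sub"] if info else None


def login_secure(idp, token, expected_client_id=OUR_CLIENT_ID):
    """Hardened pattern: introspect the token and require that it is active and
    was issued to this app's client id (for JWT access tokens the equivalent
    check is on the `aud` claim). Returns the user id or None."""
    meta = idp.introspect(token)
    if not meta.get("active"):
        return None
    if meta.get("client_id") != expected_client_id:
        return None
    return meta["sub"]


def demo():
    """Returns (insecure result, secure result, secure result with own token)."""
    idp = FakeIdP()
    # Constructed scenario: alice's token was issued to a different app and
    # then stolen; the attacker presents it to our app's login endpoint.
    stolen_token = idp.issue("alice", "some-other-app")
    own_token = idp.issue("alice", OUR_CLIENT_ID)
    return (login_insecure(idp, stolen_token),
            login_secure(idp, stolen_token),
            login_secure(idp, own_token))


if __name__ == "__main__":
    print(demo())  # ('alice', None, 'alice')
```

The audience check is what breaks the cross-service token reuse the item describes: a token issued to another app is still a valid token for that app, so checking only "does this token resolve to a user" is not enough.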

Vulnerabilities & patches

Intelligence reports

  • According to the Federal Trade Commission’s report, investment fraud constituted more than 50% of the fraud losses on social media in the first six months of 2023. Fraudsters often use bogus investment websites and apps to lure people.
  • HUMAN’s report on the now-disrupted PEACHPIT botnet describes a massive ad fraud operation run through 20 Android, 16 iOS, and 3 CTV-centric apps. At its peak, 121,000 infected Android devices and 159,000 infected iOS devices generated more than 10 billion fraudulent ad requests per day.
  • The Security Lab at Amnesty International published a comprehensive report on the Intellexa alliance’s surveillance products, including the infamous Predator spyware and many others.
  • Doctor Web’s September 2023 report reveals that four adware apps masquerading as mobile games were downloaded more than 2 million times on the Google Play Store. The report’s key findings are a decrease in Android malware activity compared to the previous month and the detection of malicious apps in Google Play.
  • Anubis, AhMyth, and SpinOk were the top three mobile malware families in September 2023, according to Check Point’s Most Wanted Malware report.
  • The National Kenya Computer Incident Response Team – Coordination Centre’s 31st Cybersecurity report shows an increase in mobile application attacks targeting end-user devices in the third quarter of 2023 compared to the second quarter, while total mobile app attacks decreased over the same period.