With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.

Threat info

  • Enchant, a new Android malware, targets Chinese-speaking people with a special focus on cryptocurrency wallet apps. It abuses the Accessibility service to steal private keys, wallet addresses, mnemonic phrases, asset details, and wallet passwords. It is distributed through fake adult websites.
  • FjordPhantom, a new Android banking trojan, targets mobile banking customers in Southeast Asia. Instead of overlaying or repackaging the bank's app, it loads the genuine banking app inside a virtual container in its own process and attaches a hooking framework there, so it can observe and tamper with the app's security checks (for example root, tamper, or debugger detection) from inside the same process. One victim reportedly lost 10 million Thai Baht (about €262,000) to this malware.
  • Fraudulent apps impersonating legitimate organizations in the banking, government services, and utilities sectors steal banking credentials and payment information from Android users in India. These fake apps also access SMS messages to obtain one-time passwords (OTPs) and bypass multi-factor authentication (MFA).
  • The incremental malicious update attack (IMUTA) is a proof-of-concept that bypasses Play Store vetting by publishing a benign app first and then adding malicious features across successive, individually innocuous-looking updates.
  • Kamran is a recently discovered Android spyware targeting Urdu-speaking people in the disputed Gilgit-Baltistan region, north of Kashmir.
  • Booking.com property (host) accounts are being compromised at scale in ongoing campaigns. Once adversaries control a property account, they use the platform's own messaging to send well-crafted phishing messages to that property's upcoming guests, asking them to confirm or re-enter payment details. Because the message arrives in the official app from a legitimate property account the guest has actually booked with, it is highly convincing, and the likelihood that victims follow the instructions and hand over their payment information is high. Travelers should treat any in-app request to re-enter payment data, even from a genuine host, with suspicion.
  • SecuriDropper is a Dropper-as-a-Service (DaaS) offering that helps mobile malware bypass the Restricted Settings security feature introduced in Android 13. Restricted Settings blocks sideloaded apps from being granted Accessibility service (and notification listener) access. Android decides whether an app counts as sideloaded from how it was installed: apps installed through the session-based PackageInstaller API, the path used by official app stores, are not restricted, whereas apps installed through the older intent-based flow are. Dropper services install the payload through a session-based installation, so Android treats it as store-installed and the payload can then request Accessibility access. With the increasing adoption of Android 13, the use of such dropper services by threat actors has been rising.
  • SpyC23, an Android spyware developed by Arid Viper APT, abuses Android’s Accessibility service and is distributed through trojanized Telegram and Skipped Messenger apps in the most recent campaign.
  • The malware campaign discovered in the summer of 2023 is still actively attacking Iranian mobile banking users. Since then the threat actor has added new banks to the target list and gained overlay-attack capability.
  • Spyware-laced WhatsApp mods have been discovered; most victims are in Azerbaijan, with infections detected in more than a hundred other countries. Threat actors spread these malicious mods via Telegram channels and websites. The mods not only steal victims' personal data, files, and device information, but also stealthily record private conversations.
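The FjordPhantom item above relies on the real banking app running inside another app's process. The following added example (written for this roundup, not code from Verimatrix or from any of the reports it links) shows the kind of startup self-check a banking app can run to notice that situation. The class name `VirtualContainerCheck` is hypothetical, and the checks are heuristics: every expected path and name here is an assumption about a normally installed app, and a container that also patches `ApplicationInfo` and `/proc` reads will not be caught by all of them.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Process;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Heuristic checks an Android app can run at startup to detect that it has been
 * loaded inside another app's process (an app-virtualization container) rather
 * than installed and started by the platform. Hypothetical helper written for
 * this roundup; assumes the app does NOT declare a sharedUserId.
 */
public final class VirtualContainerCheck {

    private VirtualContainerCheck() {}

    /** Returns human-readable findings; an empty list means nothing looked suspicious. */
    public static List<String> findings(Context ctx) {
        List<String> out = new ArrayList<>();
        String pkg = ctx.getPackageName();
        ApplicationInfo ai = ctx.getApplicationInfo();

        // 1. A normally installed app's data dir is /data/user/<n>/<pkg> (or /data/data/<pkg>).
        //    Inside a container the app's data lives under the HOST app's data directory.
        String dataDir = ai.dataDir == null ? "" : ai.dataDir;
        if (!dataDir.matches("^/data/(user/\\d+|data)/" + Pattern.quote(pkg) + "$")) {
            out.add("dataDir does not belong to this package: " + dataDir);
        }

        // 2. The Linux UID of this process must map back to our own package. In a
        //    container the process runs as the host app, so the platform reports its name.
        String uidName = ctx.getPackageManager().getNameForUid(Process.myUid());
        if (uidName == null || !uidName.equals(pkg)) {
            out.add("process uid belongs to " + uidName + ", expected " + pkg);
        }

        // 3. /proc/self/cmdline is the process name the platform started us with. Our own
        //    processes are "<pkg>" or "<pkg>:suffix"; a container's stub process is named
        //    after the host app.
        String cmdline = readFirstLine("/proc/self/cmdline");
        if (cmdline != null) {
            cmdline = cmdline.replace("\0", "");
            if (!cmdline.equals(pkg) && !cmdline.startsWith(pkg + ":")) {
                out.add("process name is " + cmdline + ", expected " + pkg);
            }
        }

        // 4. APKs mapped into this process. Under /data/app we expect only our own
        //    package (base and split APKs); a container maps the host's APK as well.
        //    Assumption: other /data/app APKs (e.g. an updatable WebView) are allow-listed
        //    by the caller before acting on this finding.
        Set<String> foreign = new LinkedHashSet<>();
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                int end = line.indexOf(".apk");
                int start = line.indexOf("/data/app/");
                if (end < 0 || start < 0 || start > end) continue;
                String path = line.substring(start, end + 4);
                if (!path.contains("/" + pkg + "-")) foreign.add(path);
            }
        } catch (IOException e) {
            out.add("could not read /proc/self/maps: " + e.getMessage());
        }
        for (String p : foreign) out.add("foreign APK mapped into process: " + p);

        return out;
    }

    private static String readFirstLine(String path) {
        try (BufferedReader r = new BufferedReader(new FileReader(path))) {
            return r.readLine();
        } catch (IOException e) {
            return null;
        }
    }
}
```

A non-empty result is a signal to refuse to proceed (or to report to the bank's fraud backend), not proof on its own; the checks are cheap to run together, and a container has to defeat all of them consistently, which is harder than defeating any one.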

Vulnerabilities & patches

Intelligence reports