With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.

Threat info

  • A copycat of the LastPass mobile app was found in the Apple App Store. The fraudulent app is called LassPass Password Manager, and it has already been removed from the official store. Password manager apps store user credentials, and thus they are top targets of cybercriminals.
  • Apple’s AirDrop feature was allegedly decoded by the Beijing Wangshendongjian Judicial Appraisal Institute. The forensic lab built a tool for Chinese authorities that recovers the AirDrop sender’s phone number and email address from the device logs on the recipient’s iPhone. It uses rainbow tables to reveal the sender’s information.
  • A fake Scameter mobile app is being used to scam Hongkongers. Ironically, the original app is designed to help the public identify scams.
  • An iPhone thief reveals his techniques for stealing phones and getting into banking apps.
  • iOS apps can abuse push notifications to forward analytics data and device information. iOS does not let apps run freely in the background, but it does allow them to process a push notification for a short time before it is presented to the user. It was discovered that some data-hungry apps use this window to collect and report data, which can be used for fingerprinting and tracking users even if they are not using the app at all.
  • MavenGate is a recently discovered supply chain attack that can infect Java and Android applications through unmaintained and abandoned dependencies. In Maven-based ecosystems, including the popular Gradle build tool, a library’s group ID is tied to a domain name derived from that ID. When a project’s domain expires, a malicious actor can re-register it and take over ownership of the project. Consequently, a malicious version of the library can be distributed as a new release or replace an existing release.
  • MoqHao, also known as XLoader, is an Android malware deployed by the Roaming Mantis campaign. The latest variant has a new capability: it automatically launches after installation without user interaction. This variant targets Android users mainly in Japan and South Korea, but also in France, Germany, and India. It attacks victims by delivering phishing messages for financial gain.
  • Romance scams increased by 22% last year. £6,937 was stolen on average per victim. Romance scammers usually use social media and dating apps to lure their victims.
  • The unauthenticated keystroke injection attack in Bluetooth can trigger a factory reset and remotely wipe data on a mobile phone. The Bluetooth vulnerability that enables this attack has been fixed only on newer Android and iOS devices.
  • Two US insurance firms informed 66,000 people that their personal information may have been stolen in SIM-swapping attacks. App-based two-factor authentication protects against this attack.
  • VajraSpy, an Android spyware developed by the Patchwork APT, steals contacts, files, call logs, and SMS messages. Some advanced variants can also steal WhatsApp and Signal messages, record calls, and take photos. Patchwork distributes trojanized apps via the Google Play Store and third-party app stores to target users in Pakistan.
  • Wizz app, a social media app for teenagers with approximately 20 million active users, has been removed from the Apple App Store and the Google Play Store due to financial sextortion scams targeting its users.
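The MavenGate item above hinges on one detail: a Maven group ID such as com.example.lib implies that its publisher controls example.com, so a lapsed domain is the thing a defender should look for in their own dependency tree. The following is an added example (not code from Verimatrix or from the MavenGate researchers) of a small audit script that pulls group IDs out of Gradle or pom.xml text, maps each to the domain its owner must control, and flags domains that no longer resolve. The function names, the sample build text and the set of "registered" domains are all constructed for the demo; the domain mapping is a simplification that ignores the public suffix list (country-code second-level domains such as co.uk would need it), and the Gradle regex only handles the quoted group:artifact:version form.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Group-ID prefixes that belong to shared code-hosting platforms. The author of such a
# library never registered the domain themselves, so it cannot lapse the MavenGate way.
PLATFORM_PREFIXES = ("io.github", "com.github", "io.gitlab", "org.bitbucket")

# Gradle string coordinates: 'group:artifact:version' (single or double quoted).
GRADLE_DEP = re.compile(r"""['"]([\w.\-]+):([\w.\-]+):([\w.\-]+)['"]""")
# pom.xml dependency group IDs.
POM_DEP = re.compile(r"<groupId>\s*([\w.\-]+)\s*</groupId>")


def extract_group_ids(build_text: str) -> List[str]:
    """Return the sorted, de-duplicated group IDs found in Gradle or pom.xml text."""
    groups = [m.group(1) for m in GRADLE_DEP.finditer(build_text)]
    groups += POM_DEP.findall(build_text)
    return sorted(set(groups))


def registrable_domain(group_id: str) -> Optional[str]:
    """Map a reverse-DNS group ID to the domain its owner must control.

    'com.example.lib' -> 'example.com'. Platform-hosted groups return None.
    Simplification: takes the first two labels, so ccSLDs like 'uk.co.x' are mis-mapped.
    """
    for prefix in PLATFORM_PREFIXES:
        if group_id == prefix or group_id.startswith(prefix + "."):
            return None
    labels = group_id.split(".")
    if len(labels) < 2:
        return None
    return ".".join(reversed(labels[:2]))


def dns_resolves(domain: str) -> bool:
    """Live check: True if the domain currently has an address record (needs network)."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit_dependencies(
    build_text: str, resolves: Callable[[str], bool] = dns_resolves
) -> Dict[str, List[str]]:
    """Return {domain: [group_ids]} for every owning domain that does not resolve.

    A non-resolving domain is a signal to investigate, not proof of a takeover: a
    registered domain with no DNS records and a lapsed domain both land here. The
    resolver is injectable so the audit can run offline against constructed data.
    """
    by_domain: Dict[str, List[str]] = {}
    for gid in extract_group_ids(build_text):
        dom = registrable_domain(gid)
        if dom is None:
            continue
        by_domain.setdefault(dom, []).append(gid)
    return {dom: gids for dom, gids in by_domain.items() if not resolves(dom)}


# Constructed sample build fragment mixing Gradle and pom.xml syntax.
SAMPLE_BUILD = """
dependencies {
    implementation 'org.example-active:core:2.1.0'
    implementation 'com.abandoned-lib.util:util:0.9.1'
    implementation 'io.github.someuser:helper:1.0.0'
    testImplementation "com.abandoned-lib:legacy:3.0.0"
}
<dependency>
  <groupId>net.defunct-project</groupId>
  <artifactId>parser</artifactId>
</dependency>
"""

# Constructed stand-in for DNS: only this domain "resolves" in the demo.
REGISTERED = {"example-active.org"}


def demo() -> Dict[str, List[str]]:
    """Run the audit on the constructed sample with the offline resolver."""
    return audit_dependencies(SAMPLE_BUILD, resolves=lambda d: d in REGISTERED)


if __name__ == "__main__":
    for dom, gids in demo().items():
        print(f"{dom}: verify ownership for {', '.join(gids)}")
```

In practice the flagged domains are then checked against WHOIS creation dates and the publisher's current contact details; a domain that was re-registered recently, after a long gap, is the case the MavenGate write-up describes. Pinning dependency checksums or signatures in the build adds a second line of defence that does not depend on the domain at all.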

Vulnerabilities & patches

  • CISA adds CVE-2023-41990 to its known exploited vulnerabilities catalog. This vulnerability has been exploited in the Operation Triangulation campaign since 2019, and it was finally uncovered when Kaspersky researchers were targeted last year. Apple mitigated it by improving cache handling.
  • Firmware vulnerabilities are being exploited by forensic companies to extract information from Android devices that are not at rest. GrapheneOS has already reported these vulnerabilities to the Android Vulnerability Reward Program.
  • LeftoverLocals vulnerability (CVE-2023-4969) enables recovery of another process’s data on graphics processing unit (GPU) memory. Apple, Qualcomm, and AMD GPUs are affected. GPU applications, such as large language models or machine learning applications, are at risk when running on a vulnerable GPU.
  • Apple patched an actively exploited zero-day (CVE-2024-23222) in the iOS 17.3 and iOS 16.7.5 releases. This flaw is a type confusion vulnerability that could lead to arbitrary code execution. It was fixed with improved checks. Apple also backported the fixes for two actively exploited zero-days (CVE-2023-42916 and CVE-2023-42917) to older devices in the iOS 15.8.1 release.
  • CISA adds CVE-2022-48618 to its known exploited vulnerabilities catalog. It is a kernel flaw that leads to a pointer authentication bypass. It may have been exploited against versions of iOS released before iOS 15.7.1.
  • It was found that several manufacturers (OEMs) signed their APEX modules with the test private keys that are publicly available in the Android Open Source Project (AOSP) source repository. This allows anyone to forge an update for these modules. Security patch level 2023-12-05 or later addresses the issue (CVE-2023-45779).

Intelligence reports

  • The report of the Network Contagion Research Institute, in collaboration with the Rutgers University Miller Center, suggests that the TikTok app suppresses or amplifies content in the interests of the Chinese government.
  • Anubis, AhMyth, and Hiddad were the top three mobile malware families in December 2023, according to Check Point’s Most Wanted Malware Report.
  • The Network Contagion Research Institute’s (NCRI) report shows that financial sextortion scams are the most rapidly growing cybercrime targeting minors in the United States, Canada, and Australia. Scammers contact children through fake profiles on social media apps and use advanced tools like generative AI to trick them.
  • Doctor Web’s December 2023 report indicates that adware trojans from the Android HiddenAds family were detected most often, while Android banking trojan (1%) and spyware (10%) activity slightly decreased in December. A couple of malicious apps were also found in the Google Play Store.
  • The Access Now report finds that at least 35 individuals in Jordan have been targeted by the infamous Pegasus spyware since 2019.
  • The Google Threat Analysis Group’s (TAG) report discusses commercial surveillance vendors in depth. These vendors are behind half of known zero-day exploits targeting Google products and Android devices.