With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.
Threat info
- DNS-based data infiltration is used to activate the malicious functionality hidden inside otherwise benign apps; 11 such apps were found on the Play Store. The app queries an adversary-controlled DNS server, which returns the configuration needed for activation, selected according to the victim’s mobile carrier.
- Fake mobile shopping apps are used to steal personal data and payment information. They attract online shoppers with exclusive deals and are usually disguised as official retail apps.
- Ghost Tap, a new technique for cashing out stolen credit card details, likely goes undetected by traditional fraud prevention systems. Cybercriminals sidestep online fraud detection by making the payments at POS terminals in physical stores instead. To protect their identity, they use money mules: the mule goes to the shop and, using special relay software on their phone, bridges NFC traffic between the cybercriminals’ wallet app and the POS terminal.
- Godfather Android banking trojan has expanded its reach to Japan, Singapore, Greece, and Azerbaijan. It abuses Android’s accessibility service and targets 500 banking and cryptocurrency apps.
- Grand Theft Auto (GTA) VI will be released in 2025. Fraudsters have already started creating fake releases to distribute mobile malware.
- G700 RAT, an advanced variant of CraxsRAT, has been discovered. It targets Android devices and cryptocurrency applications.
- Locate X, a technology harvesting location data from ordinary mobile apps, was used for surveillance by the United States Secret Service in the past but is no longer used.
- Octo2 Android banking trojan is distributed via physical letters in Switzerland. The letter asks the recipients to install a new severe weather app from the Federal Office of Meteorology and Climatology, MeteoSwiss, via a QR code. However, this is the Octo2 banking trojan that attempts to steal login credentials from 383 targeted mobile apps.
- PixPirate Android banking trojan targets Brazil’s instant payments system PIX by abusing Android’s accessibility service. It is now detected in India and, to a lesser extent, in Mexico and Italy. Whether PixPirate is going after India’s Unified Payments Interface (UPI) instant payments system is not yet clear.
- Scams are on the rise in India. In one significant case, scammers made the victim buy a smartphone and kept her under video surveillance with the smartphone’s camera for 6 days. $300,000 was stolen from the victim.
- An SMS blaster attack sent almost a million smishing messages in 3 days to nearby phones in Thailand. It relies on a mobile rogue cellular base station that pushes messages directly to phones in range, bypassing the SMS firewalls of the mobile operators.
- Social media access for children under 16 is banned in Australia.
- SpyLoan (predatory loan apps) activity surged in the mobile threat landscape. The number of malicious SpyLoan apps and unique infected devices increased by over 75% in a quarter. 15 apps with over 8 million installations cumulatively were found on the Play Store.
- Spyware is being used more in Italy than in the rest of Europe. Italian commercial spyware vendors focus on cheaper products, which makes the spyware more accessible. One of those products is Hermit, which was seen in Italy, Syria, and Kazakhstan.
- TikTok was ordered to dissolve its business operations in Canada due to national security concerns; however, the government does not prevent Canadians from accessing the app.
- ToxicPanda Android banking trojan targets mobile banking users in Italy, Portugal, Spain, and Latin America. Italy is the main target, with more than 50% of the infected devices. Like many others, ToxicPanda abuses Android’s accessibility service to perform on-device fraud. Its source code shows the characteristics of an early-stage software project, indicating that the malware is still under development. The most significant aspect of this campaign is that a Chinese-speaking threat actor is carrying out a mobile banking malware campaign in Europe.
- Triad Nexus, a malicious domain cluster in the Chinese FUNNULL Content Delivery Network (CDN), uses fake trading and adult-themed apps in financial fraud campaigns globally.
- A winter fuel payment scam campaign is spreading in the UK via SMS messages. It aims to deceive low-income citizens into revealing their personal information and payment details through phishing websites impersonating the UK government’s official site.
- WhatsApp vulnerabilities were repeatedly exploited by the NSO Group to deliver its infamous Pegasus commercial spyware. According to the recently unsealed court documents, “NSO Group admitted developing those exploits by extracting and decompiling WhatsApp’s code, reverse-engineering WhatsApp, and designing and using their own ‘WhatsApp Installation Server’ (or ‘WIS’) to send malformed messages through WhatsApp servers.”
- Xiū Gǒu Phishing Kit is used exclusively to target mobile users by distributing the links to phishing websites in Rich Communication Services (RCS) messages.
- Zello, a push-to-talk walkie-talkie app used by 140 million people worldwide, advises users to reset their passwords if their accounts were created before November 2nd, 2024. They likely suffered a data breach or a credential-stuffing attack.
Vulnerabilities & patches
- Google patched CVE-2024-43093, a privilege escalation vulnerability in the Android Framework component reported to be under limited, targeted exploitation, in security patch level 2024-11-01. The Qualcomm DSP vulnerability CVE-2024-43047, also listed as exploited in this month’s Android Security Bulletin, is fixed in the 2024-11-05 patch level, so devices on Qualcomm chipsets need the later level.
- Apple patched 2 actively exploited vulnerabilities, CVE-2024-44308 (JavaScriptCore) and CVE-2024-44309 (WebKit), in the iOS 18.1.1 release. Apple reports the exploits only on Intel-based Mac systems, but since the same browser engine code ships in iOS, this is a strong indicator that exploits against iPhones exist in the wild as well.
- FlipaClip, a popular animation app, patched a vulnerability that exposed personal data of almost 900k user accounts, including names, dates of birth, e-mail addresses, and countries of residence.
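The two items above give concrete patch floors: Android security patch level 2024-11-01 (Framework fix) or 2024-11-05 (Qualcomm fix), and iOS 18.1.1. The following is an added example, not code from the roundup, Google or Apple, that turns those floors into a fleet check over an inventory export. The inventory format and device names are constructed for the example; the Android values are what `adb shell getprop ro.build.version.security_patch` returns. The iOS 17.7.2 floor is taken from Apple’s advisory for the same two CVEs, which the roundup itself does not mention.

```python
"""Flag mobile devices below the patch levels named in this section.
Added example; thresholds and inventory format are assumptions, see comments."""
from datetime import date

# Android: security patch level (from ro.build.version.security_patch) per CVE.
ANDROID_FIXES = {
    "CVE-2024-43093": date(2024, 11, 1),   # Framework EoP, patch level 2024-11-01
    "CVE-2024-43047": date(2024, 11, 5),   # Qualcomm DSP bug, patch level 2024-11-05
}
# iOS: minimum version per release branch for CVE-2024-44308 / CVE-2024-44309.
IOS_CVES = ["CVE-2024-44308", "CVE-2024-44309"]
IOS_FIXES = {
    18: (18, 1, 1),   # iOS 18.1.1 (as in the roundup)
    17: (17, 7, 2),   # iOS 17.7.2 back-port (from Apple's advisory, not the roundup)
}

# Constructed sample inventory: "<device> <platform> <version>" per line.
SAMPLE_INVENTORY = """\
# hypothetical device IDs
pixel-7-qa   android  2024-11-05
galaxy-s22   android  2024-10-01
moto-g54     android  2024-11-01
lab-iphone   ios      18.1.1
iphone-13    ios      18.1
iphone-12    ios      17.7.1
"""


def parse_patch_level(s):
    """'2024-11-05' -> date(2024, 11, 5); raises on malformed input."""
    y, m, d = (int(x) for x in s.split("-"))
    return date(y, m, d)


def parse_ios_version(s):
    """'18.1' -> (18, 1, 0) so that a 2-part version compares correctly."""
    parts = [int(x) for x in s.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def missing_android_fixes(patch_level):
    level = parse_patch_level(patch_level)
    return [cve for cve, floor in ANDROID_FIXES.items() if level < floor]


def missing_ios_fixes(version):
    v = parse_ios_version(version)
    floor = IOS_FIXES.get(v[0])
    if floor is None:
        # Branches newer than 18 shipped after the fix; older than 17 never got it.
        return [] if v[0] > 18 else list(IOS_CVES)
    return [] if v >= floor else list(IOS_CVES)


def missing_fixes(platform, version):
    if platform == "android":
        return missing_android_fixes(version)
    if platform == "ios":
        return missing_ios_fixes(version)
    raise ValueError(f"unknown platform {platform!r}")


def exposed_devices(inventory):
    """Return {device: [missing CVEs]} for every device below a patch floor."""
    exposed = {}
    for line in inventory.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        device, platform, version = line.split()
        missing = missing_fixes(platform, version)
        if missing:
            exposed[device] = missing
    return exposed


if __name__ == "__main__":
    for device, cves in exposed_devices(SAMPLE_INVENTORY).items():
        print(f"{device}: update needed, missing {', '.join(cves)}")
```

The Android check deliberately reports the two CVEs separately: a device on 2024-11-01 has the Framework fix but, if it runs a Qualcomm chipset, still lacks the DSP fix from the 2024-11-05 level. The patch level string only proves the vendor built in the fixes claimed for that level, so for high-value devices pair this with the vendor’s own bulletin rather than trusting the date alone.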
Intelligence reports
- Which?’s research shows how Internet of Things (IoT) device manufacturers collect excessive data, often with little transparency and security. The Information Commissioner’s Office (ICO), the UK’s data regulator, plans to publish new guidance on consumer IoT devices in spring 2025.
- Kaspersky’s Crimeware and Financial Cyberthreats in 2025 Report predicts a rapid increase in financial cyberattacks targeting smartphones in 2025. Their other report, Advanced Threat Predictions for 2025, predicts growing APT activity against IoT devices, driven by wider adoption and a complex, poorly secured attack surface spanning the backend, device firmware, the manufacturing process, and the mobile app.
- Google launched an online scam advisory. The 5 recent scam trends are realistic public figure impersonation campaigns, crypto investment schemes, app and landing page cloning, landing page cloaking, and exploitation of major events.
- Joker, Necro, and Anubis were the top 3 mobile malware families in October, according to Check Point’s Most Wanted Malware Report.
- Orange Cyberdefense CERT’s report states that the risk of zero-day exploitation in China’s state-sponsored hacking campaigns is high because, since 2021, Chinese security researchers have been required to report their vulnerability findings to the Ministry of Industry and Information Technology (MIIT) before disclosing them. Under this framework, MIIT maintains a Mobile Applications Vulnerability Database.
- Kaspersky’s IT threat evolution in the Q3 2024 Mobile Statistics Report shows that unique Android banking trojan (ABT) installation packages increased by 37% compared to Q2 2024. The total number of mobile attacks decreased by 13%.