With a special focus on mobile apps and connected, unmanaged devices, this VMX Labs Cybersecurity Threat Roundup is compiled by Verimatrix cybersecurity researchers and data scientists. It includes links to notable threat advisories over the last month, information on vulnerabilities and patches, and links to recent intelligence reports.

Threat info

  • DroidBot Android banking trojan targets users of banking, cryptocurrency, and national organization apps in the United Kingdom, Italy, France, Spain, and Portugal. It abuses Android’s accessibility service and offers standard banking malware features such as SMS monitoring, Virtual Network Computing (VNC), overlay attacks, keylogging, and remote control. DroidBot uses MQTT and HTTPS communication protocols.
  • Earth Minotaur threat group uses the MOONSHINE exploit kit to install the DarkNimbus backdoor on the Android devices of Tibetan and Uyghur users. The exploit kit delivers the backdoor through vulnerabilities in messaging apps: specifically, already known vulnerabilities in the Chromium-based browsers that these apps embed to provide a custom in-app browsing experience. DarkNimbus steals conversations in messaging apps by misusing Android’s accessibility service.
  • EagleMsgSpy, a lawful intercept surveillance tool used by law enforcement in China, collects extensive information from targeted Android devices, such as text messages, calls, location, device and network details, screen and audio recordings, media files, call logs, contacts, bookmarks, a list of files in external storage, and installed apps. There are also indicators of an iOS version of the tool.
  • The evolving Android banking trojans Antidot and Remo were discovered in the wild.
  • Gamaredon, a Russian advanced persistent threat group, uses BoneSpy and PlainGnome Android spyware for surveillance operations among Russian speakers in the former Soviet states. BoneSpy and PlainGnome can steal extensive information from their targets.
  • GodLoader delivers malware across multiple platforms by exploiting the Godot Engine, a cross-platform, free, open-source game engine. An Android version is theoretically possible but requires modifications to the Godot Engine. However, an iOS version is unlikely due to Apple’s strict vetting process.
  • Google support scams target cryptocurrency investors to drain their wallets by stealing the recovery phrases. Approximately $450,000 and $4,725,000 were stolen in two incidents. In the former case, an image of the recovery phrase was found in the victim’s Google Photos. In the latter, a phishing website was used to deceive the victim into entering the secret phrase.
  • Hardcoded API keys of a third-party push notification service were extracted from the mobile apps of an insurance company and the electronic toll collection system in Turkey. Users were bombarded with offensive messages followed by false threats to share their data unless a Bitcoin payment was made.
  • A new Mamont Android malware campaign spreads the malware disguised as a parcel-tracking app. It has a limited feature set that can be used to steal user credentials and SMS messages. The campaign exclusively targets Russia.
  • A new variant of the Monokle spyware was covertly implanted by the Russian authorities on the Android phone of a suspected Ukraine supporter. It was installed on the device as a trojanized version of the Cube Call Recorder application. The spyware monitors the device location, records phone calls and the user’s keystrokes, and steals messages from encrypted messaging apps. There are also indicators of an iOS version of the spyware.
  • A new Android banking trojan, disguised as utility services (gas or electricity) or banking apps, targets Indian users to steal financial data (credit card and/or online banking) and one-time passwords (OTP) in SMS messages.
  • A new NGate Android banking trojan campaign targets bank customers in Russia. NGate relays NFC data from a physical payment card to an attacker-controlled phone via a malicious app installed on the victim’s Android phone, which enables the attacker to withdraw money from an ATM.
  • Operation MIDAS investigates a sophisticated fraudulent home trading system in South Korea. Scammers offer the mobile version of the trading system as a fallback option if the victim does not have access to a PC. The mobile version distributes a fraudulent web application built on the cross-platform Flutter framework, which lets the criminals build the application for different target platforms.
  • A novel QR-code phishing delivery technique evades antivirus solutions with corrupted MS Word attachments, which the recovery feature of MS Word repairs when they are opened. Scanning the malicious QR code in a file redirects victims to a fake Microsoft login page on their mobile devices.
  • Salt Typhoon, a Chinese advanced persistent threat actor, compromised telecommunications companies in a few dozen countries in a two-year espionage campaign. It exfiltrated extensive user call records, intercepted targeted individuals’ phone calls, and accessed the systems that allow law enforcement and intelligence agencies with court orders to track people’s communications. CISA and the FBI recommended end-to-end encrypted messaging apps for calls and text messages to minimize the chances of interception.
  • Smishing Triad targets residents of the UAE in a social engineering campaign by impersonating law enforcement. Before contacting victims over the phone, they send fake payment requests from the Dubai Police for traffic tickets, parking violations, and driving license renewals via SMS/iMessage or email.
  • Spyware was found in the Amazon App Store. It operates as a simple body mass index (BMI) calculator app while collecting information (installed apps and SMS messages) from its targets in the background.
  • Task/job scams rely heavily on mobile apps to make fake earnings look real. These scams ask victims to perform simple repetitive tasks to earn a small income and eventually demand a deposit before the supposed earnings can be withdrawn from the app. Reported losses to task scams increased more than threefold from 2020 to 2023.
  • The threat actor UAC-0125 distributes a fake Windows version of the Army+ mobile app, which the Ukrainian Ministry of Defense introduced last summer to make services for the armed forces paperless. The fake app installs a backdoor on the victim’s PC.
  • The Viber messaging app is banned in Russia.

Vulnerabilities & patches

  • A bypass vulnerability (CVE-2024-44131) in the iOS Transparency, Consent, and Control (TCC) subsystem allows a malicious app to access sensitive user data without notification or permission. It was patched in the iOS 18 release.
  • Meta mitigated a trivial bypass of the WhatsApp View Once feature via WhatsApp Web with server-side improvements.

Intelligence reports

  • Joker, Anubis, and Necro were the top three mobile malware families in November, according to Check Point’s Most Wanted Malware Report.
  • ESET’s Threat Report H2 2024 indicates that Android financial threats, targeting banking apps and cryptocurrency wallets, grew by 20%. This increase is primarily driven by the Cerberus Android banking trojan (+56%), which mainly performs overlay attacks to steal user credentials.
  • Amnesty International’s report on surveillance and suppression of civil society in Serbia reveals the details of newly discovered NoviSpy Android spyware.
  • A study commissioned by the UK’s Information Commissioner’s Office (ICO) reveals that 29% of UK adults do not know how to erase their personal information from an old device or tech product before disposing of it, which poses considerable privacy and security risks.
  • Dr. Web reports high adware and fake app activity in Q4 2024. Over 60 malicious apps were also detected on Google Play in this quarter.