Android Security & Malware

A Year in Review of Zero-Days Exploited In-the-Wild in 2023 -In 2023, there were 97 zero-day vulnerabilities exploited, a significant rise of over 50% compared to 2022 (62 vulnerabilities) -Espionage was the primary motive behind 48 out of 58 zero-day vulnerabilities analyzed -Most of the zero-day vulnerabilities found last year were in phones, operating systems, and web browsers https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Year_in_Review_of_ZeroDays.pdf

Malicious proxy malware was found in 28 apps available on Google Play Store. These trojanized apps were overall installed over 3,240,000 times https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-proxylib-and-lumiapps-transform-mobile-devices-into-proxy-nodes

Address Sanitizer for Bare-metal Firmware This led to early discovery of memory corruption issues that were easily remediated due to the actionable reports produced by KASan. These builds can be used with fuzzers to detect edge case bugs https://security.googleblog.com/2024/03/address-sanitizer-for-bare-metal.html

Detecting Banker Malware Installed on Android Devices https://itnext.io/detecting-banker-malware-installed-on-android-devices-4c96287138e2

BlueDucky automates exploitation of Bluetooth pairing vulnerability that leads to 0-click code execution ▪️automatically scans for devices ▪️store MAC addresses of devices that are no longer visible but have enabled Bluetooth ▪️uses Rubber Ducky payloads https://www.mobile-hacker.com/2024/03/26/blueducky-automates-exploitation-of-bluetooth-pairing-vulnerability-that-leads-to-0-click-code-execution/

SSRF in Mobile Security Framework (MobSF) version 3.9.5 Beta and prior (CVE-2024-29190) MobSF does not perform any input validation when extracting the hostnames in android:host, so requests can also be sent to local hostnames. This can lead to server-side request forgery (SSRF). An attacker can cause the server to make a connection to internal-only services within the organization's infrastructure https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wfgj-wrgh-h3r3

Bluetooth vulnerability allows unauthorized user to record & play audio on Bluetooth speaker via #BlueSpy Prevention section explains how you can check if your Bluetooth LE speakers/headsets are vulnerable to this attack using nRF Connect app https://www.mobile-hacker.com/2024/03/22/bluetooth-vulnerability-allows-unauthorized-user-to-record-and-play-audio-on-bluetooth-speakers/

Oversecured published vulnerability scan reports for 225 Google-owned apps https://blog.oversecured.com/Oversecured-Apps-Care-Part-1-Vulnerability-disclosure-of-225-Google-apps/

Android crimeware reports on Tambir, Dwphon and Gigabud malware families https://securelist.com/crimeware-report-android-malware/112121/

[Questionnaire] We are writing here to get some insights from dedicated malware analysis experts. We are a group of experienced researchers, and we developed a state-of-the-art sandbox for Android malware. We are absolutely convinced that it makes sense to bring this technology to the market, but we need to picture your biggest sandbox needs in your daily work. The idea is to grasp what are, in your eyes, the must-haves of a sandbox. Our goal is to shape the product accordingly and make it available in the forthcoming months/next few months. To this end, we prepared a quick (approximately 15-minutes) questionnaire, and it would really mean a lot to us if you could share your valuable feedback. Thanks to this, we hope to offer you soon a gain of efficiency, time and energy in your job. Questionnaire: https://forms.gle/qJ9ck8UH5WQK6jAZ8

The complexity of reversing Flutter applications https://www.fortiguard.com/events/5403/nullcon-berlin-2024-the-complexity-of-reversing-flutter-applications [slides] https://filestore.fortinet.com/fortiguard/research/nullcon.pdf

Analysis of suspicious SMS that leads to install Android malware https://labs.k7computing.com/index.php/suspicious-text-messages-alert/

A vulnerability (CVE-2023-6241) in the Arm Mali GPU to gain arbitrary kernel code execution from an untrusted app on a Pixel 8 with MTE enabled https://github.blog/2024-03-18-gaining-kernel-code-execution-on-an-mte-enabled-pixel-8/

Android Phishing Scam Using Malware-as-a-Service on the Rise in India https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-phishing-scam-using-malware-as-a-service-on-the-rise-in-india/

LTair: The LTE Air Interface Tool https://research.nccgroup.com/2024/03/14/ltair-the-lte-air-interface-tool/

Write-up and PoC kernel exploit affecting Pixel 7/8 Pro running Android 14 targeting Mali GPU https://github.com/0x36/Pixel_GPU_Exploit

The State of Stalkerware in 2023 https://securelist.com/state-of-stalkerware-2023/112135/ Full report: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/03/07160820/The-State-of-Stalkerware-in-2023.pdf

Attack spectrum present in Android environments https://blog.devsecopsguides.com/attacking-android

Analyze Android apps for security risks in Termux using APKDeepLens -analyze downloaded or installed apps on device -scan APKs on the go -edit the script for custom needs -works on any non-rooted Android https://www.mobile-hacker.com/2024/03/11/analyze-installed-android-applications-for-security-risks-in-termux/

Analysis of an Android Malware-as-a-Service Operation (Coper aka Octo banking Trojan) https://www.team-cymru.com/post/coper-octo-a-conductor-for-mobile-mayhem-with-eight-limbs