ALL POSTS

Here's the article in the requested format: Key Findings * Android 17 Beta 2 blocks non-accessibility apps from using Accessibility Services API * Advanced Protection Mode (AAPM) automatically revokes permissions for non-accessibility tools * Only verified accessibility tools can use the API when AAPM is enabled * Targets malware that has historically abused accessibility services for data theft Background Android's Accessibility Services API has long been a double-edged swor

Key Findings BeatBanker is an Android malware that combines banking trojan capabilities with cryptocurrency mining. It spreads through fake Starlink apps distributed on websites imitating the Google Play Store. Once installed, BeatBanker hijacks devices, steals login credentials, and tampers with cryptocurrency transactions. The malware uses a silent audio loop to maintain persistence and avoid being shut down by the system. In newer versions, BeatBanker has replaced the bank

Key Findings Google disclosed that a high-severity vulnerability, CVE-2026-21385 (CVSS score: 7.8), affecting an open-source Qualcomm component used in Android devices has been actively exploited. The vulnerability is a buffer over-read in the Graphics component, described by Qualcomm as "memory corruption when adding user-supplied data without checking available buffer space" and an integer overflow. Google acknowledged "there are indications that CVE-2026-21385 may be under

Key Findings: PromptSpy is the first known Android malware to abuse Google's Gemini AI to maintain persistence on infected devices It can capture lockscreen data, block uninstallation attempts, collect device information, take screenshots, and record screen activity as video The malware leverages Gemini AI to analyze the current screen and provide it with step-by-step instructions on how to remain pinned in the recent apps list, preventing easy removal Background ESET researc

Key Findings Security researchers have uncovered details of a new mobile spyware platform called ZeroDayRAT that is being sold openly on Telegram. ZeroDayRAT provides comprehensive remote control capabilities over compromised Android and iOS devices, including real-time surveillance and data theft. The malware supports Android versions 5 through 16 and iOS up to version 26, allowing it to target a wide range of mobile devices. ZeroDayRAT is distributed through social engineer

Arsink Spyware Posing as WhatsApp, YouTube, Instagram, TikTok Hits 143 Countries Key Findings Arsink is a dangerous Android Trojan that impersonates over 50 popular brands, including WhatsApp, YouTube, Instagram, and TikTok The malware has infected over 45,000 devices across 143 countries, with major clusters in Egypt, Indonesia, and Iraq Arsink grants hackers complete remote control, allowing them to record audio, read text messages, and wipe devices Background A massive new

Key Findings Android game mods bundled with "Android.Phantom" malware hijack devices for covert ad fraud Malware operates in two modes - "phantom" mode for automated ad interaction and remote control mode for real-time device control Uses machine learning techniques to mimic user behavior and avoid detection Spreads through unofficial app stores and third-party sources, not the official Google Play Store Affects popular game titles with high download counts, making it difficu

Key Findings A public proof-of-concept (PoC) exploit has been released for a critical vulnerability in the Android operating system. The vulnerability allows malicious applications to escalate their privileges and gain access to sensitive permissions without the user's knowledge or consent. The vulnerability affects both the main Android OS as well as the WearOS platform, putting a wide range of Android devices at risk. The exploit has been confirmed to work on multiple Andro

Key Findings The Kimwolf Android botnet has infected over 2 million devices, primarily through the exploitation of residential proxy networks. The botnet primarily targets low-cost, unofficial Android TV boxes that are left insecure or intentionally configured as proxy nodes. Kimwolf is believed to be an Android variant of the AISURU botnet, with connections to a series of record-setting DDoS attacks. The botnet uses a scanning infrastructure that leverages residential proxie

Key Findings The Kimwolf Android botnet has infected over 1.8 million devices globally, primarily targeting TV boxes It uses advanced techniques like DNS over TLS, elliptic curve digital signatures, and blockchain domains to evade detection The botnet is capable of massive DDoS attacks, issuing over 1.7 billion commands in a three-day period Kimwolf shares code with the Aisuru botnet family but has been heavily redesigned to avoid detection Background The Kimwolf botnet was f

Key Findings In August 2025, Kaspersky researchers discovered a new Android banking Trojan dubbed "Frogblight" targeting individuals in Turkey. The malware initially disguised itself as an app for accessing court case files via an official government webpage, but later adopted more universal disguises like the Chrome browser. Frogblight can use official government websites as an intermediary step to steal banking credentials and has spyware capabilities to collect SMS message

Key Findings U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two Android Framework vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2025-48572: Android Framework Privilege Escalation Vulnerability CVE-2025-48633: Android Framework Information Disclosure Vulnerability Background The two high-severity vulnerabilities are reported to be "under limited, targeted exploitation" in the wild. Google's latest Android update for December 2025

Key Findings: Google has updated its Android Quick Share file transfer service to work natively with Apple's AirDrop on Pixel 10 devices. The cross-platform compatibility is achieved through Google's own implementation, not official collaboration with Apple. The communication channel is built using the memory-safe Rust programming language to enhance security and prevent vulnerabilities. Independent security assessment by NetSPI found the Quick Share AirDrop implementation to

Key Findings Sturnus is a new Android banking trojan with full device-takeover capabilities It targets secure messaging apps like WhatsApp, Telegram, and Signal to bypass encryption and steal sensitive data Sturnus employs sophisticated techniques like HTML overlays and accessibility-based keylogging to capture on-screen content, including messages, contacts, and credentials The malware enables remote control of infected devices through screen mirroring and a structured UI ma

Key Findings New Android banking trojan called Sturnus enables credential theft and full device takeover for financial fraud Key differentiator is ability to bypass encrypted messaging on apps like WhatsApp, Telegram, and Signal Captures content directly from device screen after decryption, allowing monitoring of private communications Stages overlay attacks to steal banking credentials and leverages accessibility services for extensive device control Blocks uninstallation at

Key Findings: The North Korea-affiliated threat actor known as Konni (aka Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia) has been attributed to a new set of attacks targeting both Android and Windows devices for data theft and remote control. Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs. The attackers exploited Google's asset tracking services Find Hub (formerly Find My De

Key Findings Researchers discovered a previously unknown Android spyware family dubbed LANDFALL, which leveraged a zero-day vulnerability (CVE-2025-21042) in Samsung's image processing library to compromise Galaxy devices. The campaign, active since mid-2024, appears to have targeted users in the Middle East, with the spyware embedded inside malicious DNG image files sent through WhatsApp. The exploit relies on malformed DNG (Digital Negative) image files, exploiting a flaw i

Key Findings: A new commercial-grade spyware called "Landfall" has been targeting Samsung Galaxy phones in the Middle East since at least mid-2024. Landfall exploited a previously unknown, unpatched vulnerability (zero-day) in Samsung's Android image processing library, tracked as CVE-2025-21042. The spyware was delivered through malicious DNG image files sent via WhatsApp, with no user interaction required (zero-click). Landfall has extensive surveillance capabilities, inclu