Threat Lab

In response to the latest zero-day vulnerability discovered in a new version of iOS, Apple released an urgent software update for iOS 15.0.1 to patch a serious vulnerability in the IOMobileFrameBuffer. This vulnerability was noted to be knowingly exploited in the wild and could allow an application to execute code with kernel privileges.

Security researchers recently unveiled a long-standing campaign that was being carried out by a new Iranian threat actor known as MalKamak. The campaign leveraged a previously unknown remote access trojan (RAT) called ShellClient with the end goal of stealing sensitive information about critical assets, organizations' infrastructure, and technology.

Apple released an urgent software update for iOS 14.7 to patch a serious vulnerability that was found to be exploitable by attackers using the advanced surveillanceware known as Pegasus.

A data leak of more than 50,000 phone numbers revealed a list of identified persons of interest by clients of NSO since 2016. NSO develops Pegasus, a highly advanced mobile malware that infects iOS and Android devices.

Kaseya recently fell victim to a ransomware attack executed by the REvil group. In all between 800 and 1,500 businesses down the chain were affected by this attack.

Lookout Researchers have discovered almost 200 Android apps, including 25 on the Play Store, scamming cryptocurrency investors out of money.

A number of apps that come preinstalled on Android devices were found to have vulnerabilities that could be exploited on any Samsung device.

Attackers launched a ransomware attack against the Colonial Pipeline that demonstrated how cybercrime groups exploit diminishing visibility, legacy security systems, and mobile devices to successfully extort money from targets.

There were a number of vulnerabilities discovered in the Pulse Secure VPN that are actively being exploited by threat actors that can bypass authentication to install malware in enterprise infrastructure.

Attackers are using phone numbers leaked from Facebook to socially engineer mobile users into downloading malicious apps infected with the FluBot banking trojan

The expanded remote workforce has increased organizations’ threat surface in the cloud. This has resulted in a surge of remote attacks and breaches on Microsoft Office 365 collaboration services.

Apple released an urgent software update to iOS 14.4 to patch a serious vulnerability in Apple’s WebKit browser engine. A successful exploit could allow malicious websites to perform arbitrary cross-scripting on the device.

A customizable Malware-as-a-Service banking trojan delivered through any app with messaging capabilities.

Australian government officials were targeted by a mobile phishing campaign through Telegram and WhatsApp. Threat actors gained access to victims' address book and could send messages on their behalf.

Android surveilllanceware developed by a pro-India APT tageting Pakistani official.

The Solarwinds incident exemplified the effectiveness of a software supply chain attack, which can be an effective tactic for compromising a high volume of devices with a single infected software update.

A blackmail and sextortion campaign targeting individual users on both iOS and Android

This vulnerability affects Chrome for Android v86.0.4240.185 and below. In the event of a successful exploit, the actor could have access to any capability that the browser has.

This is a variant of an existing mobile ransomware with novel techniques and behavior on Android devices.

This vulnerability in Instagram for Android app versions prior to 120.0.0.26.128 could allow attackers to take control of Instagram's functionality and permissions.

This vulnerability in the Firefox for Android was discovered in the app's SSDP protocols that could allow an attacker to trigger actions on a victim’s device if the two are connected to the same Wi-Fi network.

The advertising SDK by Mintegral used in iOS apps had some risky permissions that could violate end-user privacy.

This Twitter phone spear phishing attack compromised the accounts of influential individuals and exemplifies the effectiveness of voice phishing, also known as vishing.

Right after India banned TikTok, a malicious app called TikTok PRO circulated the country through email and social media.

A full technical report breaking down a Chinese surveillanceware campaign targeting the Uyghur ethnice minority group.

SilkBean is one of many families discovered in this long-running mobile APT surveillance campaign

Unc0ver is a widely used jailbreak that has been present in the market for some time, and more recently started taking advantage of an iOS kernel vulnerability discovered in 2019.

This new variant of the banking malware Cerberus has been observed being distributed via a breached MDM.

A vulnerability in the native iOS Mail app allowed an attacker to execute an attack with zero or one-click.

There were over 70 Android apps associated with this long-running malware campaign.

LightSpy was the malware behind the Poisoned News watering hole campaign on iOS.

The Voatz mobile voting app, which was supposedly secured by another security SDK provider, showed many flaws in the app's security.

This attackers behind this remote access trojan (RAT) attack used social engineering to target Israeli Defense Force (IDF) soldiers.

Phishing AI discovered this mobile-only phishing campaign targeting North American banking customers.

Apple announced three exploitable vulnerabilities in iOS 14.3. Two of them were tied to the Apple WebKit, while the third was a vulnerability of the device kernel.

Amazon's CEO was targeted by a mobile advanced persistent threat (APT) that enabled the attacker to exfiltrate data with a compromised video file sent to the victim via WhatsApp.

ToTok is a very popular chat app used in the Middle East that was discovered to be spying on all its users despite not having any nefarious permissions built into the app.

This malware can deploy second-stage malware payloads with dangerous capabilities such as stealing user login information, keylogging, deploying ransomware, and bypassing MFA with SMS interception.

AzSpy appeared to be part of a commercial Android spy platform, known as FullSpy, with a user login page to monitor infected devices.

This campaign targeted non-governmental organizations around the world, including but not limited to UN and humanitarian organizations.

ArmaSpy was a surveillance family, which appears to have been targeting Iranian users since late 2016 with new samples discovered as recently as mid-2019

Phishing AI discovered this campaign targeting Verizon employees on mobile devices.

This phishing campaign impersonated local governments around the United State with the intention of stealing sensitive personal and business-related data.

SimJacker is a vulnerability in the SIM card of certain iOS and Android devices that is executed via a specially crafted SMS message sent to the target device.

Joker is a widely-used trojan that continues to appear in apps on the Google Play Store.

Monokle is an advanced and highly-targeted surveillanceware developed by Russian firm STC. It has a number of highly unique capabilities for infecting and stealing data from Android devices

A full technical report breaking down a sophisticated mobile malware campaign developed by STC, a Russian military contractor that interfered with the 2016 US Presidential elections

This is a family of applications that infects programs by adding its own components to a target Android Package (APK) without changing its digital signature.

BeiTaAd was a well-obfuscated advertising plugin that forcibly displayed ads on the user’s lock screen, triggered video and audio advertisements even while the phone is asleep.

Phishing AI discovered this campaign targeting AT&T employees on mobile devices.

eSurvAgent is a sophisticated Android surveillanceware agent.

A full technical breakdown of the notorious sophisticated spyware software developed by NSO Group.

A full technical breakdown of the Android variant of the notorious sophisticated spyware software developed by NSO Group.

Attackers were able to gain access to EA's infrastructure with employee credentials in cookies from Slack and exfiltrate almost 1TB of data.