NetHunter Wi-Fi and Rubber Ducky mobile combo
Android NetHunter kernel supports many popular external wifi chipsets, including a lot of cheap adapters.
Rubber Ducky works without any problems on both devices so far.
#TicWatchPro #OnePlus7
Hacking into Android in 32 seconds
Samsung S7 is connected to a Pixel as a HID device (keyboard) that tries to brute force the lock screen PIN and then download, install and launch a Metasploit payload.
Covid Android Ransomware
If you installed the malicious Coronavirus Tracker app that locked your smartphone and requested a ransom, use the code "4865083501" to unlock it.
The key is hardcoded.
Don't install these apps from Google Play - they're malware.
Details:
-13 apps
-all together 560,000+ installs
-after launch, hides its icon
-downloads an additional APK and makes the user install it (unavailable now)
-2 apps are #Trending
-no legitimate functionality
-reported
How easy it is to make users believe apps are highly downloaded (popular) and probably worth trying.
These are not the number of app installs, these are developer names.
I just found the most honest "Virus Cleaner 2018" on Google Play. Not only does it detect itself as vulnerable, it also recommends that I uninstall it.
#InstallOnlyReliableSecurityApps
Looks like someone successfully created PoC for Android CVE-2019-2107 RCE
PoC: You can own the mobile by watching a video with a payload. Should work on Android 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9.
Exploitation of LAN vulnerability found in Firefox for Android
I tested this PoC exploit on 3 devices on the same wifi, it worked pretty well.
I was able to open a custom URL on every smartphone using vulnerable Firefox (68.11.0 and below), found by @init_string
Remotely Spying via #FaceTime
FaceTime anyone on iOS 12.1 or later and you can remotely spy on them (audio and video) before they accept the incoming call.
Courtesy of @BmManski
Another click farm in China with 8,000 devices generates fake engagement
So, let's wait for someone to hack it for the first time. Is its control panel on Shodan already?
Uninstall these apps!
15 apps with more than 400k+ installs in total found on Google Play.
These apps can download an additional payload and display + click on "invisible" ads. Everything is hidden from the user's view.
Scam iOS apps have been found on the Apple App Store tricking users into paying over $100.
Apps ask for a fingerprint right at the moment the payment pop-up shows, so the payment is accepted by the user's fingerprint.
Mobile click farm, birthplace of fake engagement.
Fake impressions, boosts new social media trends, ad fraud, helps create influencers, leaves fake reviews, spreads likes, shares, installs apps...
How to create fake traffic jams in Google Maps with a bucket full of smartphones
Different perspective:
1) Buy mobile bots
2) Spoof GPS location
3) Control traffic
What is this app rating?
Developer created a tricky app icon to make potential users believe it has over 4 stars.
The purpose of the app is to trick the user into activating a 3-day trial for a basic photo editing app.
If the user forgets to cancel, it costs him €49.99/week.
This is Bob. Bob doesn't care about his mobile privacy.
Bob:
- doesn't close private tabs
- doesn't close browser
- doesn't lock his device
- carries it face up in his front pocket
- goes on public transport
- takes a nap
Don't be like Bob. Be smart.
RCE in Adobe Acrobat Reader for Android (CVE-2021-40724)
$10,000 bounty received from GPSRP
Excellent exploitation and write-up by @hulkvision
Report:
Quick summary of how it was achieved:
Spoofing any website on Xiaomi's pre-installed browser
Be aware, it is NOT fixed yet and it could be misused for phishing credentials.
Discovered by @payloadartist
Android Legitimate Spyware with 10M+ installs.
App #Onavo, owned by Facebook, is a VPN service that collects your:
- mobile traffic
- location
- installed/opened apps
- visited websites
This app should hide your traffic & increase privacy; instead it collects it.
New Android malware - #NGate - relays NFC data from victims' payment cards, via victims' compromised mobile phones, to the attacker's device waiting at an ATM to withdraw cash.
Remove is not Uninstall
Found 3 apps on Google Play with over 700,000 installs that use an interesting persistence technique.
When the user realizes the app is not as described, he can only remove the app icon, not uninstall the app itself.
I explained how it works in the video:
Barcode Scanner app with 5,000,000+ installs became adware.
Should we now be afraid of even popular apps? Did the developer sell the app or take advantage?
-in 8 months the app reached 5M+ installs
-after the last update became adware
-uses its own lockscreen
-displays ads
-removed from Google Play
Android malware can send WhatsApp messages from infected device to spread itself + uses TOR.
What happened in video:
-requests to activate accessibility service
-activates device admin
-sets itself as default SMS app
-downloads payload
-downloads TOR
Found a month ago by @sh1shk0va
Android Banker found on Google Play with 10K+ installs stole over 10,000 Euros already.
Video example of how it misuses accessibility services and overlays the banking app (1:09).
Vulnerability in Google's Camera app allowed 3rd party apps to take pictures and video without the user's knowledge or the CAMERA permission.
This happened because of an exported CameraActivity that accepted input from other apps. CVE-2019-2234
via @checkmarx
I tested over 15 fake GPS Navigation apps with over 50,000,000 installs from #GooglePlay that violate Google rules.
These apps just open Google Maps or use its API without any additional value for the user, except for displaying ads.
Some of them don't even have a proper app icon.
Would you use an AntiVirus that detects itself as a risky app?
This Fake Antivirus 2019 uses only a blacklist & whitelist of app package names + a permissions check. Still, it forgot to whitelist itself.
APKLeaks in action
Handy utility that dumps IPs, URLs, URIs or secrets from an analyzed Android app.
Now you know where backups are stored and maybe test these ZIPs for DIR traversal
by @dwisiswant0
Demo of Binance wallet theft using Accessibility services
Android PoC malware misuses accessibility to take control of the device and withdraw Bitcoins without any user interaction.
Binance swiftly fixed the issue.
Research & video by @yonas_leguesse
Paper:
Trojanized #WhatsApp and #Telegram apps replace cryptocurrency wallet addresses in messages.
Some of them use OCR to recognize mnemonic phrase text from screenshots and photos stored on the devices to steal cryptocurrency funds.
#Android #Windows
Android SMS Worm spreads in #India 🇮🇳
-spreads via SMS and WhatsApp as a "Free 25GB Offer" app
-only for Jio customers
Goal: spread & ads monetization
The app in the background sends SMS to contacts if they have a Jio number prefix.
Demo: Download + Install + Open
Found by @srbhdubey
After a couple of requests I created a Telegram Channel.
To stay up-to-date with mobile security, feel free to join and share.
Topics: Security & privacy, malware on Google Play, vulnerabilities, bug bounty hunting, security tips, tutorials, penetration testing...
This is how Android malware steals the recovery phrase from Trust Crypto Wallet without user interaction and restricts access to the victim's smartphone by blocking all actions, such as removing it and seeing any unauthorized withdrawals.
Full demo:
Alberto Segura (https://infosec.exchange/@asegura)
CSRF + XSS + SMS spoofing + Android deep link URL redirection
Great example of chaining low impact vulnerabilities in #TikTok to remotely manipulate account content:
-delete user video
-upload user video
-make "private" videos "public"
via @_CPResearch_
How to prevent this from happening
-charge your smartphone using your own adapter if possible
-don't use a trivial PIN or password for lock screen protection
-use mobile security software that will detect the Metasploit payload
Android WhatsApp Worm?
Malware spreads via victim's WhatsApp by automatically replying to any received WhatsApp message notification with a link to malicious Huawei Mobile app.
The message is sent only once per hour to the same contact.
It looks to be adware or subscription scam.
The First Android cryptocurrency clipboard exchanger found on Google Play.
Its goal is to change the copied recipient's cryptocurrency wallet address to the attacker's.
Malware also impersonates the @metamask_io service and lures the PK, password or phrase.
SMS worm impersonates Covid-19 vaccine free registration
Android SMS worm tries to spread via text messages as a fake free registration for the Covid-19 vaccine - targets India 🇮🇳
It can spread itself via SMS to the victim's contacts with a link to download this malware.
I just finished Web Security Academy labs
It's a great learning source with free training + labs to test your skills:
-SQL injection
-XSS
-OS command injection
-DIR traversal
Hope we can expect more topics to come
@WebSecAcademy @Burp_Suite @PortSwigger
Almost every Android phone - except for Pixel - is still vulnerable to this RCE bug.
That's because manufacturers don't push security updates right away.
BTW, Samsung devices are the most popular unpatched phones on the planet.
@Swati_THN @TheHackersNews
Scareware YouTube ads "Your Phone has Virus ⚠️" techniques are misused to promote a lousy Android antivirus app.
BTW, this app has 100K+ installs and has been available on Google Play only since Jul 5, 2019, without any reference or web site.
P.S. So, my phone has 13 or 23 viruses?
Don't be quiet, no matter who is listening.
Recently discovered Android banking Trojan on Google Play by @ThreatFabric had a malicious package name containing my name and a hi_there message for me.
If you are reading this, next time I want my profile_pic signed by you in there. :)
Android #StrandHogg vulnerability
The vulnerability allows a malicious app to masquerade as any other app on the device.
So, if you launch Facebook, the malware is executed.
See the video demo of how it works.
@Promon_Shield
Beware of another fake version of @myetherwallet found on the Google Play Store with lots of fake positive reviews. It tries to steal the user's private key.
BTW there isn't any official MyEtherWallet on GP, yet.
#reported