Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer operated by Kimsuky APT
https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff
Medium
Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer
Author: HyeongJun Kim | S2W TALON
Salvador Stealer: New Android Malware That Phishes Banking Details & OTPs
https://any.run/cybersecurity-blog/salvador-stealer-malware-analysis/
ANY.RUN's Cybersecurity Blog
Salvador Stealer: Analysis of New Mobile Banking Malware
Discover detailed analysis of Salvador Stealer, a new Android malware targeting users of mobile banking apps.
[pdf] DVa: Extracting Victims and Abuse Vectors from Android Accessibility Malware
https://www.usenix.org/system/files/sec24summer-prepub-136-xu-haichuan.pdf
Android Malware Disguised as Government Alerts distributed in India via WhatsApp
https://blogs.quickheal.com/beware-malicious-android-malware-disguised-as-government-alerts/
Quick Heal Blog
Beware: Malicious Android Malware Disguised as Government Alerts.
In our high-tech world, sneaky cyber threats can pop up anywhere. Lately, we've spotted sneaky malware on Android...
BADBAZAAR and MOONSHINE: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors
https://www.ncsc.gov.uk/news/advisory-badbazaar-moonshine
www.ncsc.gov.uk
The NCSC and partners publish new information and mitigation measures for those at high risk from two spyware variants.
BADBAZAAR and MOONSHINE: Technical analysis and mitigations
https://www.ncsc.gov.uk/news/advisory-badbazaar-moonshine-technical-analysis-mitigations
www.ncsc.gov.uk
This advisory provides new and collated threat intelligence on two variants of spyware known as BADBAZAAR and MOONSHINE, and includes advice for app store operators, developers and social media companies to help keep their users safe.
Overview of the PlayPraetor Masquerading Party Variants
https://www.ctm360.com/reports/play-masquerading-party-report
Ctm360
Play Masquerading Party (PMP) Report | CTM360's Analysis of Android Scam Variants
CTM360's Play Masquerading Party (PMP) report exposes an evolution of the PlayPraetor scam, highlighting fake Play Store pages, phishing apps, and RAT variants targeting global users
SMS Pumping: How Criminals Turn Your Messaging Service into Their Cash Machine
https://www.group-ib.com/blog/sms-pumping/
Group-IB
SMS Pumping fraud is a deceptive scheme where fraudsters manipulate SMS verification systems to inflate non-organic traffic and generate revenue at businesses' expense. Discover how it works and ways to mitigate it.
A Random and Simple Tip: Advanced Analysis of JNI Methods Using Frida
https://revflash.medium.com/a-random-and-simple-tip-advanced-analysis-of-jni-methods-using-frida-8b948ffcc8f5
Medium
In this article, I will share a tip for those interested in performing a more detailed analysis of the behavior of native methods, with a…
Newly Registered Domains Distributing SpyNote Malware
https://dti.domaintools.com/newly-registered-domains-distributing-spynote-malware/
DomainTools Investigations | DTI
Newly Registered Domains Distributing SpyNote Malware - DomainTools Investigations | DTI
Deceptive websites hosted on newly registered domains are being used to deliver AndroidOS SpyNote malware. These sites mimic the Google Chrome install page on the Google Play Store.
Android Kernel Adventures: Insights into Compilation, Customization and Application Analysis
https://revflash.medium.com/android-kernel-adventures-insights-into-compilation-customization-and-application-analysis-d20af6f2080a
Medium
This article marks the first in a series aimed at sharing my adventures, personal notes, and insights into the Android kernel. My focus…
Rethinking Emulation for Fu(zzi)n(g) and Profit: Near-Native Rehosting for Embedded ARM Firmware
[Presentation] https://www.youtube.com/watch?v=o_ckTnTQlfs
[Slides] https://github.com/binarly-io/Research_Publications/blob/main/REverse_2025/Near-Native%20Rehosting%20for%20Embedded%20ARM%20Firmware.pdf
YouTube
RE//verse 2025: Rethinking Emulation for Fu(zzi)n(g) (Lukas Seidel)
Full title: Rethinking Emulation for Fu(zzi)n(g) and Profit: Near-Native Rehosting for Embedded ARM Firmware
Slides: https://github.com/binarly-io/Research_Publications/blob/main/REverse_2025/Near-Native%20Rehosting%20for%20Embedded%20ARM%20Firmware.pdf
…
Shibai: Trojanized version of WhatsApp that comes preinstalled on some low-cost Android phones. Altered using LSPatch, it replaces cryptocurrency addresses in messages and redirects update URLs to retain control
https://news.drweb.com/show/?lng=en&i=15002&c=5
Dr.Web
Nice chatting with you: what connects cheap Android smartphones, WhatsApp and cryptocurrency theft?
Every year, cryptocurrencies become more and more common as a payment method. According to the data for 2023, in developed countries about 20% of the population has at some time used such a means of payment, and in developing countries, where the banking…
Magisk for Mobile Pentesting: Rooting Android Devices and Building Custom Modules
Part 1: https://medium.com/@justmobilesec/magisk-for-mobile-pentesting-rooting-android-devices-and-building-custom-modules-part-i-3ca7429f1faf
Part 2: https://medium.com/@justmobilesec/magisk-for-mobile-pentesting-rooting-android-devices-and-building-custom-modules-part-ii-22badc498437
Medium
Magisk for Mobile Pentesting: Rooting Android Devices and Building Custom Modules (Part I)
TL;DR #1: Rooting an Android device allows for system modifications, bypassing restrictions, and performing security testing. This post…
Intercepting HTTPS Communication in Flutter: Going Full Hardcore Mode with Frida
https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/
B(l)utter: Flutter Mobile Application Reverse Engineering Tool
https://github.com/worawit/blutter
GitHub
GitHub - worawit/blutter: Flutter Mobile Application Reverse Engineering Tool
Flutter Mobile Application Reverse Engineering Tool - worawit/blutter
SpyMax Variant Targeting Chinese-Speaking Users
https://threatmon.io/spymax-variant-targeting-chinese-speaking-users/
ThreatMon
SpyMax Variant Targeting Chinese-Speaking Users: In early 2025, our threat intelligence team analyzed a highly sophisticated Android spyware.
Android spyware trojan targets Russian military personnel who use Alpine Quest mapping software
https://news.drweb.com/show/?i=15006&lng=en&c=5
Dr.Web
Doctor Web's experts have discovered Android.Spy.1292.origin, spyware whose main target is Russian military personnel. The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of…
Everyone knows your location: tracking myself down through in-app ads
Part 1: https://timsh.org/tracking-myself-down-through-in-app-ads/
Part 2: https://timsh.org/everyone-knows-your-location-part-2-try-it-yourself/
Plus a guide that helps to collect, analyze and visualize requests sent by a mobile device while using some app: https://github.com/tim-sha256/analyse-ad-traffic
tim.sh
Everyone knows your location
How I tracked myself down using leaked location data in the in-app ads, and what I found along the way.
SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation
https://www.cleafy.com/cleafy-labs/supercardx-exposing-chinese-speaker-maas-for-nfc-relay-fraud-operation?s=03
Cleafy
SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation | Cleafy
A new fraud campaign based on the Android malware "SuperCard X" and innovative NFC relay techniques is impacting Italian's banking. Read our latest report to learn more.
CVE-2024-53104 proof of concept: Privilege escalation security flaw in the Android Kernel's USB Video Class driver that allows authenticated local threat actors to elevate privileges in low-complexity attacks
https://github.com/zhuowei/facedancer/blob/rawgadget2/examples/camera.py#L15
GitHub
facedancer/examples/camera.py at rawgadget2 · zhuowei/facedancer
Fork of https://github.com/xairy/Facedancer/tree/rawgadget with patches for testing CVE-2024-53197 - zhuowei/facedancer