Weaponizing LSPosed: Remote SMS Injection and Identity Spoofing in Modern Payment Ecosystems
https://www.cloudsek.com/blog/weaponizing-lsposed-remote-sms-injection-and-identity-spoofing-in-modern-payment-ecosystems-2
https://www.cloudsek.com/blog/weaponizing-lsposed-remote-sms-injection-and-identity-spoofing-in-modern-payment-ecosystems-2
Cloudsek
Weaponizing LSPosed: Remote SMS Injection and Identity Spoofing in Modern Payment Ecosystems | CloudSEK
LSPosed, a powerful framework for rooted Android devices, has been weaponized by attackers to remotely inject fraudulent SMS messages and spoof user identities in modern payment ecosystems. This report exposes a critical vulnerability: the exploitation ofβ¦
π12π€4π2β€1π₯1
Oblivion RAT - An Android Spyware Platform With a Built-In APK Factory
https://iverify.io/blog/oblivion-rat-android-spyware-analysis
https://iverify.io/blog/oblivion-rat-android-spyware-analysis
iverify.io
Oblivion RAT - An Android Spyware Platform With a Built-In APK Factory
Technical analysis of Oblivion RAT Android malware: $300/month MaaS platform with APK builder, AccessibilityService hijacking, and fake ZIP encryption.
β€12π2π₯1
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/
https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/
Google Cloud Blog
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors | Google Cloud Blog
DarkSword is a new iOS exploit chain that leverages multiple zero-day vulnerabilities to fully compromise iOS devices.
π11β€6π₯4
Perseus: DTO malware that takes notes
https://www.threatfabric.com/blogs/perseus-dto-malware-that-takes-notes
https://www.threatfabric.com/blogs/perseus-dto-malware-that-takes-notes
ThreatFabric
Perseus: DTO malware that takes notes
Perseus is a new Device Takeover (DTO) malware family that specifically looks for user-generated content stored in note taking applications.
π₯14β€4
Decompiling an Android Application Written in .NET MAUI 9 (Xamarin)
https://mwalkowski.com/post/decompiling-an-android-application-written-in-net-maui-9-xamarin/
https://mwalkowski.com/post/decompiling-an-android-application-written-in-net-maui-9-xamarin/
MichaΕ Walkowski
Decompiling an Android Application Written in .NET MAUI 9 (Xamarin) | MichaΕ Walkowski
.NET MAUI, as the successor to Xamarin, enables the development of cross-platform applications, including Android, using C#. In previous versions (up to .NET MAUI 8), applications stored their DLL libraries in assemblies.blob and assemblies.manifest filesβ¦
π17π1
SSL pinning bypass setup for iOS (No Jailbreak) using OpenVPN + iptables traffic redirection to proxy (Burp Suite / mitmproxy)
https://github.com/SahilH4ck4you/iOS-SSL-pinning-bypass-without-jalibreak
https://github.com/SahilH4ck4you/iOS-SSL-pinning-bypass-without-jalibreak
GitHub
GitHub - SahilH4ck4you/iOS-SSL-pinning-bypass-without-jalibreak: SSL pinning bypass setup for iOS (No Jailbreak) using OpenVPNβ¦
SSL pinning bypass setup for iOS (No Jailbreak) using OpenVPN + iptables traffic redirection to proxy (Burp Suite / mitmproxy) - SahilH4ck4you/iOS-SSL-pinning-bypass-without-jalibreak
π13π€‘10π©4π3β‘2π₯±2
Microsoft Authenticatorβs Unclaimed Deep Link: A Full Account Takeover Story (CVE-2026β26123)
https://khaledsec.medium.com/microsoft-authenticators-unclaimed-deep-link-a-full-account-takeover-story-cve-2026-26123-e0409a920a02?sk=df506976e7c2d15fd29e70725873f6e2
https://khaledsec.medium.com/microsoft-authenticators-unclaimed-deep-link-a-full-account-takeover-story-cve-2026-26123-e0409a920a02?sk=df506976e7c2d15fd29e70725873f6e2
Medium
Microsoft Authenticatorβs Unclaimed Deep Link: A Full Account Takeover Story (CVE-2026β26123)
When your authentication app becomes the weakest link: How an unclaimed deep link exposed millions of Microsoft accounts
β€11β‘3π₯°2π1
Coruna: the framework used in Operation Triangulation
https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/
https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/
π5β€4π4π₯1
Analysis of Android FvncBot banker campaign targeting Polish users
https://cert.pl/en/posts/2026/03/fvncbot-analysis/
https://cert.pl/en/posts/2026/03/fvncbot-analysis/
cert.pl
Analysis of FvncBot campaign
CERT Polska has analyzed an SGB-branded Android malware sample from the FvncBot campaign targeting Poland. The app installs a second-stage implant, coerces the victim into enabling accessibility, and registers the device to a backend that issues per-deviceβ¦
β‘6
Operation NoVoice: Rootkit Tells No Tales (link to Android Triada family)
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/
McAfee Blog
Operation NoVoice: Rootkit Tells No Tales | McAfee Blog
Authored By: Ahmad Zubair Zahid McAfeeβs mobile research team identified and investigated an Android rootkit campaign tracked as Operation Novoice. The
β‘6
Analysis of cifrat: could this be an evolution of a mobile RAT?
https://cert.pl/en/posts/2026/04/cifrat-analysis/
https://cert.pl/en/posts/2026/04/cifrat-analysis/
cert.pl
Analysis of cifrat: could this be an evolution of a mobile RAT?
CERT Polska analyzed a Booking themed Android malware chain delivered through phishing and a fake update website. The sample is a multistage dropper that installs a hidden accessibility controlled RAT with WebSocket C2.
π9
PoC of DarkSword iOS exploit tested on iOS 17.1.1 - 26.0.1
https://github.com/rooootdev/lara
https://github.com/rooootdev/lara
GitHub
GitHub - rooootdev/lara: WIP darksword kexploit implement
WIP darksword kexploit implement. Contribute to rooootdev/lara development by creating an account on GitHub.
β€5π4π©1
Canis C2 Exposed: Previously Undocumented Cross-Platform Surveillance Framework Targeting Japan pivoting from Android sample
https://hunt.io/blog/canis-c2-exposed-cross-platform-surveillance-framework-japan
https://hunt.io/blog/canis-c2-exposed-cross-platform-surveillance-framework-japan
hunt.io
Canis C2 Exposed: Previously Undocumented Cross-Platform Surveillance Framework Targeting Japan
An exposed API on a Japanese phishing server revealed Canis C2, a previously undocumented surveillance framework targeting Android, iOS, Windows, Linux, and macOS.
β€6π2
Hack-For-Hire Operation Linked to BITTER APT (Android ProSpy spyware)
https://www.lookout.com/threat-intelligence/article/bitter-hack-for-hire
https://www.lookout.com/threat-intelligence/article/bitter-hack-for-hire
Lookout
Beyond BITTER: MENA Civil Society Targeted in Hack-For-Hire Operation Linke | Threat Intel
π4
Intent redirection vulnerability in third-party EngageLab SDK exposed millions of Android wallets to potential risk
https://www.microsoft.com/en-us/security/blog/2026/04/09/intent-redirection-vulnerability-third-party-sdk-android/
https://www.microsoft.com/en-us/security/blog/2026/04/09/intent-redirection-vulnerability-third-party-sdk-android/
Microsoft News
Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk
A severe Android intentβredirection vulnerability in a widely deployed SDK exposed sensitive user data across millions of apps. Microsoft researchers detail how the flaw works, why it matters, and how developers can mitigate similar risks by updating affectedβ¦
π5β€3
Mirax: a new Android RAT turning infected devices into potential residential proxy nodes
https://www.cleafy.com/cleafy-labs/mirax-a-new-android-rat-turning-infected-devices-into-potential-residential-proxy-nodes
https://www.cleafy.com/cleafy-labs/mirax-a-new-android-rat-turning-infected-devices-into-potential-residential-proxy-nodes
Cleafy
Mirax: a new Android RAT turning infected devices into potential residential proxy nodes
Mirax, a new Android RAT and banking malware operating as a private MaaS is actively targeting Spanish-speaking countries via Meta ad campaigns.
π11β€3
Giving an Agent a Rooted Android Phone
https://workers.io/blog/autonomous-mobile-pentesting/
https://workers.io/blog/autonomous-mobile-pentesting/
Workers IO
Giving an Agent a Rooted Android Phone
So what actually happens if you hand an AI agent root access to an Android phone, plus a runtime hooking framework? In this case, it went straight to reverse-engineering Subway Surfers and figured out how to rack up unlimited coins.
β€9π3
Pre-installed C2 Infrastructure and RAT Payload on Android Projectors
https://github.com/Kavan00/Android-Projector-C2-Malware
https://github.com/Kavan00/Android-Projector-C2-Malware
GitHub
GitHub - Kavan00/Android-Projector-C2-Malware: Breakdown of a c2-network of chinese beamers - SilentSDK-Analysis
Breakdown of a c2-network of chinese beamers - SilentSDK-Analysis - Kavan00/Android-Projector-C2-Malware
π7β€3π1
Reversing XAMARIN Mobile Applications
https://mrbypass.medium.com/reversing-xamarin-mobile-applications-3910a857444d
https://mrbypass.medium.com/reversing-xamarin-mobile-applications-3910a857444d
Medium
π Reversing XAMARIN Mobile Applications
π± What is XAMARIN?
π5
MalFixer: toolkit for inspecting and recovering malformed Android APK files (repairs corrupted ZIP entries, decodes and reconstructs malformed Android manifests, and extracts or sanitises problematic asset files)
https://github.com/Cleafy/Malfixer
https://github.com/Cleafy/Malfixer
GitHub
GitHub - Cleafy/Malfixer: MalFixer is a comprehensive toolkit for inspecting and recovering malformed Android APK files
MalFixer is a comprehensive toolkit for inspecting and recovering malformed Android APK files - Cleafy/Malfixer
β€10π€£3