PoC for CVE-2024-27804, an iOS/macOS kernel vulnerability that leads to the execution of arbitrary code with kernel privileges
https://r00tkitsmm.github.io/fuzzing/2024/05/14/anotherappleavd.html
https://r00tkitsmm.github.io/fuzzing/2024/05/14/anotherappleavd.html
My interesting research.
CVE-2024-27804 Vulnerability in AppleAVD
https://github.com/R00tkitSMM/CVE-2024-27804
๐19๐3โค1
New Android Banking Trojan named Antidot Masquerades as Fake Google Play Updates
https://cyble.com/blog/new-antidot-android-banking-trojan-masquerading-as-google-play-updates/
https://cyble.com/blog/new-antidot-android-banking-trojan-masquerading-as-google-play-updates/
Cyble
New Antidot Trojan Disguised As Fake Google Play Updates
Discover the 'Antidot' Android Banking Trojan: a fake Google Play update that steals credentials using overlay attacks and remote control techniques.
๐ค11๐3๐2๐คก2๐ฅฑ2โค1
Mobile Malware Analysis of Android banking trojan Blackrock
https://8ksec.io/mobile-malware-analysis-part-7-blackrock/
https://8ksec.io/mobile-malware-analysis-part-7-blackrock/
8kSec - 8kSec is a cybersecurity research & training company. We provide high-quality training & consulting services.
Mobile Malware Analysis Part 7 โ Blackrock - 8kSec
Read part - 7 of our mobile malware series to learn about Blackrock Malware and tricks it uses like messing with accessibility settings. Read more now!
โค19๐4๐ฅฑ3๐2๐2
Fuzzing Android binaries using AFL++ Frida Mode
https://valsamaras.medium.com/fuzzing-android-binaries-using-afl-frida-mode-57a49cf2ca43
https://valsamaras.medium.com/fuzzing-android-binaries-using-afl-frida-mode-57a49cf2ca43
Medium
Fuzzing Android binaries using AFL++ Frida Mode
You might find this to be a fitting prologue to my earlier post on Creating and using JVM instances in Android C/C++ applicationsโฆ and youโฆ
๐14
Android Firedown Browser app allows a remote attacker to execute arbitrary JavaScript code via an implicit intent (CVE-2024-31974)
https://github.com/actuator/com.solarized.firedown/blob/main/CVE-2024-31974
https://github.com/actuator/com.solarized.firedown/blob/main/CVE-2024-31974
GitHub
com.solarized.firedown/CVE-2024-31974 at main ยท actuator/com.solarized.firedown
CVE-2024-31974. Contribute to actuator/com.solarized.firedown development by creating an account on GitHub.
๐21๐คจ4
Technical Analysis of Anatsa (a.k.a. TeaBot) Campaigns: An Android Banking Malware Active in the Google Play Store
https://www.zscaler.com/blogs/security-research/technical-analysis-anatsa-campaigns-android-banking-malware-active-google
https://www.zscaler.com/blogs/security-research/technical-analysis-anatsa-campaigns-android-banking-malware-active-google
Zscaler
Anatsa Campaign Technical Analysis | ThreatLabz
Explore how Anatsa distributes Android malware by using PDF and QR code reader decoys to lure victims through the Google Play store.
๐15
PCTattletale stalkerware leaks victims' screen recordings to entire Internet
https://www.ericdaigle.ca/pctattletale-leaking-screen-captures/
https://www.ericdaigle.ca/pctattletale-leaking-screen-captures/
www.ericdaigle.ca
Eric Daigle
Eric Daigle' personal website
๐14๐ฑ2
PS4 PPPwn Exploit: Using Android DroidPPPwn app it is possible to jailbreak PS4
Info: https://wololo.net/2024/05/28/ps4-pppwn-exploit-droidpppwn-port-to-android-phones-version-1-1/
DroidPPPwn: https://github.com/deviato/DroidPPPwn
Info: https://wololo.net/2024/05/28/ps4-pppwn-exploit-droidpppwn-port-to-android-phones-version-1-1/
DroidPPPwn: https://github.com/deviato/DroidPPPwn
Wololo.net
PS4 PPPwn Exploit: DroidPPPwn port to Android phones (version 1.1) - Wololo.net
Developer Deviato has released DroidPPPwn, a port of the PPPwn PS4 exploit to Android phones. It relies on the C++ port of the PPPwn exploit (and therefore is reasonably fast to run). As one...
๐18๐ซก5๐ฑ4๐ฅ3
New dalvik bytecode disassembler and graph view
Blog: https://margin.re/2024/05/dalvik-disassembly/
Github: https://github.com/MarginResearch/dalvik
Blog: https://margin.re/2024/05/dalvik-disassembly/
Github: https://github.com/MarginResearch/dalvik
Margin Research
Disassembling Dalvik
In this post, we announce the release of a small library for disassembling Dalvik bytecode. This serves as a foundation for building static analysis tooling for Android applications and system services in Rust. Read on for an example graphview applicationโฆ
๐19โค4
Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fake-bahrain-government-android-app-steals-personal-data-used-for-financial-fraud/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fake-bahrain-government-android-app-steals-personal-data-used-for-financial-fraud/
McAfee Blog
Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud | McAfee Blog
Authored by Dexter Shin Many government agencies provide their services online for the convenience of their citizens. Also, if this service could be
๐ฅ18๐4
Android Universal Root
Rooting Pixel 6 and 7 Pro running Android 13 ๐
Analysis and Exploitation of CVE-2023-20938 (exploit a use-after-free vulnerability to elevate privileges to root and disable SELinux)
[blog] https://androidoffsec.withgoogle.com/posts/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938/
[slides] https://androidoffsec.withgoogle.com/posts/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938/offensivecon_24_binder.pdf
[PoC demo] https://www.youtube.com/watch?v=7qFb6RUHnnU
Rooting Pixel 6 and 7 Pro running Android 13 ๐
Analysis and Exploitation of CVE-2023-20938 (exploit a use-after-free vulnerability to elevate privileges to root and disable SELinux)
[blog] https://androidoffsec.withgoogle.com/posts/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938/
[slides] https://androidoffsec.withgoogle.com/posts/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938/offensivecon_24_binder.pdf
[PoC demo] https://www.youtube.com/watch?v=7qFb6RUHnnU
Withgoogle
Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938 - Android Offensive Security Blog
At OffensiveCon 2024, the Android Red Team gave a presentation (slides) on finding and exploiting CVE-2023-20938, a use-after-free vulnerability in the Android Binder device driver. This post will provide technical details about this vulnerability and howโฆ
๐20โค1๐ฅ1
iOS 16.5.1 safari RCE Analysis (CVE-2023โ37450)
[blog] https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc
[slides] https://www.synacktiv.com/sites/default/files/2024-05/escaping_the_safari_sandbox_slides.pdf
[blog] https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc
[slides] https://www.synacktiv.com/sites/default/files/2024-05/escaping_the_safari_sandbox_slides.pdf
Medium
Clobber the world โ Endless side effect issue in Safari
Clobber the world โ Endless side effect issue in Safari
๐21
Becoming any Android app via Zygote command injection (CVE-2024-31317)
https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html
https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html
Meta Red Team X
Becoming any Android app via Zygote command injection
We have discovered a vulnerability in Android that allows an attacker with the WRITE_SECURE_SETTINGS permission, which is held by the ADB shell and certain privileged apps, to execute arbitrary code as any app on a device. By doing so, they can read and writeโฆ
๐ฅ33๐3โค1
GoldPickaxe exposed: How Group-IB analyzed the face-stealing iOS Trojan and how to do it yourself
https://www.group-ib.com/blog/goldpickaxe-ios-trojan/
https://www.group-ib.com/blog/goldpickaxe-ios-trojan/
Group-IB
GoldPickaxe exposed: How Group-IB analyzed the face-stealing iOS Trojan and how to do it yourself | Group-IB Blog
Learn how to protect your devices against evolving iOS threats.
๐ฅ17๐2โค1
Android (on device) fuzzing using AFL++ Frida Mode
Blog: https://knifecoat.com/Posts/Fuzzing+Redux%2C+leveraging+AFL%2B%2B+Frida-Mode+on+Android+native+libraries
AFL++ Frida Mode Build: https://github.com/FuzzySecurity/afl-frida-build
Blog: https://knifecoat.com/Posts/Fuzzing+Redux%2C+leveraging+AFL%2B%2B+Frida-Mode+on+Android+native+libraries
AFL++ Frida Mode Build: https://github.com/FuzzySecurity/afl-frida-build
KnifeCoat
Fuzzing Redux, leveraging AFL++ Frida-Mode on Android native libraries - KnifeCoat
Intro Welcome fellow antiquarians, after detouring a little bit on the app layer we are back to the native layer. Both parts are very important for Android userland of course. The apps provide interaโฆ
๐ฅ21๐1
Wpeeper: New Android malware hides behind hacked WordPress sites
https://blog.xlab.qianxin.com/playing-possum-whats-the-wpeeper-backdoor-up-to/
https://blog.xlab.qianxin.com/playing-possum-whats-the-wpeeper-backdoor-up-to/
ๅฅๅฎไฟก X ๅฎ้ชๅฎค
Playing Possum: What's the Wpeeper Backdoor Up To?
Summary
On April 18, 2024, XLab's threat hunting system detected an ELF file with zero detections on VirusTotal being distributed through two different domains. One of the domains was marked as malicious by three security firms, while the other was recentlyโฆ
On April 18, 2024, XLab's threat hunting system detected an ELF file with zero detections on VirusTotal being distributed through two different domains. One of the domains was marked as malicious by three security firms, while the other was recentlyโฆ
๐16
DoS McAfee VPN app via deeplink
McAfee Security: Antivirus VPN for Android before 8.3.0 could allow an attacker to cause a denial of service through the use of a malformed deep link (CVE-2024-34406)
https://www.mcafee.com/support/?articleId=000002403&page=shell&shell=article-view
McAfee Security: Antivirus VPN for Android before 8.3.0 could allow an attacker to cause a denial of service through the use of a malformed deep link (CVE-2024-34406)
https://www.mcafee.com/support/?articleId=000002403&page=shell&shell=article-view
๐14๐ฅ2๐ฅฐ2โค1
QR code SQL injection and other vulnerabilities in a popular biometric terminal (CVE-2023-3938, CVE-2023-3939, CVE-2023-3940, CVE-2023-3941, CVE-2023-3942, CVE-2023-3943)
https://securelist.com/biometric-terminal-vulnerabilities/112800/
https://securelist.com/biometric-terminal-vulnerabilities/112800/
Securelist
Analyzing the security properties of a ZKTeco biometric terminal
The report analyzes the security properties of a popular biometric access control terminal made by ZKTeco and describes vulnerabilities found in it.
๐23๐ฅ4
Five campaigns targeting Android users in Egypt and Palestine, most probably operated by the Arid Viper APT group. Three of the campaigns are active, distributing Android spyware AridSpy via dedicated websites
https://www.welivesecurity.com/en/eset-research/arid-viper-poisons-android-apps-with-aridspy/
https://www.welivesecurity.com/en/eset-research/arid-viper-poisons-android-apps-with-aridspy/
Welivesecurity
Arid Viper poisons Android apps with AridSpy
ESET research has discovered Arid Viper espionage campaigns that deploy multistage Android spyware and target people in Egypt and Palestine.
๐15
Operation Celestial Force employs mobile and desktop malware to target Indian entities (GravityRAT, HeavyLift)
https://blog.talosintelligence.com/cosmic-leopard/
https://blog.talosintelligence.com/cosmic-leopard/
Cisco Talos Blog
Operation Celestial Force employs mobile and desktop malware to target Indian entities
Cisco Talos is disclosing a new malware campaign called โOperation Celestial Forceโ running since at least 2018. It is still active today, employing the use of GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as โHeavyLift.โ
โค16๐ฅ2๐1