Operation NoVoice: Rootkit Tells No Tales (link to Android Triada family)
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/
McAfee Blog
Operation NoVoice: Rootkit Tells No Tales | McAfee Blog
Authored By: Ahmad Zubair Zahid McAfeeโs mobile research team identified and investigated an Android rootkit campaign tracked as Operation Novoice. The
โก9
Analysis of cifrat: could this be an evolution of a mobile RAT?
https://cert.pl/en/posts/2026/04/cifrat-analysis/
https://cert.pl/en/posts/2026/04/cifrat-analysis/
cert.pl
Analysis of cifrat: could this be an evolution of a mobile RAT?
CERT Polska analyzed a Booking themed Android malware chain delivered through phishing and a fake update website. The sample is a multistage dropper that installs a hidden accessibility controlled RAT with WebSocket C2.
๐11
PoC of DarkSword iOS exploit tested on iOS 17.1.1 - 26.0.1
https://github.com/rooootdev/lara
https://github.com/rooootdev/lara
GitHub
GitHub - rooootdev/lara: WIP darksword kexploit implement
WIP darksword kexploit implement. Contribute to rooootdev/lara development by creating an account on GitHub.
โค7๐4๐ฉ1
Canis C2 Exposed: Previously Undocumented Cross-Platform Surveillance Framework Targeting Japan pivoting from Android sample
https://hunt.io/blog/canis-c2-exposed-cross-platform-surveillance-framework-japan
https://hunt.io/blog/canis-c2-exposed-cross-platform-surveillance-framework-japan
hunt.io
Canis C2 Exposed: Previously Undocumented Cross-Platform Surveillance Framework Targeting Japan
An exposed API on a Japanese phishing server revealed Canis C2, a previously undocumented surveillance framework targeting Android, iOS, Windows, Linux, and macOS.
โค10๐2
Hack-For-Hire Operation Linked to BITTER APT (Android ProSpy spyware)
https://www.lookout.com/threat-intelligence/article/bitter-hack-for-hire
https://www.lookout.com/threat-intelligence/article/bitter-hack-for-hire
Lookout
Beyond BITTER: MENA Civil Society Targeted in Hack-For-Hire Operation Linke | Threat Intel
๐7
Intent redirection vulnerability in third-party EngageLab SDK exposed millions of Android wallets to potential risk
https://www.microsoft.com/en-us/security/blog/2026/04/09/intent-redirection-vulnerability-third-party-sdk-android/
https://www.microsoft.com/en-us/security/blog/2026/04/09/intent-redirection-vulnerability-third-party-sdk-android/
Microsoft News
Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk
A severe Android intentโredirection vulnerability in a widely deployed SDK exposed sensitive user data across millions of apps. Microsoft researchers detail how the flaw works, why it matters, and how developers can mitigate similar risks by updating affectedโฆ
๐8โค4
Mirax: a new Android RAT turning infected devices into potential residential proxy nodes
https://www.cleafy.com/cleafy-labs/mirax-a-new-android-rat-turning-infected-devices-into-potential-residential-proxy-nodes
https://www.cleafy.com/cleafy-labs/mirax-a-new-android-rat-turning-infected-devices-into-potential-residential-proxy-nodes
Cleafy
Mirax: a new Android RAT turning infected devices into potential residential proxy nodes
Mirax, a new Android RAT and banking malware operating as a private MaaS is actively targeting Spanish-speaking countries via Meta ad campaigns.
๐15โค4
Giving an Agent a Rooted Android Phone
https://workers.io/blog/autonomous-mobile-pentesting/
https://workers.io/blog/autonomous-mobile-pentesting/
Workers IO
Giving an Agent a Rooted Android Phone
So what actually happens if you hand an AI agent root access to an Android phone, plus a runtime hooking framework? In this case, it went straight to reverse-engineering Subway Surfers and figured out how to rack up unlimited coins.
โค14๐3๐พ1
Pre-installed C2 Infrastructure and RAT Payload on Android Projectors
https://github.com/Kavan00/Android-Projector-C2-Malware
https://github.com/Kavan00/Android-Projector-C2-Malware
GitHub
GitHub - Kavan00/Android-Projector-C2-Malware: Breakdown of a c2-network of chinese beamers - SilentSDK-Analysis
Breakdown of a c2-network of chinese beamers - SilentSDK-Analysis - Kavan00/Android-Projector-C2-Malware
๐10โค3๐1
Reversing XAMARIN Mobile Applications
https://mrbypass.medium.com/reversing-xamarin-mobile-applications-3910a857444d
https://mrbypass.medium.com/reversing-xamarin-mobile-applications-3910a857444d
Medium
๐ Reversing XAMARIN Mobile Applications
๐ฑ What is XAMARIN?
๐10
MalFixer: toolkit for inspecting and recovering malformed Android APK files (repairs corrupted ZIP entries, decodes and reconstructs malformed Android manifests, and extracts or sanitises problematic asset files)
https://github.com/Cleafy/Malfixer
https://github.com/Cleafy/Malfixer
GitHub
GitHub - Cleafy/Malfixer: MalFixer is a comprehensive toolkit for inspecting and recovering malformed Android APK files
MalFixer is a comprehensive toolkit for inspecting and recovering malformed Android APK files - Cleafy/Malfixer
โค17๐คฃ4โก1
Android Bankers: 4 Campaigns In A Row
https://zimperium.com/blog/android-bankers-4-campaigns-in-a-row
https://zimperium.com/blog/android-bankers-4-campaigns-in-a-row
Zimperium
Android Bankers: 4 Campaigns In A Row
true
โค9๐1
Lorikazz: An Android TV and STB botnet using Tor .onion C2, ENS resolution, and bundled ELF payloads disguised as system libraries to hijack set-top boxes for proxyware operations
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-04-13-LORIKAZZ-ANDROID-IOT.txt
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-04-13-LORIKAZZ-ANDROID-IOT.txt
GitHub
Unit42-timely-threat-intel/2026-04-13-LORIKAZZ-ANDROID-IOT.txt at main ยท PaloAltoNetworks/Unit42-timely-threat-intel
A collection of files with indicators supporting social media posts from Palo Alto Network's Unit 42 team to disseminate timely threat intelligence. - PaloAltoNetworks/Unit42-timely-threat-intel
โค9๐4
MiningDropper โ A Global Modular Android Malware Campaign Operating at Scale
https://cyble.com/blog/miningdropper-global-modular-android-malware/
https://cyble.com/blog/miningdropper-global-modular-android-malware/
Cyble
MiningDropper: A Global Android Malware Campaign
Cyble analyzes a surge in an ongoing campaign to deliver MiningDropper โ a modular Android malware framework - at scale.
๐9โค2
FakeWallet crypto stealer spreading through iOS apps in the App Store
https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/
https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/
โค11๐3
New NGate variant hides in a trojanized NFC payment app
https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/
https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/
Welivesecurity
New NGate variant hides in a trojanized NFC payment app
ESET researchers discover another iteration of NGate malware, this time possibly developed with the assistance of AI.
๐ฑ10โค3๐1
Bad Connection: Uncovering how global mobile networks themselves have become surveillance infrastructure to spy on location of targets
https://citizenlab.ca/research/uncovering-global-telecom-exploitation-by-covert-surveillance-actors/
https://citizenlab.ca/research/uncovering-global-telecom-exploitation-by-covert-surveillance-actors/
The Citizen Lab
The Citizen Lab Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors
Our investigation uncovers two sophisticated telecom surveillance campaigns and, for the first time, links real-world attack traffic to mobile operator signalling infrastructure. The findings expose how suspected commercial surveillance vendors (CSVs) exploitโฆ
โค6๐4๐3
Morpheus: A new Spyware linked to IPS Intelligence
https://osservatorionessuno.org/blog/2026/04/morpheus-a-new-spyware-linked-to-ips-intelligence/
https://osservatorionessuno.org/blog/2026/04/morpheus-a-new-spyware-linked-to-ips-intelligence/
osservatorionessuno.org
Osservatorio Nessuno
Morpheus: A new Spyware linked to IPS Intelligence
โค9๐5
KYCShadow: An Android Banking Malware Exploiting Fake KYC Workflows for Credential and OTP Theft
https://www.cyfirma.com/research/kycshadow-an-android-banking-malware-exploiting-fake-kyc-workflows-for-credential-and-otp-theft/
https://www.cyfirma.com/research/kycshadow-an-android-banking-malware-exploiting-fake-kyc-workflows-for-credential-and-otp-theft/
CYFIRMA
KYCShadow: An Android Banking Malware Exploiting Fake KYC Workflows for Credential and OTP Theft - CYFIRMA
Executive Summary This report presents an analysis of an Android malware masquerading as a bank KYC verification application, distributed via...
๐5
apk-info: APK full-featured parser
https://github.com/delvinru/apk-info
https://github.com/delvinru/apk-info
GitHub
GitHub - delvinru/apk-info: APK full-featured parser
APK full-featured parser. Contribute to delvinru/apk-info development by creating an account on GitHub.
โค18๐ฉ4๐ฅ2๐คฎ2๐คก1๐1๐1
This media is not supported in your browser
VIEW IN TELEGRAM
A Five- Bug Chain to Arbitrary APK Install on Samsung S25
https://bugscale.ch/blog/here-we-go-again-a-five-bug-chain-to-arbitrary-apk-install-on-samsung-s25/
https://bugscale.ch/blog/here-we-go-again-a-five-bug-chain-to-arbitrary-apk-install-on-samsung-s25/
โค12๐ฅ5๐4