Frida JDWP Loader
This tool dynamically attaches Frida to any debuggable Android process over JDWP, enabling runtime instrumentation without root access.
Perfect for dynamic app analysis, quick pentesting, bug bounty
https://github.com/frankheat/frida-jdwp-loader Video demo: https://x.com/androidmalware2/status/1986022672472359017
This tool dynamically attaches Frida to any debuggable Android process over JDWP, enabling runtime instrumentation without root access.
Perfect for dynamic app analysis, quick pentesting, bug bounty
https://github.com/frankheat/frida-jdwp-loader Video demo: https://x.com/androidmalware2/status/1986022672472359017
โค12๐5๐ฅ3
Analysis of recent Android NGate malware campaign (NFC relay) in Poland
https://cert.pl/en/posts/2025/11/analiza-ngate/
Demo: https://x.com/androidmalware2/status/1986406590866727047
https://cert.pl/en/posts/2025/11/analiza-ngate/
Demo: https://x.com/androidmalware2/status/1986406590866727047
cert.pl
Analysis of NGate malware campaign (NFC relay)
CERT Polska has observed new samples of mobile malware in recent months associated with an NFC Relay (NGate) attack targeting users of Polish banks.
๐9โค6๐2
Android Stalkerware Detection Test
https://www.eff.org/deeplinks/2025/11/eff-teams-av-comparatives-test-android-stalkerware-detection-major-antivirus-apps
https://www.eff.org/deeplinks/2025/11/eff-teams-av-comparatives-test-android-stalkerware-detection-major-antivirus-apps
๐8
Fantasy Hub: Analysis of Russian Based Android RAT as M-a-a-S
https://zimperium.com/blog/fantasy-hub-another-russian-based-rat-as-m-a-a-s
https://zimperium.com/blog/fantasy-hub-another-russian-based-rat-as-m-a-a-s
Zimperium
Fantasy Hub: Another Russian Based RAT as M-a-a-S
true
๐8
LANDFALL: New Android commercial-grade spyware targeted Samsung Galaxy devices via a WhatsApp zero-click exploit in image parsing (CVE-2025-21042)
https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/
https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/
๐ฅ20๐3๐3โค1
Runtime Android Object Instrumentation
https://knifecoat.com/Posts/Runtime+Android+Object+Instrumentation
https://knifecoat.com/Posts/Runtime+Android+Object+Instrumentation
KnifeCoat
Runtime Android Object Instrumentation - KnifeCoat
Intro This year I have been doing quite a bit Android userland analysis. Android is a wonderful platform to work on, great decompiler support (JEB), easy access to rooted devices (unless you buy NA lโฆ
๐6
The North Korean state-sponsored KONNI APT group is now using remote wipe tactics to erase Android devices through compromised victim computer
https://www.genians.co.kr/en/blog/threat_intelligence/android
https://www.genians.co.kr/en/blog/threat_intelligence/android
www.genians.co.kr
State-Sponsored Remote Wipe Tactics Targeting Android Devices
The Konni APT campaign has caused damage by remotely resetting Google Android-based devices, resulting in the unauthorized deletion of personal data.
๐8โค4๐3
North Korean APT actors exploited ZipperDown vulnerability in Android apps via malicious emails.
One click โ overwrite app library โ full control.
https://ti.qianxin.com/blog/articles/operation-south-star-en/
One click โ overwrite app library โ full control.
https://ti.qianxin.com/blog/articles/operation-south-star-en/
Qianxin
ๅฅๅฎไฟกๅจ่ๆ
ๆฅไธญๅฟ
Nuxt.js project
๐6
First-ever interview with one of Kali NetHunter developers @yesimxev is live!
We "sat down" and talked about:
His hacking journey.
What are the best smartphone for running NetHunter.
Two newly supported devices revealed.
A sneak peek into his brand-new podcast and more.
https://www.mobile-hacker.com/2025/11/11/inside-the-mind-of-a-kali-nethunter-developer-a-deep-dive-with-yesimxev/
We "sat down" and talked about:
His hacking journey.
What are the best smartphone for running NetHunter.
Two newly supported devices revealed.
A sneak peek into his brand-new podcast and more.
https://www.mobile-hacker.com/2025/11/11/inside-the-mind-of-a-kali-nethunter-developer-a-deep-dive-with-yesimxev/
๐6โค4
Flutter SSL Bypass: How to Intercept HTTPS Traffic When all other Frida Scripts Fail
https://m4kr0x.medium.com/flutter-tls-bypass-how-to-intercept-https-traffic-when-all-other-frida-scripts-fail-bd3d04489088
https://m4kr0x.medium.com/flutter-tls-bypass-how-to-intercept-https-traffic-when-all-other-frida-scripts-fail-bd3d04489088
Medium
Flutter SSL Bypass: How to Intercept HTTPS Traffic When all other Frida Scripts Fail
In this article, Iโll walk you through my journey in intercepting HTTPS traffic from a APK based on Flutter during a pentesting engagementโฆ
๐15๐ฅ6โค3๐3
GPT Trade: Fake Google Play Store drops BTMob Spyware and UASecurity Miner on Android Devices
https://www.d3lab.net/gpt-trade-fake-google-play-store-drops-btmob-spyware-and-uasecurity-miner-on-android-devices/
https://www.d3lab.net/gpt-trade-fake-google-play-store-drops-btmob-spyware-and-uasecurity-miner-on-android-devices/
D3Lab
GPT Trade: Fake Google Play Store drops BTMob Spyware and UASecurity Miner on Android Devices
A recently discovered Android campaign leverages a fake Google Play Store to distribute GPT Trade, a malicious dropper posing as a ChatGPT-themed trading app. Once installed, the dropper silently generates and deploys two additional malware familiesโBTMobโฆ
โค12๐4๐ฉ1๐ฅด1๐1
One of top-selling digital picture frames from Amazonโs between March and April 2025 comes:
-rooted by default
-runs Android 6
-SELinux security module disabled
-downloads and executes malicious payloads from China-based servers at boot
-17 security issues discovered
report: https://go.quokka.io/hubfs/App-Intel/Technical_Uhale-Digital-Picture-Frame-Security-Assessment.pdf
-rooted by default
-runs Android 6
-SELinux security module disabled
-downloads and executes malicious payloads from China-based servers at boot
-17 security issues discovered
report: https://go.quokka.io/hubfs/App-Intel/Technical_Uhale-Digital-Picture-Frame-Security-Assessment.pdf
๐18๐8๐คฏ3๐2
A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers
https://github.com/sbaresearch/whatsapp-census
https://github.com/sbaresearch/whatsapp-census
๐คฏ16๐ฅ9๐ฅฑ4๐2
Sturnus: Mobile Banking Malware bypassing WhatsApp, Telegram and Signal Encryption
https://www.threatfabric.com/blogs/sturnus-banking-trojan-bypassing-whatsapp-telegram-and-signal
https://www.threatfabric.com/blogs/sturnus-banking-trojan-bypassing-whatsapp-telegram-and-signal
ThreatFabric
Sturnus: Mobile Banking Malware bypassing WhatsApp, Telegram and Signal Encryption
Sturnus is a privately operated Android banking trojan with many fraud-related capabilities, including Device Takeover and capturing decrypted messages.
๐8๐6๐ฅฑ2
The Phia app for iOS injects JavaScript and still collects almost every URL you visit with their Safari extension. Safari extensions even with Appleโs restrictions
https://gist.github.com/dweinstein/4d827f787ba65b5d0fd05cc9814883c4
https://gist.github.com/dweinstein/4d827f787ba65b5d0fd05cc9814883c4
Gist
phia ios app analysis (living document)
phia ios app analysis (living document). GitHub Gist: instantly share code, notes, and snippets.
๐8๐คฏ1๐คฃ1
WhatsApp by the Numbers
I dived into anonymized metadata published after a #WhatsApp security issue that exposed 3.5B phone numbers
-Android rules (81%)
-iOS dominates in rich markets
-Monaco = multi-account heaven
-China is niche but enterprise-heavy
https://www.mobile-hacker.com/2025/11/20/whatsapp-by-the-numbers-what-anonymized-metadata-from-a-security-flaw-reveals/
I dived into anonymized metadata published after a #WhatsApp security issue that exposed 3.5B phone numbers
-Android rules (81%)
-iOS dominates in rich markets
-Monaco = multi-account heaven
-China is niche but enterprise-heavy
https://www.mobile-hacker.com/2025/11/20/whatsapp-by-the-numbers-what-anonymized-metadata-from-a-security-flaw-reveals/
Mobile Hacker
WhatsApp by the Numbers: What Anonymized Metadata from a Security Flaw Reveals
The dataset originates from metadata published in connection with a security study titled โTrivial WhatsApp Security Issue Exposed 3.5 Billion Phone Numbers.โ That research demonstrated how a simple flaw could reveal phone numbers globally.
โค10๐4๐คฎ3๐ฅ2
How deep links in mobile apps can be exploited for Remote Code Execution (RCE)
https://medium.com/meetcyber/exploiting-deep-links-for-rce-in-mobile-applications-6806c330c00b
https://medium.com/meetcyber/exploiting-deep-links-for-rce-in-mobile-applications-6806c330c00b
Medium
Exploiting Deep Links for RCE in Mobile Applications
In this blog, we will see how we can exploit a deeplink to achieve an RCE
โค8๐2๐1
Proof-of-concept exploit showing how itunesstored & bookassetd daemons can be abused to escape iOS sandbox restrictions
https://hanakim3945.github.io/posts/download28_sbx_escape/
https://hanakim3945.github.io/posts/download28_sbx_escape/
Hana's Blog
itunesstored & bookassetd sbx escape - Hana's Blog
POC writeup to exploit sandbox escape in itunesstored & bookassetd
๐5๐2
GhostAd: Hidden Google Play Adware Drains Devices and Disrupts Millions of Users
https://blog.checkpoint.com/research/ghostad-hidden-google-play-adware-drains-devices-and-disrupts-millions-of-users/
https://blog.checkpoint.com/research/ghostad-hidden-google-play-adware-drains-devices-and-disrupts-millions-of-users/
Check Point Blog
GhostAd: Hidden Google Play Adware Drains Devices and Disrupts Millions of Users - Check Point Blog
Check Point researchers uncover a large-scale Android adware campaign that silently drains resources and disrupts normal phone use through persistent
RadzaRat: New Android Trojan Disguised as File Manager Emerges with Zero Detection Rate
https://www.certosoftware.com/insights/radzarat-new-android-trojan-disguised-as-file-manager-emerges-with-zero-detection-rate/
https://www.certosoftware.com/insights/radzarat-new-android-trojan-disguised-as-file-manager-emerges-with-zero-detection-rate/
Certo Software | iPhone & Android Spyware Detection
RadzaRat: New Android Trojan Disguised as File Manager Emerges with Zero Detection Rate
The Android malware-as-a-service (MaaS) ecosystem continues to evolve with increasingly sophisticated threats designed to evade security measures while maintaining operational simplicity for would-be attackers.
๐2๐จโ๐ป1