The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome, marking the first time the adversary has been discovered using mobile-only malware families in its attack campaigns.
"BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims," Lookout said in an analysis. "Both

Gamaredon Deploys Android Spyware "BoneSpy" and "PlainGnome" in Former Soviet States

A critical flaw in the company's rate limit for failed sign-in attempts allowed unauthorized access to a user account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.

Source: Fabio Principe via AdobeStock Photo

Researchers cracked a Microsoft Azure method for multifactor authentication (MFA) in about an hour, due to a critical vulnerability that allowed them unauthorized access to a user's account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.

Researchers at Oasis Security discovered the flaw, which was present due to a lack of rate limit for the amount of times someone could attempt to sign in with MFA and fail when trying to access an account, they revealed in a blog post on Dec. 11. The flaw exposed the more than 400 million paid Microsoft 365 seats to potential account takeover, they said.

When signing into a Microsoft account, a user supplies their email and password and then selects a pre-configured MFA method. In the case used by the researchers, they are given a code by Microsoft via another form of communication to facilitate sign-in.

The researchers achieved the bypass, which they dubbed "AuthQuake," by "rapidly creating new sessions and enumerating codes," Tal Hason, an Oasis research engineer, wrote in the post. This allowed them to demonstrate "a very high rate of attempts that would quickly exhaust the total number of options for a 6-digit code," which is 1 million, he explained.

"Simply put — one could execute many attempts simultaneously," Hason wrote. Moreover, during the multiple failed attempts to sign in, account owners did not receive any alert about the activity, "making this vulnerability and attack technique dangerously low profile," Hason wrote.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

Oasis informed Microsoft of the issue, which acknowledged its existence in June and fixed it permanently by Oct. 9, the researchers said. "While specific details of the changes are confidential, we can confirm that Microsoft introduced a much stricter rate limit that kicks in after a number of failed attempts; the strict limit lasts around half a day," Hason wrote.

**Ample Time to Guess MFA Code**

Another issue that allowed for the MFA bypass was that the available timeframe an attacker had to guess a single code was 2.5 minutes longer than the recommended timeframe for a time-based one-time password (TOTP) according to RFC-6238, the Internet Engineering Task Force (IETF) recommendation for implementing MFA authentication.

RFC-6238 recommends that a code expires after 30 seconds; however, most MFA applications provide a short grace period and allow these codes to be valid longer.

"This means that a single TOTP code may be valid for more than 30 seconds," Hason explained. "The Oasis Security Research team's testing with Microsoft sign-in showed a tolerance of around three minutes for a single code, extending 2.5 minutes past its expiry, allowing 6x more attempts to be sent."

Related:Chinese Cops Caught Using Android Spyware to Track Mobile Devices

This extra time meant that the researchers had a 3% chance of correctly guessing the code within the extended timeframe, Hason explained. A malicious actor trying to crack the code would have been likely to proceed and run further sessions until they hit a valid guess, which the researchers proceeded to do without encountering any limitations, he said.

After 24 sessions of trying to guess the code, which would take around 70 minutes, a malicious actor would already pass the 50% chance of hitting the valid code. In their research, the Oasis team attempted this method several times, and once even found they guessed the code early on in the process, exposing how quickly MFA could be bypassed.

**Best Practices for Safe MFA**

While MFA is still considered one of the most secure ways to protect passwords to online accounts, the research demonstrates that no system is completely attacker-proof. Oasis recommended that organizations continue to use either authenticator apps or strong passwordless methods for protecting user accounts from malicious attacks.

Related:Europol Cracks Down on Holiday DDoS Attacks

Other best practices include one that has long been recommended for years as part of basic password hygiene: users should change passwords to their online accounts frequently. Moreover, any organization using MFA to protect accounts should add a mail alert to notify users of failed MFA attempts, even if they don't notify them of every failed password sign-in attempt, Hason noted.

This latter advice also should be applied to any organization building MFA into a system or application, according to Oasis. MFA app designers also should ensure they include rate limits that don't allow for indefinite attempts to sign in, and lock an account after a certain time to limit successful MFA attacks or bypasses.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Researchers Crack Microsoft Azure MFA in an Hour

Hackers are constantly evolving, and so too should our security protocols.

Source: Brain light via Alamy Stock Photo

COMMENTARY

We witnessed some of the largest data breaches in recent history in 2024, with victims including industry titans like AT&T, Snowflake (and, therefore, Ticketmaster), and more. For US businesses, data breaches cost more than $9 million on average, and they cause lasting damage to customer and partner trust. 

Still, a resounding 98% of companies work with vendors that have had a breach. While business leaders have become more cautious in identifying vendors, they're integral to the growth of a business — providing critical goods, services, and technology to support ever-evolving business models and complex supply chains. 

These vendors may never be able to fully guarantee security and peace of mind, so security teams must regularly conduct due diligence measures to make more informed decisions and mitigate risks as much as possible. As businesses plan for the coming year, here are tips for ensuring your data, privacy, and information assets are secured and protected in 2025. 

**Proactive Security Reviews**

Vendors are essential, but relying on them without verifying their security practices is like playing with fire. Conducting regular security reviews will help your team mitigate potential risks before they turn into costly incidents. A security review is a comprehensive analysis of a vendor's ability to protect sensitive data, comply with industry regulations, and respond to potential breaches. Conducting a security review involves evaluating several key areas, such as data encryption, compliance with standards like the European Union's General Data Protection Regulation (GDPR) and the US Health Insurance Portability and Accountability Act (HIPAA), and incident response protocols.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

Ongoing audits and real-time monitoring track a vendor's changing security posture and detect emerging vulnerabilities. Continuous monitoring ensures compliance and proactive threat detection, preventing gaps in security oversight.

The SolarWinds breach, for example, could have been mitigated with better continuous monitoring, which would have detected the malicious software update earlier.

A practical approach is to implement quarterly security assessments for vendors that handle critical infrastructure. These assessments can identify evolving risks, ensuring that a one-time review doesn't leave blind spots in long-term vendor security. 

To streamline assessments, leverage automation tools, vulnerability scanners, and compliance platforms to hand off repetitive tasks, improve accuracy, and save time, ensuring comprehensive reviews without manual bottlenecks. Using AI-driven security tools reduces detection times for vulnerabilities, helping companies address issues faster.

Related:Chinese Cops Caught Using Android Spyware to Track Mobile Devices

Security reviews aren't a complete fail-safe, but they do equip businesses to choose vendors that align with their security postures. With consistent, proactive security reviews, businesses can reduce their risk of cyberattacks, breaches, and regulatory fines.

**Updates to Legacy Systems**

Legacy systems are inherently risky, as outdated software and hardware are not receiving regular security updates. Assess your legacy systems for vulnerabilities, and plan to invest in upgrades or replacements. If an immediate replacement isn't possible, isolate legacy systems from your shared networks and utilize segmentation to contain threats. 

**Advanced Security Measures **

Once you have a process for regular security reviews and risk assessments in place, and your tech stack is protected from vulnerabilities, implement advanced security measures like encryption and access controls to protect your data and your team's data. 

**Encryption Protocols**

Encryption is a fundamental security measure that protects data at rest and in transit. For data at rest, ensure you are encrypting sensitive information stored on servers, databases, and other storage devices using robust encryption algorithms such as AES-256. For data in transit, encrypting information transmitted over networks using protocols like Transport Layer Security (TLS) is crucial to prevent interception and eavesdropping.

Related:Europol Cracks Down on Holiday DDoS Attacks

**Access Control Systems**

Stringent access controls help to ensure that only authorized personnel can access sensitive information. Multifactor authentication (MFA) is required to access critical systems and data, adding an extra layer of security beyond just passwords.

Role-based access control (RBAC) assigns permissions based on roles within an organization, so that employees have access only to the information necessary for their job functions. Regularly review and update these permissions to reflect changes in roles and responsibilities.

Identifying and mitigating IT infrastructure vulnerabilities, conducting thorough risk assessments, and implementing advanced security measures are critical steps in preventing data breaches. Organizations can significantly enhance their security posture, protect sensitive information, and ensure compliance with regulatory requirements by focusing on these areas. As we look ahead to 2025, remember to remain vigilant and agile: Hackers are constantly evolving, and so too should our security protocols. 

**About the Author**

Founder & CEO, SecurityPal

Pukar C. Hamal is founder and CEO of SecurityPal, an San Francisco-based startup delivering customer assurance — a holistic security framework designed to accelerate enterprise transactions and innovation. Born in a rural village in Nepal and proficient in eight languages, Pukar understands that innovation and economic potential aren't limited to Western "tech hubs," which is why SecurityPal has offices worldwide, including in Kathmandu, Nepal. Pukar’s vision with SecurityPal is to accelerate business growth and innovation by simplifying and securing the customer journey. Trusted by the world's most innovative companies, including OpenAI, MongoDB, Airtable, and Figma, SecurityPal has helped organizations answer nearly 2 million security questions.

Tips for Preventing Breaches in 2025

Cybersecurity researchers have discovered a novel surveillance program that's suspected to be used by Chinese police departments as a lawful intercept tool to gather a wide range of information from mobile devices.
The Android tool, codenamed EagleMsgSpy by Lookout, has been operational since at least 2017, with artifacts uploaded to the VirusTotal malware scanning platform as recently as

Chinese EagleMsgSpy Spyware Found Exploiting Mobile Devices Since 2017

The Nemesis and ShinyHunters attackers scanned millions of IP addresses to find exploitable cloud-based flaws, though their operation ironically was discovered due to a cloud misconfiguration of their own doing.

Source: GK Images via Alamy Stock Photo

Cybercriminal gangs have exploited vulnerabilities in public websites to steal Amazon Web Services (AWS) cloud credentials and other data from thousands of organizations, in a mass cyber operation that involved scanning millions of sites for vulnerable endpoints.

Independent cybersecurity researchers Noam Rotem and Ran Locar of the loosely organized research group CyberCyber Labs uncovered the operation in August, and reported it to vpnMentor, which published a blog post on Dec. 9 about their findings. Attackers appear to be connected to known threat groups Nemesis and ShinyHunters, the latter of which is probably best known for a cloud breach earlier this year that stole data from half a million Ticketmaster customers.

“Both of these 'gangs' represent a technically sophisticated cybercriminal syndicate that operates at scale for profit and uses their technical skills to identify weaknesses in controls from enterprises migrating to cloud computing without fully understanding the complexity of services nor the controls offered in cloud computing," notes Jim Routh, chief trust officer at Saviynt, a cloud identity and security management firm.

Ironically, however, the researchers discovered the operation when the French-speaking attackers committed a cloud-based faux pas of their own — they stored some of the data harvested from the victims in an AWS Simple Storage Service (S3) bucket that contained 2TB of data and was left open due to a misconfiguration by its owner, according to the post.

Related:Attackers Can Use QR Codes to Bypass Browser Isolation

"The S3 bucket was being used as a 'shared drive' between the attack group members, based on the source code of the tools used by them," the vpnMentor research team wrote in the post.

Among the data stolen in the operation included infrastructure credentials, proprietary source code, application databases, and even credentials to additional external services. The bucket also included the code and software tools used to run the operation, as well thousands of keys and secrets lifted from victim networks, the researchers said.

**Two-Part Attack Sequence**

The researchers ultimately reconstructed a two-step attack sequence of discovery and exploitation. Attackers began with a series of scripts to scan vast ranges of IPs belonging to AWS, looking for "known application vulnerabilities as well as blatant mistakes," according to the vpnMentor team.

Attackers employed the IT search engine Shodan to perform a reverse lookup on the IP addresses, using a utility in their arsenal to get the domain names associated with each IP address that exists within the AWS ranges to expand their attack surface. In an effort to further extend the domains list, they also analyzed the SSL certificate served by each IP to extract the domain names associated with it.

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

After determining the targets, they began a scanning process, first to find exposed generic endpoints and then to categorize the system, such as Laravel, WordPress, etc. Once this was done, they would perform further tests, attempting to extract database access information, AWS customer keys and secrets, passwords, database credentials, Google and Facebook account credentials, crypto public and private keys (for CoinPayment, Binance, and BitcoinD), and more from product-specific endpoints.

"Each set of credentials was tested and verified in order to determine if it was active or not," according to the post. "They were also written to output files to be exploited at a later stage of the operation."

When exposed AWS customer credentials were found and verified, the attackers also tried to check for privileges on key AWS services, including: identity and access management (IAM), Simple Email Service (SES), Simple Notification Service (SNS), and S3.

**Cyberattacker Attribution & AWS Response**

Related:Pegasus Spyware Infections Proliferate Across iOS, Android Devices

The researchers tracked the perpetrators via tools used in the operation, which "appear to be the same" as those used by ShinyHunters. The tools are documented in French and signed by "Sezyo Kaizen," an alias associated with Sebastien Raoult, a ShinyHunters member who was arrested and pleaded guilty to criminal charges earlier this year.

The researchers also recovered a signature used by the operator of a Dark Web market called "Nemesis Blackmarket," which focuses on selling stolen access credentials and accounts used for spam.

The researchers, who work out of Israel, reported their findings to the Israeli Cyber Directorate in early September, and then notified AWS Security in a report sent on Sept. 26. The company immediately took steps to mitigate the impact and alert affected customers of the risk, according to vpnMentor.

Ultimately, the AWS team found that the operation targeted flaws present on the customer application side of the shared responsibility cloud model and did not reflect any fault of AWS, which the researchers said they "fully agree with." The AWS security team confirmed they completed their investigation and mitigation on Nov. 9 and gave the researchers the green light to disclose the incident.

**How to Secure the Cloud IT Footprint**

Some steps organizations can take to avoid a similar attack against their respective cloud environments include making sure hardcoded credentials are never present in their code or even in their filesystem, where they might be accessed by unauthorized parties.

Organizations also should conduct simple Web scans using open source tools like "dirsearch" or  "nikto," which are often used by lazy attackers to identify common vulnerabilities. This will allow them to find holes in their environment before a malicious actor does, the researchers noted.

A Web application firewall (WAF) also is a relatively low-cost solution to block malicious activity, and it's also worthwhile to "roll" keys, passwords, and other secrets periodically, they said. Organizations also can create CanaryTokens in their code in secret places, the researchers noted, which act as tripwires to alert administrators that an attacker may be poking around where they shouldn't be.

Routh says the incident also provides a learning opportunity for organizations which, when presented with new technology options, should adjust and design cyber controls to achieve resilience rather than go with conventional control methods.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cybercrime Gangs Abscond With Thousands of AWS Credentials

SUMMARY Zimperium’s zLabs has shared its latest research with Hackread.com, ahead of its publishing on December 10. According…

****SUMMARY****

*   **AppLite Trojan:** A new, stealthy banking trojan targeting Android devices, capable of stealing banking credentials, crypto wallets, and sensitive data.

*   **Phishing Campaign:** Delivered via fake job offer emails mimicking HR teams from reputable companies, tricking victims into downloading malware.

*   **Advanced Capabilities:** AppLite intercepts SMS, logs keystrokes, captures screenshots, and bypasses two-factor authentication.

*   **Evasion Tactics:** Employs obfuscation, dynamic behavior changes, and command-and-control updates to avoid detection.

*   **Safety Measures:** Avoid suspicious links, download apps only from trusted sources, and keep devices updated with strong security protocols.

Zimperium’s zLabs has shared its latest research with _Hackread.com_, ahead of its publishing on December 10. According to their research, millions of job seekers are unknowingly falling victim to a new wave of mobile-targeted phishing (mishing) campaign. Report author Vishnu Pratapagiri explained that cybercriminals are targeting individuals seeking new opportunities by sending fraudulent emails disguised as job offers from HR teams at well-known companies.

This highly sophisticated mobile phishing campaign involves distributing a new variant of the dangerous Antidot banking trojan. This new strain, dubbed AppLite by Zimperium researchers, targets unsuspecting victims through cleverly crafted job offer emails. 

Further probing reveals that AppLite is a particularly dangerous variant of the Antidot banking trojan. It’s designed to target mobile devices, primarily Android, and can steal sensitive information, including banking credentials and cryptocurrency wallet details.

For your information, in March 2024, Cyble researchers discovered an Android malware strain called “Antidot,” which disguised itself as a fake Google update and distributed through phishing campaigns, including SMSishing. Once installed, it stole sensitive banking information.

The attack begins with a well-crafted phishing email that mimics a job offer from a reputable company sent by the attackers posing as legitimate recruiters or HR representatives from the organization. Victims are tricked into visiting a legitimate job application page and downloading a seemingly harmless application, which acts as a dropper for the actual malware. 

The malicious email (left) – The phishing site used in the attack (Via Zimperium)

“In a subsequent communication, the threat actors direct victims to download a purported CRM Android application. While appearing legitimate, this application functions as a malicious dropper, facilitating the deployment of the primary payload onto the victim’s device,” researchers noted.

When this malicious app is installed, it secretly downloads and installs the AppLite trojan, which then requests extensive permissions, including Accessibility Services to get full control over the device.

AppLite’s capabilities are extensive. It can intercept SMS messages, log keystrokes, capture screenshots, and even control the device’s camera and microphone. It can also intercept two-factor authentication codes and steal sensitive information from banking and cryptocurrency apps.

Attack flow (Via Zimperium)

The malware’s developers have implemented several techniques to evade detection. It uses obfuscation techniques to hide its malicious code and can modify its behaviour to adapt to different security measures. Additionally, it leverages a command-and-control server to receive updates and instructions from the attackers.

To stay safe, it is crucial to stay cautious when downloading apps, especially from unknown sources. Be wary of unsolicited emails and messages, and avoid clicking on suspicious links or downloading attachments. Keep your device’s operating system and security software up-to-date, and enable strong password protection and two-factor authentication.

Hackers Target Job Seekers with AppLite Trojan Using Fake Job Emails

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?**

The user must install and use a specially-crafted malicious application on their Android device.

CVE-2024-49057: Microsoft Defender for Endpoint on Android Spoofing Vulnerability

Researchers demonstrate a proof-of-concept cyberattack vector that gets around remote, on-premises, and local versions of browser isolation security technology to send malicious communications from an attacker-controlled server.

Source: Sasin Paraska via Shutterstock

Security researchers have found a way to bypass three types of browser isolation, which would allow a cyberattacker to send malicious data to a remote device by using QR codes.

Researchers from Mandiant demonstrated a proof-of-concept (PoC) that gets around remote, on-premises, and local browser isolation by overriding HTTP request-based communication with machine-readable QR codes. In this way, the technique allows attackers to send commands from a command-and-control (C2) server to a victim's device.

Browser isolation is often used by organizations to fight phishing threats, protect a device from browser-delivered attacks, and deter typical C2 tactics used by attackers. The technique runs a browser in a secure environment — such as a cloud server or virtual machine — and then streams the visual content to the user's device.

When browser isolation is being used, the remote browser handles everything from page rendering to executing JavaScript, with only the visual appearance of the webpage sent back to the user's local browser.

As attackers generally send commands to and from a victim's device through HTTP requests, browser isolation makes it challenging for attackers to remotely control a device in the typical way. That's because the HTTP response returned to the local browser contains only the streaming engine to render the remote browser's visual page contents, "and only a stream of pixels is sent to the local browser to visually render the webpage," Mandiant principal security consultant Thibault Van Geluwe de Berlaere wrote in the post. "This prevents typical HTTP-based C2 because the local device cannot decode the HTTP response."

Related:Cybercrime Gangs Abscond With Thousands of AWS Credentials

**Bypassing Browser Isolation With QR Codes**

Mandiant researchers developed a PoC that demonstrates how to get around browser isolation using the Puppeteer JavaScript library and the Google Chrome browser in headless mode. However, any modern browser can be used to achieve the PoC, Van Geluwe de Berlaere noted.

Instead of returning the C2 data in the HTTP request headers or body, as a typical attacker-controlled attempt to send commands to a device might, the C2 server returns a valid webpage that visually shows a QR code. "The implant then uses a local headless browser … to render the page, grabs a screenshot, and reads the QR code to retrieve the embedded data," Van Geluwe de Berlaere wrote.

"By taking advantage of machine-readable QR codes, an attacker can send data from the attacker-controlled server to a malicious implant even when the webpage is rendered in a remote browser."

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

In the attack sequence, the malicious implant visually renders the webpage from the browser isolation's pixel streaming engine and decodes the command from the QR code displayed on the page. It then retrieves a valid HTML webpage from the C2 server with the command data encoded in a QR code visually shown on the page.

The remote browser then returns the pixel-streaming engine back to the local browser, starting a visual stream that shows the rendered page obtained from the C2 server. The implant waits for the page to fully render, then grabs a screenshot of the local browser that contains the QR code, which the malicious implant reads to execute the C2 command on the compromised device.

The implant then goes through the local browser again to navigate to a new URL that includes the command output encoded in a URL parameter. This parameter is passed through to the remote browser and ultimately to the C2 server, which decodes the command output as in traditional HTTP-based C2.

**Challenges to Implementing the Bypass**

Though the PoC demonstrates how attackers can get around browser isolation, there are some limitations and challenges to consider when using it, the researchers noted.

One is that it's not feasible to use the PoC with QR codes that have the maximum data size — i.e., 2,953 bytes, 177x177 grid, Error Correction Level "L" — as "the visual stream of the webpage rendered in the local browser was of insufficient quality to reliably read the QR code contents," Van Geluwe de Berlaere explained. Instead, the researchers used QR codes containing a maximum of 2,189 bytes of content.

Related:Pegasus Spyware Infections Proliferate Across iOS, Android Devices

Moreover, the requests take at least five seconds to reliably show and scan the QR code due to the processing involved when using Chrome in headless mode, as well as the time it takes for the remote browser to start up, page-rendering requirements, and the stream of visual content from the remote browser back to the local browser. "This introduces significant latency in the C2 channel," he wrote.

Finally, the PoC does not consider other security features of browser isolation, such as domain reputation, URL scanning, data-loss prevention, and request heuristics, which may need to be overcome if they are present in the browser-isolation environment on which it is being used.

Despite the success of the bypass, Mandiant still recommends browser isolation as a strong protection measure against client-side browser exploitation and phishing attacks. However, Van Geluwe de Berlaere wrote, it should be used as one part of "a well-rounded cyber defense posture" that also includes monitoring for anomalous network traffic and browser in automation mode to defend against Web-based attacks.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Can Use QR Codes to Bypass Browser Isolation

Vanir automates the process of scanning source code to identify missing security patches.

Source: Art of Food via Alamy Stock Photo

NEWS BRIEF

Security updates in the Android ecosystem is a complex, multistage affair, with each downstream manufacturer responsible for incorporating security fixes and deploying them to individual user devices. Manufacturers have diverse device portfolios with different models running different versions of the Android operating system and related software, which means they are responsible for multiple update versions. As it currently stands, updating Android devices is both time-consuming and labor-intensive.

Vanir, Google's latest open source security patch validation tool, speeds up the process of figuring out which security patches are missing from the platform by scanning custom platform code using static code analysis. By automating this process, OEMs can identify missing security updates much faster than current methods, according to an announcement on the Google Security Blog.

Vanir, which has a 97% accuracy rate, covers 95% of all Android, Wear, and Pixel vulnerabilities that already have public fixes, the company said. Inside Google, Vanir is part of the build system and tests against over 1,300 vulnerabilities, saving internal teams "over 500 hours to date in patch fix time," according to Google.

The tool does not rely on metadata, such as version numbers, repository history, or build configurations, to identify which updates are missing. Instead, Vanir uses automatic signature refinement techniques and multiple pattern analysis algorithms. Google said these algorithms have low false-alarm rates, noting that in two years of testing Vanir, only 2.72% of signatures triggered false alarms.

"This allows Vanir to efficiently find missing patches, even with code changes, while minimizing unnecessary alerts and manual review efforts," the company said.

A single engineer used Vanir to generate signatures for over 150 vulnerabilities and verify missing security patches across downstream branches in just five days, Google noted.

While Vanir was originally introduced at Android Bootcamp back in April and is designed for Android, the tool can be adapted to other ecosystems and platforms with small modifications. Vanir can be used as a standalone application as well as a Python library. Users can integrate Vanir with their continuous builds or test chains by wiring the tool with Vanir scanner libraries.

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Google Launches Open Source Patch Validation Tool

DroidBot, a sophisticated Android RAT, is targeting individuals and financial institutions across Europe.

****KEY POINTS****

*   **DroidBot Discovery**: A new Android spyware, DroidBot, was identified in mid-2024, operating as Malware-as-a-Service (MaaS).

*   **Targets and Tactics**: It targets financial institutions and users by disguising itself as security or banking apps and exploiting Android Accessibility Services.

*   **Capabilities**: DroidBot can intercept messages, log keystrokes, capture screenshots, and remotely control devices.

*   **Affiliate Network**: Used by 17 affiliate groups, it has attacked 77 targets across Europe, with expansion likely.

*   **Prevention Tips**: Avoid unknown apps, update devices, and use reliable antivirus tools.

A recent discovery by Cleafy Labs has shed light on a new Android spyware threat dubbed DroidBot, identified in mid-2024 and operates on the MaaS (Malware-as-a-Service) operation model.

Similar to the legitimate Software-as-a-Service (SaaS) model, malware developers rent access to the malware in the MaaS model, making it easier for cybercriminals to launch attacks without requiring advanced technical expertise.

Spyware advert on a Russian forum (Credit: Cleafy Labs)

According to Cleafy Labs’ investigation, DroidBot is a sophisticated Android Remote Access Trojan (RAT) targeting financial institutions and individuals across Europe. This spyware is believed to have been developed by a Turkish-speaking group and leverages advanced techniques to steal sensitive information and control infected devices.

Research revealed that DroidBot is designed to target a wide range of victims, including banking customers, cryptocurrency exchange users, and government employees. It employs various tactics to compromise devices, such as disguising itself “as generic security applications, Google services, or popular banking apps,” and exploiting the Android Accessibility Services for its malicious activities.

After infecting your device, DroidBot can intercept SMS messages, log keystrokes, and capture screenshots of the device’s screen. It can also remotely control the device, allowing attackers to make calls, send messages, and access sensitive data.

This spyware offers a combination of hidden VNC and overlay capabilities with spyware-like features. It includes a keylogger and monitoring routines, enabling user interception, making it a potent tool for surveillance and credential theft.

Additionally, DroidBot’s dual-channel communication mechanism allows for outbound data transmission using the MQTT protocol, which was also used by Copybara and BRATA/AmexTroll banking trojans, and inbound commands over HTTPS, enhancing its operational flexibility and resilience.

The most concerning aspect of DroidBot is that it operates on the MaaS model with 17 distinct affiliate groups identified each using a unique identifier. This allows cybercriminals to rent access to the malware, making it easier for them to launch attacks without requiring advanced technical expertise.

“At the time of analysis, 77 distinct targets have been identified, including banking institutions, cryptocurrency exchanges, and national organisations, underscoring its potential for widespread impact,” researchers noted in the blog post.

DroidBot is currently in active development, with some functions like root checks being placeholders and features varying between samples. Despite these inconsistencies, the malware has demonstrated potential, targeting users in the UK, Italy, France, Spain, Turkey, and Portugal, and a probable expansion into Latin American regions.

“Within the code, we can see that this information is customised for 4 main languages: **English**, **Italian**, **Spanish**, and **Turkish**,” Cleafy Labs revealed.

To protect yourself from DroidBot and similar threats, be cautious when downloading apps from unknown sources, keep your devices updated with the latest security patches and use reliable antivirus software.

1.  **First Mobile Crypto Drainer on Google Play Steals $70K**
2.  **Spyware Found in Google Play Store Apps, 2m Downloads**
3.  **Google Removes Swing VPN App Exposed as DDoS Botnet**
4.  **Malware infected Minecraft modpacks hit Google Play Store**
5.  **These 8 Apps on Play Store Contain Android/FakeApp Trojan**
6.  **35 malicious apps found on Google Play, installed by 2m users**

Tag

#android