DroidLock: Malware Built for Extortion, Device Takeover, and Insider Threat Risk in Spain
https://www.technadu.com/droidlock-malware-build-for-extortion-device-takeover-and-insider-threat-risk-in-spain/615553/

DroidLock is an Android malware campaign using phishing sites and Accessibility abuse to enable full device takeover. Capabilities include PIN changes, full wipes, screen recording, camera capture, and credential theft via dual overlay screens.

BYOD devices pose additional insider-risk implications due to accessible MFA codes and internal accounts.

Which detection controls do you consider most effective against Android Accessibility-abusing malware?

#CyberSecurity #AndroidMalware #DroidLock #MobileSecurity #ThreatIntel #Spain #TechNadu
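One concrete answer to the detection question above, as an added example rather than anything published by TechNadu or the DroidLock researchers: a Python triage script that flags apps combining the two capabilities this family depends on, an enabled AccessibilityService and the draw-over-apps (SYSTEM_ALERT_WINDOW) permission that overlay screens need. It consumes text a practitioner collects over `adb shell` (`settings get secure enabled_accessibility_services`, `pm list packages -3 -i`, `appops get <pkg> SYSTEM_ALERT_WINDOW`); the sample outputs, the allowlisted TalkBack service and the package name `com.example.secureupdate` are constructed for the example, and the output formats are assumed to match current Android builds.

```python
"""
Flag Android apps that combine an enabled AccessibilityService with the
SYSTEM_ALERT_WINDOW (overlay) permission, the pairing that Accessibility-
abusing malware such as DroidLock relies on for takeover and overlays.
Input is the raw text of three adb commands; the samples below are constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Assumption: only TalkBack is expected in this fleet; extend per environment.
ALLOWED_ACCESSIBILITY = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play store

def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Parse `settings get secure enabled_accessibility_services`.
    The value is colon-separated `package/Service` entries; a leading dot in
    the class name means it is relative to the package. Returns
    (package, fully-qualified service) pairs; 'null' means nothing enabled."""
    out = []
    for entry in raw.strip().split(":"):
        if not entry or entry == "null":
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        out.append((pkg, f"{pkg}/{cls}"))
    return out

def parse_installers(raw: str) -> dict[str, str]:
    """Parse `pm list packages -3 -i` lines of the form
    'package:<pkg>  installer=<source or null>'."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def overlay_allowed(appops_raw: str) -> bool:
    """Parse `appops get <pkg> SYSTEM_ALERT_WINDOW`; 'allow' = overlays permitted."""
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_raw)
    return bool(m) and m.group(1) == "allow"

@dataclass
class Finding:
    package: str
    service: str
    reasons: list[str] = field(default_factory=list)

def assess(enabled_raw: str, installers_raw: str,
           appops_by_pkg: dict[str, str]) -> list[Finding]:
    """Return one Finding per non-allowlisted enabled accessibility service,
    annotated with install source and overlay capability."""
    findings = []
    installers = parse_installers(installers_raw)
    for pkg, svc in parse_enabled_services(enabled_raw):
        if svc in ALLOWED_ACCESSIBILITY:
            continue
        reasons = ["accessibility service enabled but not allowlisted"]
        src = installers.get(pkg)
        if src is not None and src not in TRUSTED_INSTALLERS:
            # installer=null is typical of a sideloaded APK (adb, browser, file manager)
            reasons.append(f"not installed from a trusted store (installer={src})")
        if overlay_allowed(appops_by_pkg.get(pkg, "")):
            reasons.append("SYSTEM_ALERT_WINDOW allowed: overlay capable")
        findings.append(Finding(pkg, svc, reasons))
    return findings

# Constructed sample data standing in for the three adb outputs.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.secureupdate/.ProtectService"
)
SAMPLE_INSTALLERS = """package:com.example.secureupdate  installer=null
package:com.bank.app  installer=com.android.vending
"""
SAMPLE_APPOPS = {
    "com.example.secureupdate": "SYSTEM_ALERT_WINDOW: allow; time=+3h20m12s315ms ago",
    "com.bank.app": "SYSTEM_ALERT_WINDOW: deny",
}

if __name__ == "__main__":
    for f in assess(SAMPLE_ENABLED, SAMPLE_INSTALLERS, SAMPLE_APPOPS):
        print(f.package, f.service)
        for r in f.reasons:
            print("  -", r)
```

On a managed fleet the same three facts are usually available from the MDM inventory rather than adb; the point is the correlation: a sideloaded app that is both an enabled accessibility service and overlay-capable deserves a block, not a warning.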

New Android malware ‘Sturnus’ can steal banking logins and read WhatsApp, Telegram and Signal messages by bypassing encryption. Experts warn of rising attacks. https://english.mathrubhumi.com/technology/sturnus-android-trojan-malware-steals-bank-logins-encrypted-chats-wsyspv25?utm_source=dlvr.it&utm_medium=mastodon #AndroidMalware #Sturnus #CyberSecurity #AndroidThreat #Security

How Hackers Read Your Signal, WhatsApp & Telegram Messages

https://techlore.tv/w/ckXp7Sj2sxqgL17mgjQgsP

⚠️ Surge in #NFC relay malware on Android
➡️ 760+ malicious apps abusing Host Card Emulation (HCE)
➡️ Masquerading as banks like Santander, VTB & Tinkoff
➡️ Stealing EMV payment data via Telegram C2 networks

Researchers warn - this new class of “tap-and-steal” malware is spreading fast.

💬 Thoughts on mitigating NFC misuse in production Android environments?
Follow @technadu for expert #infosec & #mobilethreat updates.

#CyberSecurity #MobileSecurity #NFCSecurity #AndroidMalware #PaymentFraud #HCE #ThreatIntel #Zimperium #CyberThreats #FinTechSecurity

Alright team, it's been a pretty packed 24 hours in the cyber world! We've got updates on nation-state breaches, some nasty new malware, critical vulnerabilities under active exploitation, and some significant discussions around AI and data privacy. Let's dive in:

F5 Nation-State Breach Update 🛡️
- F5 has provided an update on the nation-state attack disclosed on 15 October, confirming the attacker had prolonged access to their systems.
- The incident led to emergency updates for BIG-IP software/hardware and the theft of some customer configuration data and 44 undisclosed vulnerabilities.
- F5 claims the impact on customers was "limited" and the exfiltrated data "not sensitive," while also boosting security with CrowdStrike EDR for BIG-IP and an enhanced bug bounty program.
🤫 CyberScoop | https://cyberscoop.com/f5-attack-limited-impact-earnings-call/

Gmail "Breach" Reports Debunked 📧
- Reports circulating about a "massive Gmail breach" affecting 183 million accounts have been clarified as false by Google.
- The confusion stemmed from a misunderstanding of aggregated infostealer logs, which contain old, recycled credentials, not evidence of a new Gmail intrusion.
- Google reiterates its strong defences and active monitoring, prompting password resets for affected users when old credentials resurface.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/28/gmail_breach_fake_news/

SideWinder APT Evolves Attack Chain 🐍
- The SideWinder APT group is targeting South Asian diplomats with a new infection chain using malicious PDFs and ClickOnce applications.
- Spear-phishing emails deliver malware like ModuleInstaller and StealerBot, designed for extensive data collection including screenshots, keystrokes, and passwords.
- Attackers employ sophisticated evasion techniques, including legitimate signed executables, region-locked C2 communications, and dynamic payload paths.
👾 The Hacker News | https://thehackernews.com/2025/10/sidewinder-adopts-new-clickonce-based.html

BlueNoroff's GhostCall & GhostHire Campaigns 👻
- North Korean-linked BlueNoroff (Lazarus Group sub-cluster) is actively targeting Web3 and blockchain sectors with new campaigns: GhostCall and GhostHire.
- GhostCall uses fake Zoom/Microsoft Teams calls to deploy macOS malware, while GhostHire lures Web3 developers with booby-trapped GitHub job assessment projects.
- These campaigns deploy a range of sophisticated malware (e.g., DownTroy, CosmicDoor, RooTroy) to harvest credentials and sensitive data from development environments, cloud platforms (AWS, Google Cloud, Azure), and communication tools, with generative AI reportedly accelerating malware development.
👾 The Hacker News | https://thehackernews.com/2025/10/researchers-expose-ghostcall-and.html

Herodotus Android Malware Mimics Humans 🤖
- A new Android banking trojan, Herodotus, has been discovered, capable of full device control to steal from banking and crypto apps.
- Its unique evasion technique involves mimicking human typing with random pauses when inputting stolen credentials or transaction details, making automated detection harder.
- Observed in active campaigns in Italy and Brazil, disguising itself as legitimate banking security apps, highlighting the need for advanced fraud controls beyond simple keystroke analysis.
🗞️ The Record | https://therecord.media/android-malware-mimics-humans-avoid-detection

WSUS RCE Under Active Exploitation 🚨
- A critical RCE vulnerability, CVE-2025-59287, in Windows Server Update Services (WSUS) is under active exploitation by a new threat actor, UNC6512.
- This unauthenticated deserialization flaw affects Windows Server 2012-2025, allowing arbitrary code execution on exposed WSUS instances.
- Microsoft's initial patch was incomplete, leading to emergency updates, and telemetry shows widespread exploitation attempts, with attackers focusing on initial access and internal reconnaissance.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/27/microsoft_wsus_attacks_multiple_orgs/

AI Browsers Vulnerable to Prompt Injection 🧠
- New AI browsers like OpenAI's Atlas, Comet, and Fellou are highly susceptible to prompt injection, both direct and indirect, and cross-site request forgery.
- Attackers can manipulate web content (e.g., hidden text, malicious URLs) to inject commands, leading to data exfiltration, malicious actions (like deleting files), or poisoning the AI's memory.
- Security experts consider prompt injection an "unsolved security problem" inherent to LLMs, urging vendors to implement low privileges, human consent, vetted sources, and robust output controls.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/28/ai_browsers_prompt_injection/
🤫 CyberScoop | https://cyberscoop.com/openai-atlas-splx-research-cloaking-attacks-browser-agents/

Chatbots Parrot Russian Propaganda 🇷🇺
- A study by the Institute for Strategic Dialogue (ISD) found popular chatbots (ChatGPT, Gemini, Grok, DeepSeek) cited Russian state-attributed sources in up to 25% of answers about the Ukraine war.
- This "LLM grooming" technique involves miscreants laundering state media talking points online to influence AI models, with biased or malicious prompts increasing the likelihood of pro-Kremlin content.
- Google's Gemini performed best by implementing safety guardrails, but the findings raise serious concerns about AI's role in disinformation and the enforceability of sanctions on state-backed media.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/28/chatbots_still_parrot_russian_state/

Human Cost of MoD Afghan Data Breach 💔
- New research submitted to the UK Parliament reveals the devastating human toll of the Ministry of Defence's 2022 Afghan relocation scheme data breach.
- The leak directly led to threats, violent assaults, and even the deaths of family members and colleagues for 49 of the 231 affected individuals, with 87% reporting other personal risks.
- The report highlights severe mental health impacts and calls for urgent government action, including expedited relocations and redress for all affected Afghans.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/28/impact_afghan_data_breach/

Clearview AI Faces Criminal Charges in EU ⚖️
- Privacy advocacy group Noyb has filed a criminal complaint against Clearview AI in Austria for repeatedly ignoring over $100 million in EU GDPR fines.
- Clearview AI's practice of scraping social media images for facial recognition without consent has been deemed illegal across Europe, but the company has largely evaded enforcement.
- The complaint leverages Article 84 of GDPR, which allows criminal proceedings against managers of organisations flouting data protection laws, aiming to set a precedent for cross-border enforcement.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/28/noyb_criminal_charges_clearview/

US Declines UN Cybercrime Treaty 🌐
- The United States notably declined to sign the landmark UN Convention against Cybercrime, which was signed by over 70 countries including the UK, EU, China, and Russia.
- The treaty aims to create a global mechanism for coordinating against digital crime, facilitating electronic evidence sharing, and criminalising internet-dependent offenses.
- The US State Department is "reviewing" the treaty, which has faced criticism from the tech industry and human rights groups over concerns it could criminalise cybersecurity research and enable broad surveillance by authoritarian regimes.
🗞️ The Record | https://therecord.media/us-declines-signing-cybercrime-treaty

NYPD Surveillance System Lawsuit 👁️
- The Surveillance Technology Oversight Project (STOP) is suing the NYPD, alleging its Domain Awareness System (DAS) is unconstitutional.
- DAS, a partnership with Microsoft since 2012, integrates citywide cameras, biometrics, digital communication monitors, and data analytics to track and profile New Yorkers.
- The lawsuit argues DAS violates constitutional rights to freedom of speech and protection from unreasonable searches, with newly obtained records showing its extensive data aggregation capabilities accessible to all NYPD officers.
🗞️ The Record | https://therecord.media/nypd-domain-awareness-system-civil-rights-lawsuit

#CyberSecurity #ThreatIntelligence #Vulnerabilities #RCE #WSUS #APT #SideWinder #BlueNoroff #Malware #AndroidMalware #PromptInjection #AIDisinformation #DataPrivacy #GDPR #CybercrimeTreaty #Surveillance #InfoSec #IncidentResponse

F5 asserts limited impact from prolonged nation-state attack on its systems

The networking software and security company claims most customers are not concerned about their configuration data stolen during the attack.

Your smartphone might soon be acting on its own. Herodotus Android malware is learning your every tap to outsmart security. How safe is your mobile life?

https://thedefendopsdiaries.com/herodotus-android-malware-the-next-evolution-in-cyber-deception/

#androidmalware
#cyberdeception
#mobilethreats
#aiincybersecurity
#malwareevasion

🚨 Android Spyware Alert: ProSpy & ToSpy
ESET has discovered Android spyware campaigns targeting Signal and ToTok users.

These malicious apps, distributed via fake websites, exfiltrate contacts, SMS, media, and device data.

⚠️ Do NOT install apps from unofficial sources! Stay vigilant.
💬 How can mobile users and organizations improve defenses against spyware? Discuss & follow @technadu for cybersecurity alerts.

#ProSpy #ToSpy #AndroidMalware #CyberSecurity #MobileSecurity #SpywareAlert #Privacy #Infosec #ThreatIntel

Imagine your phone being hijacked like a remote desktop—Klopatra malware uses VNC to let hackers control your Android in real time. Could your device be next?

https://thedefendopsdiaries.com/klopatra-the-vnc-enabled-android-malware-redefining-mobile-threats/

#androidmalware
#klopatra
#vncsecurity
#mobilethreats
#cybersecurity2025

Klopatra: The VNC-Enabled Android Malware Redefining Mobile Threats

Explore how Klopatra malware uses VNC for remote Android access, keylogging, and advanced evasion, redefining mobile security threats in 2025.

⚠️ Android malware shift → droppers now push spyware & SMS stealers, not just banking trojans.
- Fake apps (gov’t + banking) are spreading in India & Asia.
- Droppers bypass Play Protect until the user clicks Update.
- Also: Facebook Ads abused to spread fake TradingView apps with the Brokewell trojan in the EU.

💬 Are app store protections keeping up, or is this still user-error driven?
Follow @technadu for mobile threat intel.

#AndroidMalware #CyberSecurity #Spyware #MobileThreats

Alright team, it's been a pretty packed 24 hours in the cyber world! We've got a mix of recent breaches, a critical Docker vulnerability, some clever new AI attack techniques, and a few significant regulatory moves. Let's dive in:

Recent Cyber Attacks & Breaches

- Electronics manufacturer Data I/O, a supplier to major automotive and tech firms, has reported significant operational disruptions following a ransomware attack on August 16th.
- The incident impacted internal and external communications, shipping, manufacturing, and other support functions, with a full restoration timeline currently unknown.
- This highlights how ransomware can cripple multiple business processes, even for companies serving critical supply chains, underscoring the need for robust incident response and recovery plans.
🤫 CyberScoop | https://cyberscoop.com/dataio-ransomware-attack/

- Maryland's Transit Administration (MTA) is investigating a cyberattack that has impacted systems used to organise transportation for disabled people, specifically their "Mobility" service.
- While core bus, subway, and light rail services remain unaffected, the incident has prevented new trip scheduling and rebooking, and impacted real-time information and call centres.
- This is another stark reminder of how cyberattacks can directly affect vulnerable populations and critical public services, necessitating immediate and effective mitigation strategies.
🗞️ The Record | https://therecord.media/maryland-cyberattack-transit-disabled-people

- Farmers Insurance has disclosed a data breach impacting 1.1 million customers, with BleepingComputer confirming the data was stolen via the widespread Salesforce supply chain attacks. Exposed data includes names, addresses, dates of birth, driver's license numbers, and the last four digits of SSNs.
- Separately, French retailer Auchan is notifying hundreds of thousands of customers about a cyberattack that exposed loyalty account data, including full names, postal addresses, email, phone numbers, and loyalty card numbers, though bank data and passwords were not impacted.
- These incidents underscore the persistent threat of supply chain attacks (like the Salesforce vishing campaign by UNC6040/UNC6240/ShinyHunters/Scattered Spider) and the broad impact of data breaches on customer privacy, even when sensitive financial data isn't directly compromised.
🗞️ The Record | https://therecord.media/farmers-insurance-million-data-breach
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/auchan-retailer-data-breach-impacts-hundreds-of-thousands-of-customers/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/farmers-insurance-data-breach-impacts-11m-people-after-salesforce-attack/

- US authorities, with assistance from major tech firms like AWS, Cloudflare, and Google, have charged Oregon resident Ethan Foltz, 22, for allegedly operating the Rapper Bot DDoS network.
- The botnet, comprising up to 95,000 infected machines (many being WiFi routers and DVRs), launched over 370,000 attacks, some reaching 6 terabits per second, targeting a US government agency, a social media platform, and tech companies.
- This successful takedown highlights the ongoing collaboration between law enforcement and industry partners in disrupting large-scale cybercrime operations and holding perpetrators accountable.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/08/25/infosec_in_brief/

- South Korean police have arrested a Chinese national, identified as Jeon, suspected of leading a hacking ring that stole over $29 million from wealthy victims, including BTS singer Jungkook.
- The group allegedly exploited Korean telecom websites to steal personal data, then used it to open mobile phone accounts and access victims' bank and cryptocurrency accounts.
- This case demonstrates the global reach of cybercrime and the importance of international cooperation (Interpol, Thai officials) in tracking and apprehending threat actors.
🗞️ The Record | https://therecord.media/south-korea-arrests-hacker-accused-of-targeting-celebrities-bts

Vulnerabilities

- A critical Server-Side Request Forgery (SSRF) vulnerability, CVE-2025-9074 (CVSS 9.3), has been discovered in Docker Desktop for Windows and macOS, allowing malicious containers to compromise the host.
- The flaw enables unauthenticated access to the Docker Engine API from within any container, even with Enhanced Container Isolation (ECI) active, allowing attackers to launch new containers and access host files.
- On Windows, this can lead to full administrator privileges by mounting the host filesystem and overwriting system DLLs, while macOS is safer due to additional isolation layers, though backdooring remains a risk. Docker Desktop version 4.44.3 addresses this.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/critical-docker-desktop-flaw-lets-attackers-hijack-windows-hosts/
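A quick exposure check for the Docker Desktop flaw above, written here as an added example (not code from Docker or the researcher who reported CVE-2025-9074). Run inside any container on a Docker Desktop host: if the Engine API answers `/version` without authentication, that container can drive the host's Docker Engine. The endpoint address is an assumption taken from public write-ups of the bug rather than from this page, so treat it as a parameter; the version comparison is against the fixed release the article names, 4.44.3, using the Docker Desktop version shown in its About dialog.

```python
"""
Probe for the CVE-2025-9074 exposure: the Docker Engine API reachable
unauthenticated from inside a container on Docker Desktop.
Run from within a container; only standard-library modules are used.
"""
import json
import socket
import urllib.error
import urllib.request

# Assumption: internal Engine endpoint cited in public write-ups of the flaw.
# The article above does not name it; override on the command line if it differs.
DEFAULT_ENDPOINT = "http://192.168.65.7:2375"
FIXED_DESKTOP_VERSION = (4, 44, 3)  # Docker Desktop release that addresses the bug

def probe_engine_api(base_url: str, timeout: float = 2.0) -> dict:
    """GET <base_url>/version with no credentials.
    Returns {'reachable': bool, 'version': str|None, 'detail': str}.
    Any HTTP response at all means the socket is open to the container."""
    url = base_url.rstrip("/") + "/version"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = json.loads(resp.read().decode("utf-8", "replace"))
            return {"reachable": True, "version": body.get("Version"),
                    "detail": f"HTTP {resp.status}"}
    except urllib.error.HTTPError as e:
        return {"reachable": True, "version": None, "detail": f"HTTP {e.code}"}
    except (urllib.error.URLError, socket.timeout, OSError) as e:
        return {"reachable": False, "version": None, "detail": str(e)}

def desktop_version_is_patched(version: str) -> bool:
    """Compare a Docker Desktop version string such as '4.44.2' against the fix.
    Missing components are treated as zero ('4.43' -> 4.43.0)."""
    parts = tuple(int(p) for p in version.strip().split(".")[:3])
    parts += (0,) * (3 - len(parts))
    return parts >= FIXED_DESKTOP_VERSION

if __name__ == "__main__":
    import sys
    endpoint = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ENDPOINT
    result = probe_engine_api(endpoint)
    if result["reachable"]:
        print(f"EXPOSED: Engine API answered at {endpoint} ({result['detail']}), "
              f"engine version {result['version']}; containers can reach the host engine")
    else:
        print(f"not reachable from this container: {result['detail']}")
```

A negative result from one container is not proof of safety, since the exposed endpoint is what the fix removes; confirm the Desktop version as well, and on Windows remember the article's point that reaching the API is enough to mount the host filesystem.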

New Threat Research & Techniques

- Zscaler's ThreatLabs identified 77 malicious Android apps, with over 19 million installs, delivering various malware families including adware, Joker, Harly, and the Anatsa (Tea Bot) banking trojan.
- Joker malware can read/send SMS, take screenshots, make calls, steal contacts, and subscribe users to premium services, while Anatsa now targets 831 banking/crypto apps and includes a keylogger.
- Google has removed the reported apps, but users are urged to keep Play Protect active, only trust reputable publishers, review app permissions carefully, and take immediate action with their banks if Anatsa is suspected.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/malicious-android-apps-with-19m-installs-removed-from-google-play/

- Researchers at Trail of Bits have developed a new attack method that injects malicious prompts into images, invisible to the human eye, which become apparent when the image is downscaled by AI systems.
- This technique exploits image resampling algorithms (like bicubic interpolation) to reveal hidden text that the AI model then interprets as part of the user's instructions, potentially leading to data leakage or other unauthorised actions.
- The attack has been demonstrated against Google Gemini CLI, Vertex AI Studio, Gemini's web interface/API, Google Assistant, and Genspark, highlighting a widespread vector that requires AI systems to implement dimension restrictions, provide user previews, and seek explicit confirmation for sensitive tool calls.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-ai-attack-hides-data-theft-prompts-in-downscaled-images/
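To make the resampling point concrete, here is an added example in pure Python (not Trail of Bits' tooling, which targets bicubic and bilinear kernels as well): the nearest-neighbour case, where a downscale by an integer factor keeps exactly one source pixel per output pixel. An attacker who knows the factor and which pixel is sampled places the payload only at those positions and fills everything else with benign near-white, so the full-size image looks blank while the model's downscaled copy shows the payload. Images are greyscale lists of rows, the payload bitmap and scale factor are constructed for the example, and the sampling offset is a parameter because it differs between libraries (floor-style samplers take the block's first pixel, centre-style samplers its middle), which is why fingerprinting the downscaler is part of the attack.

```python
"""
Nearest-neighbour image-scaling injection: craft a high-resolution image that
looks uniform but downscales to a chosen bitmap, and contrast it with an
area (box-filter) resize and with a user-facing preview of the scaled image.
Greyscale only: 0 = black ink, 255 = white. All inputs below are constructed.
"""
FACTOR = 4  # assumption: the preprocessor shrinks each axis by 4x

# Constructed 5x5 bitmap the downscaled image will reveal (1 = ink)
PAYLOAD = [
    "11111",
    "10001",
    "10001",
    "10001",
    "11111",
]

def craft(payload, factor=FACTOR, offset=0, benign=250, ink=0):
    """High-res image that downscales to `payload` under nearest-neighbour
    sampling at `offset` within each factor x factor block. Only 1/factor^2
    of the pixels carry ink, so at full size the image reads as blank."""
    h, w = len(payload), len(payload[0])
    img = [[benign] * (w * factor) for _ in range(h * factor)]
    for r in range(h):
        for c in range(w):
            if payload[r][c] == "1":
                img[r * factor + offset][c * factor + offset] = ink
    return img

def nearest_downscale(img, factor=FACTOR, offset=0):
    """Keep one pixel per block: the one at `offset` in each axis."""
    return [row[offset::factor] for row in img[offset::factor]]

def area_downscale(img, factor=FACTOR):
    """Box-filter resize: every pixel in the block contributes, so a single
    ink pixel is diluted to 1/factor^2 of its contrast."""
    h, w = len(img) // factor, len(img[0]) // factor
    out = []
    for r in range(h):
        row = []
        for c in range(w):
            block = [img[r * factor + i][c * factor + j]
                     for i in range(factor) for j in range(factor)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out

def ink_fraction(img, threshold=128):
    """Share of pixels darker than `threshold`; what a human viewer 'sees'."""
    total = sum(len(row) for row in img)
    dark = sum(1 for row in img for p in row if p < threshold)
    return dark / total

def as_text(img, threshold=128):
    """Render a small image as '#'/'.' rows, i.e. the preview a user should be
    shown of what the model actually receives after scaling."""
    return ["".join("#" if p < threshold else "." for p in row) for row in img]

if __name__ == "__main__":
    hi = craft(PAYLOAD)
    print(f"full-size image: {ink_fraction(hi):.1%} of pixels are ink")
    print("what a nearest-neighbour downscaler hands the model:")
    print("\n".join(as_text(nearest_downscale(hi))))
    print("same image through an area downscaler:")
    print("\n".join(as_text(area_downscale(hi))))
```

The two mitigations the article lists map directly onto the functions: a preview built from the scaled image (`as_text(nearest_downscale(...))`) shows the user the payload the model sees, and restricting input dimensions so no resampling happens removes the sampling step the attacker depends on. Note that merely switching to an area filter is not a fix in general, since the bicubic variant the researchers demonstrated is built for exactly that class of kernel.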

- Perplexity's Comet, an AI browser, has shown concerning security flaws, including an inability to distinguish between real and fake e-commerce sites and susceptibility to prompt injection attacks that can bypass CAPTCHA.
- These prompt injection attacks could allow an attacker to control the AI, enabling it to send emails with personal details, grant file-sharing permissions, or execute other actions its permissions allow.
- The ease with which Comet was fooled raises significant concerns about the security of agentic AI browsers and the potential for attackers to leverage AI to automate and scale social engineering tactics.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/08/25/infosec_in_brief/

Data Privacy

- The University of Melbourne used Wi-Fi location data to identify students participating in a sit-in protest in July 2024, leading to an investigation by Victoria’s Office of the Information Commissioner.
- While CCTV use was deemed not to breach privacy, the use of Wi-Fi data was, as the university's policies lacked sufficient detail, meaning students couldn't make an informed choice about using the network.
- The university has since changed its policies, but this incident serves as a critical reminder for organisations to ensure transparency and clear policies regarding the collection and use of location data, especially in sensitive contexts.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/08/25/asia_tech_news_in_brief/

Regulatory & Government Issues

- Senator Ron Wyden has urged Supreme Court Chief Justice John Roberts to commission an independent review of federal court cybersecurity, citing "incompetence" and "negligence" following recent breaches.
- Hackers reportedly stole sealed case data from federal district courts, exploiting vulnerabilities left unfixed for five years, with alleged Russian hackers suspected in this and a 2020 intrusion.
- Wyden criticised the judiciary's "glacial speed" in adopting phishing-resistant multi-factor authentication and accused them of "covering up" their failures, highlighting a severe national security threat due to mishandling sensitive information.
🤫 CyberScoop | https://cyberscoop.com/blistering-wyden-letter-seeks-review-of-federal-court-cybersecurity-citing-incompetence-negligence/
🗞️ The Record | https://therecord.media/wyden-probe-federal-judiciary-data-breaches

- The Federal Communications Commission (FCC) has blocked over 1,200 voice service providers from accessing the US phone network for failing to comply with anti-robocall regulations, marking its largest enforcement action.
- These providers violated rules requiring accurate certifications in the Robocall Mitigation Database and STIR/SHAKEN caller authentication protocols, which verify caller identity.
- This aggressive move aims to combat the persistent issue of robocalls, which remain a top consumer complaint, and underscores the FCC's commitment to enforcing compliance, even as robocallers adapt their tactics.
🤫 CyberScoop | https://cyberscoop.com/fcc-robocall-action-operation-robocall-roundup/

- A senior Russian official has indicated the government is considering blocking Google Meet, following brief disruptions last week, as part of a broader crackdown on foreign tech deemed a national security threat.
- This move aligns with Russia's ongoing efforts to promote state-backed alternatives, such as the Max messaging app, and follows recent restrictions on voice and video calls on WhatsApp and Telegram.
- The potential ban highlights Russia's increasing digital sovereignty ambitions and its willingness to restrict Western services, accusing them of enabling surveillance or facilitating illicit activities.
🗞️ The Record | https://therecord.media/russia-google-meet-ban-crackdown

Everything Else

- Microsoft has unveiled its Quantum Safe Program Strategy, aiming to harden its operating systems, cryptographic protocols, and applications against future quantum computer attacks.
- The company plans to introduce quantum safeguards starting in 2029 and roll them out across its entire codebase by 2033, ahead of the US government's deadline.
- This proactive approach addresses the "harvest now, decrypt later" threat, where malicious actors collect encrypted data today with the intent to decrypt it using future quantum capabilities, emphasising the immediate need for transition to quantum-safe cryptography.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/08/25/infosec_in_brief/

- Former US Navy Petty Officer Jinchao Wei has been found guilty of stealing valuable missile technology and critical systems, selling them to the Chinese government for less than $15,000.
- Over 18 months, Wei passed more than 55 classified military manuals on ships and their systems, as well as information on restricted naval base areas, demonstrating a severe betrayal of trust.
- This conviction underscores the persistent threat of insider espionage and the critical importance of national security clearances and robust counter-intelligence measures within military and government organisations.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/08/25/infosec_in_brief/

#CyberSecurity #ThreatIntelligence #Ransomware #DataBreach #Vulnerability #Docker #AI #PromptInjection #AndroidMalware #DDoS #Cybercrime #DataPrivacy #Regulatory #InfoSec #CyberAttack #IncidentResponse

Data I/O reports business disruptions in wake of ransomware attack

The electronics manufacturer and software vendor serves major automotive suppliers and top tech firms.