Deleted 8 times on WeChat. Permanently suspended on X/Twitter.

The research: 28 CVEs, 3 RCE chains, unauthenticated national digital currency access.

Regulators engaged: CNPD, CSSF, HKMA, PDPC, CNNVD, CIRCL.

Surviving copies:
IPFS: gateway.pinata.cloud/ipfs/QmWUnbmgHsb3BMLufJWhzVaaZqd8j7XMjN2YVUmAGRGJ4C
Web: innora.ai/zfb/
Code: github.com/sgInnora/alipay-securityguard-analysis

If you're in mobile sec: peer review on the Lua VM RCE chain welcome. DMs open.

#InfoSec #censorship #AndroidSecurity

When the signature verifier is itself remotely replaceable...

PatchProxy controls 146,173 methods in Alipay, including verifyApk() — the trust anchor recursively under attacker control. Turtles all the way down.

Batch-3 filed (10 new, 28 total):
- PatchProxy RCE: CVSS 9.8
- Lua VM RCE: CVSS 9.8
- Payment auth bypass: CVSS 9.1

Details: innora.ai/zfb/

#AndroidSecurity #RCE #ReverseEngineering

This article more eloquently phrases how I feel about the new #android #sideloading rules: https://www.androidauthority.com/i-dont-recognize-android-i-fell-in-love-with-3650462/ I pretty much agree with everything that this journalist is saying.

The new rules might cause some friction -- but they generally make Android safer for everyone.

And that's always a good thing.

#googleandroid #androidsecurity

I don't recognize the Android I fell in love with anymore

Android has shifted under our eyes over the last 18 years, from open and free to dozens of obstacles and restrictions. Was it a victim of its own success?

Android Authority

Android sideloading is getting a new speed bump: Google will require a 24-hour wait before installing apps from unverified developers, a move supposedly meant to make malware and scam-driven installs harder to pull off.

https://thehackernews.com/2026/03/google-adds-24-hour-wait-for-unverified.html

#AndroidSecurity #Cybersecurity #Malware #MobileSecurity #Google

Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams

Google adds 24-hour sideloading delay amid 17 malware families in 4 months, reducing scam-driven installs and device compromise risk.

The Hacker News

Perseus Android trojan scans notes for crypto seeds & enables full device takeover via Accessibility abuse.

Advanced evasion marks next-gen mobile threats.

https://www.technadu.com/perseus-malware-based-on-phoenix-and-cerberus-predecessors-initiates-android-device-takeovers-targets-users-personal-notes/623847/

#Infosec #AndroidSecurity #ThreatIntel

Areizen presents «Reverse Engineering Android - Part II» (ENSIBS, 2019), a must for anyone who wants to dig into the inner workings of Android apps! Ideal for devs & mobile security researchers. Slides and resources included, check it out! #ReverseEngineering #Android #AndroidSecurity #Sécurité #CyberSécurité #Hack2G2 #Areizen #French
https://videos.hack2g2.fr/videos/watch/989d8cb2-fb53-48b2-8b87-05c74ecaa601
Reverse Engineering Android - Part II - Areizen

PeerTube

🔓 Reverse Engineer Android Apps Hands-On!

ANDROID APP TRICKS: DEFENSES AND BYPASSES (2h Workshop) with Dr. ALEKSANDR PILGUN

See how attackers target your favourite Android apps! This hands-on 2h workshop puts you in the reverse engineer's shoes: explore popular RE tools/techniques, spot common weaknesses, analyse real-world apps' protection mechanisms (Google Play & dev hardening), and test their limits. Android devs, bring your own Android app to dissect! By the end, you'll know how to identify/exploit flaws and why many defences fall short.

Led by Dr. Aleksandr Pilgun: University of Luxembourg researcher, ACVTool creator for app coverage analysis, expert in fraudulent apps and FinTech RE.

📅 6–8 May 2026 | 09:00–18:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/
🗓️ Schedule link: https://pretalx.com/bsidesluxembourg-2026/schedule/

Hack like the bad guys (ethically) – bring your own app! 📱

#BsidesLuxembourg #Android #ReverseEngineering #AndroidSecurity #Apps #BSides

Signal vs Wire — binary analysis of both APKs (apktool, strings, ELF inspection).

The gap is larger than most people think:

Signal: Rust core (libsignal_jni.so), Kyber-1024 post-quantum hybrid ratchet, SQLCipher for at-rest encryption, SVR with Intel SGX attestation, IME_FLAG_NO_PERSONALIZED_LEARNING (keyboard can't index your messages), zero third-party trackers.

Wire: Kotlin/Ktor, no hardened native core (more accessible to Frida), no SQLCipher (messages extractable in plaintext on rooted devices), no post-quantum, Segment SDK for behavioural telemetry.

But the finding that surprised me most:

Wire APKs from unofficial stores (Uptodown et al.) contain additional tracking workers and ACCESS_SUPERUSER permission requests not present in the official build. Supply chain integrity is not a footnote — it's the threat model.

Conclusion: Signal is the only one of the two suitable for threat models involving physical or administrative device compromise.

Soon the full paper.

#infosec #AndroidSecurity #Signal #Wire #ReverseEngineering #mobileforensics #supplychain #MASA
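An added example, not the post author's analysis code, of the supply-chain check the post's last finding calls for: diff a candidate APK (e.g. from an unofficial store) against the official build and flag added code entries, added permissions, and a changed signing block. It assumes constructed in-memory APKs with a plain-XML manifest; real APKs carry a binary AndroidManifest.xml, so on real builds the manifest would be read with aapt or apkanalyzer instead of the regex here.

```python
import hashlib
import io
import re
import zipfile

# Constructed sample builds (not real Wire or Signal artifacts). A real APK carries a
# binary AndroidManifest.xml; this toy uses plain XML so the regex below can read it.
OFFICIAL_MANIFEST = b'<manifest><uses-permission android:name="android.permission.INTERNET"/></manifest>'
UNOFFICIAL_MANIFEST = (b'<manifest><uses-permission android:name="android.permission.INTERNET"/>'
                       b'<uses-permission android:name="android.permission.ACCESS_SUPERUSER"/></manifest>')

def build_apk(entries):
    """Write a dict of {zip entry name: bytes} into an in-memory APK (an APK is a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

OFFICIAL = build_apk({"AndroidManifest.xml": OFFICIAL_MANIFEST, "classes.dex": b"dex\n035official",
                      "META-INF/CERT.RSA": b"official-signing-block"})
UNOFFICIAL = build_apk({"AndroidManifest.xml": UNOFFICIAL_MANIFEST, "classes.dex": b"dex\n035official",
                        "classes2.dex": b"dex\n035tracking-worker", "META-INF/CERT.RSA": b"resigned-by-store"})

def entry_digests(apk):
    """SHA-256 of every zip entry, keyed by entry name."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {i.filename: hashlib.sha256(z.read(i)).hexdigest() for i in z.infolist()}

def permissions(apk):
    """Set of <uses-permission> names (plain-XML manifest assumed, see above)."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        xml = z.read("AndroidManifest.xml").decode()
    return set(re.findall(r'uses-permission android:name="([^"]+)"', xml))

def diff_builds(official, candidate):
    a, b = entry_digests(official), entry_digests(candidate)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
        "added_permissions": sorted(permissions(candidate) - permissions(official)),
    }

def is_trustworthy(report):
    """Reject a build that adds code, adds permissions, or carries a different signing block."""
    new_code = [n for n in report["added"] if n.endswith((".dex", ".so"))]
    resigned = [n for n in report["modified"] + report["removed"] if n.startswith("META-INF/")]
    return not (new_code or resigned or report["added_permissions"])

if __name__ == "__main__":
    report = diff_builds(OFFICIAL, UNOFFICIAL)
    print(report, "trustworthy:", is_trustworthy(report))
```

On real builds, pair the META-INF check with `apksigner verify --print-certs` on both APKs so the signer certificates themselves are compared, not just the signature files.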

Static + dynamic analysis of Signal's APK. The good news first: Signal is genuinely exceptional.

Rust core (libsignal_jni.so), post-quantum hybrid Double Ratchet (Kyber-1024 + X25519), Direct ByteBuffers with immediate zeroing after PIN/username hashing, Intel SGX attestation for SVR — MREnclave verification means even a compromised Signal server can't extract your PIN hash.

But two things stood out:

1. Firebase is always there. Google receives IP + notification timestamps regardless of message content. If you need metadata privacy, Signal still leaks presence data to Google's infrastructure.

2. Certificate revocation endpoints hit http://g.symcd.com in plaintext. An ISP or state-level observer can fingerprint Signal usage from DNS queries and HTTP traffic to those CAs — without touching message content.

Conclusion: strongest crypto engineering in consumer messaging. The attack surface isn't the cryptography. It's the operational dependencies.

Soon the full analysis.

#infosec #AndroidSecurity #Signal #privacy #ReverseEngineering #postquantum #mobileforensics

Android 17 is tightening Accessibility API access to stop malware from abusing system permissions.

The update integrates with Advanced Protection Mode to reduce privilege escalation and limit sensitive data access.

https://www.technadu.com/android-17-restricts-accessibility-api-to-prevent-malware-from-requesting-excessive-permissions/623574/

#AndroidSecurity #Infosec #MobileSecurity