Mobile.md

Mobile Threat Intelligence

Mobile Security Vendor Blogs

• ThreatFabric - https://threatfabric.com/blogs.html
• Cleafy Labs- https://www.cleafy.com/labs
• Lookout - https://www.lookout.com/tag/threat-intelligence
• Zimperium - https://blog.zimperium.com/
• NowSecure - https://www.nowsecure.com/blog/category/research-threat-intel/
• WMC Global - https://www.wmcglobal.com/blog

Mobile Malware Samples

• APKLab - https://www.apklab.io/
• Koodous - https://koodous.com/
• Abuse.ch Bazaar: Android - https://bazaar.abuse.ch/browse/tag/android/
• Abuse.ch Bazaar: APK - https://bazaar.abuse.ch/browse/tag/apk/
• Abuse.ch Bazaar: SMS - https://bazaar.abuse.ch/browse/tag/sms/
• VirusTotal: Android - https://www.virustotal.com/gui/search/android/comments
• VirusTotal: APK - https://www.virustotal.com/gui/search/apk/comments
• VirusTotal: iOS - https://www.virustotal.com/gui/search/ios/comments
• VirusTotal: iPhone - https://www.virustotal.com/gui/search/iphone/comments

Mobile Threat Resources

• Cybersecurity 101: WHAT IS MOBILE MALWARE? - https://www.crowdstrike.com/cybersecurity-101/malware/mobile-malware/
• Mobile Malware Overview by Europol - https://www.europol.europa.eu/operations-services-and-innovation/public-awareness-and-prevention-guides/mobile-malware
• Android Banking Trojan Nexus - https://github.com/BushidoUK/Android-Banking-Trojan-Nexus/blob/main/Android.csv
• Corellium Mobile Virtualization - https://github.com/corellium
• ALL of The Citizen Lab's blogs on mobile spyware - https://citizenlab.ca/category/research/
• Various SIM swapping blogs by Brian Krebs - https://krebsonsecurity.com/category/sim-swapping/

Important Mobile Threat Reports: Cybercrime

• Cerberus Android malware pushed via a compromised Mobile Device Management (MDM) server - by Check Point Research
• Developer of Anubis Android BankBot was arrested in Stavropol, Russia - by stv24
• Out-of-band SMS phishing for Office 365 credentials - by SANS ISC
• WhatsApp accounts hijacked by call forwarding - by Malwarebytes
• Takedown of SMS-based FluBot spyware infecting Android phones - by Europol
• Blog series by Team Cymru on Moqhao Android Banking Trojan botnet:
  • MoqHao Part 1: Identifying Phishing Infrastructure - see here
  • MoqHao Part 1.5: High-Level Trends of Recent Campaigns Targeting Japan - see here
  • MoqHao Part 2: Continued European Expansion - see here
• Next Generation of Latin American Banking Trojans - by Check Point Research
• Massive Fraud Operation Facilitated by Evil Mobile Emulator Farms - by IBM Trusteer

Important Mobile Threat Reports: State-sponsored

• Russia
  • SVR cyberspies used iOS zero-day in LinkedIn phishing campaign - see here
  • Russia's ‘Sandworm’ Hackers Also Targeted Android Phones - see here
  • FancyBear Android mlaware to track Ukrainian Artillery Units - see here
• China
  • Chinese phones with built-in malware sold in Africa - see here
  • How China turned a prize-winning iPhone hack against the Uyghurs - see here
  • Mobile APT Surveillance Campaigns Targeting Uyghurs - see here
• North Korea
  • North Korean Defectors and Journalists Targeted Using Social Networks and fake KakaoTalk app - see here
  • Kimsuky software supply chain attack against Hdac cryptocurrency wallet Android app on Google Play Store - see here
• Iran
  • Domestic Kitten: An Iranian Surveillance Operation - see here
  • Mobile Campaign Bouncing Golf Affects Middle East - see here
  • MuddyWater Android espionage campaigns against Turkey, Afghanistan, and Pakistan - see here
• Turkey
  • StrongPity APT Group Deploys Android Malware - see here
• Pakistan
  • Custom Android and iOS surveillanceware tools Stealth Mango and Tangelo used by the Pakistani military - see here
  • DoNot’s Firestarter abuses Google Firebase Cloud Messaging to spread - see here
• India
  • SideWinder hackers plant fake Android VPN app in Google Play Store - see here
• Syria
  • Nation-state Mobile Malware Targets Syrians with COVID-19 Lures - see here
• Vietnam
  • Hiding in plain sight: PhantomLance walks into a market - see here
• Hamas cyberwarfare division
  • Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials - see here

Mobile Spyware Companies

• Israel-based NSO Group's Pegasus for Android and iOS - see here and here
• Candiru is a secretive Israel-based company that sells spyware exclusively to governments - see here
• Israel-based firm, Cytrox, is part of the “Intellexa alliance,” a range of spyware vendors that emerged in 2019 - see here
• Circles is an Israeli surveillance firm that exploits SS7 vulnerabilities to spy on calls, texts, and location information - see here
• Anglo-German firm, Gamma Group, developed the “strategic wide-scale interception and monitoring solution” FinFisher for iOS and Android - see here
• Russia-based company, Special Technology Centre (STC), developed the Android surveillanceware tool called "Monokle" - see here
• UAE-based company, DarkMatter, that consists of ex-NSA mercenaries who developed mobile exploits and spyware - see here

Mobile Security & Threat Researchers

• https://twitter.com/apkdetect
• https://twitter.com/ThreatFabric
• https://twitter.com/ReBensk
• https://twitter.com/pr3wtd
• https://twitter.com/U039b
• https://twitter.com/bl4ckh0l3z
• https://twitter.com/LukasStefanko
• https://twitter.com/m0br3v
• https://twitter.com/virqdroid
• https://twitter.com/ninoseki
• https://twitter.com/icebre4ker
• https://twitter.com/midnight_comms
• https://twitter.com/aazim_here
• https://twitter.com/sh1shk0va
• https://twitter.com/gaur7v
• https://twitter.com/0xabc0
• https://twitter.com/MrHazum
• https://twitter.com/enovella_
• https://twitter.com/klmitchell212
• https://twitter.com/mem3hack
• https://twitter.com/cryptax