Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: android (14 articles)Clear

Bad Epoll Linux kernel flaw lets any local user gain root, including on Android

A newly disclosed Linux kernel vulnerability called Bad Epoll lets an ordinary user with no special privileges take full control of a machine as root, and it affects Linux desktops, servers, and Android. Tracked as CVE-2026-46242, the flaw is a use-after-free in epoll, a core Linux feature for watching many files or connections at once that programs and browsers rely on and cannot simply turn off. Two parts of the kernel try to free the same object at once, letting an attacker corrupt kernel memory and climb to root. It is a race-condition bug, harder to exploit than recent deterministic Linux flaws, but a working exploit exists and a fix is available.

Check
Identify Linux servers, workstations, and Android devices in your environment and check their kernel versions against the Bad Epoll fix, prioritizing multi-user systems and anything where untrusted users can run code.
Affected
Linux desktops, servers, and Android devices on kernels without the Bad Epoll fix (CVE-2026-46242); any local user, or code already running with low privileges, can exploit the flaw to gain root.
Fix
Apply the kernel updates that fix Bad Epoll as they reach your distributions and Android devices; there is no workaround, since epoll cannot be disabled, so patching is the only real mitigation.

Eight-year-old Samsung KNOX kernel flaw exposed Galaxy S9 through S25

Researchers at LucidBit Labs detailed an eight-year-old use-after-free flaw in the kernel of Samsung's KNOX security framework that affected a huge range of Galaxy devices, from the Galaxy S9 to the S25, across A-series and both Exynos and Qualcomm models. The bug (CVE-2026-20971) sits in a race between two KNOX components that verify process integrity, and a malicious app could exploit it to corrupt kernel memory and potentially take full control of the device. Samsung quietly fixed it in its January 2026 security update. Exploitation requires local access and some user interaction, but a lost, borrowed, or stolen phone makes that realistic.

Check
Confirm that Samsung Galaxy devices in your environment have installed the January 2026 or later security update, and identify any older or unmanaged Galaxy phones that may still be missing it.
Affected
Samsung Galaxy devices from the S9 through S25, plus A-series models on both Exynos and Qualcomm chips (CVE-2026-20971), that have not applied the January 2026 security update.
Fix
Apply the January 2026 or later Samsung security update to all Galaxy devices, enforce update compliance through mobile device management, and retire devices no longer receiving security patches.

Rokarolla Android trojan hits 217 banking and crypto apps with full device control

Zimperium's zLabs has documented Rokarolla, a new Android banking trojan that targets 217 banking and cryptocurrency apps and accepts 137 remote commands, giving an operator near-total control of an infected phone. It lifts lock-screen PINs, reads and sends text messages to grab one-time codes, rewrites the clipboard to redirect cryptocurrency payments, and disables Google Play Protect. It spreads through malicious websites posing as popular apps like TikTok and Chrome, starting with a dropper disguised as Google Play Protect that abuses Accessibility permissions. The actual theft uses fake login overlays placed on top of real banking apps, and surveillance relies on quiet Accessibility screenshots.

Check
Ensure mobile users install apps only from official stores, keep Google Play Protect on, and treat any app requesting Accessibility access, especially a fake Play Protect prompt, as suspicious.
Affected
Android users who side-load apps from links or sites impersonating TikTok, Chrome, or other popular apps; customers of the 217 targeted banking and cryptocurrency apps are the financial target.
Fix
There is no patch since this is malware. Install only from official app stores, keep Play Protect enabled, deny Accessibility access to untrusted apps, and use mobile threat defense on managed devices.

NFCShare Android malware poses as bank app updates to steal card data

Researchers at D3Lab warn that new versions of the NFCShare Android malware are spreading as fake updates for real banking apps, hosted on GitHub to look legitimate. Targeting customers of European banks, the malware shows a fake verification screen that tells victims to hold their payment card against the phone. It then uses the phone's NFC chip to read the card number, type, and expiry, and tricks the victim into typing their 4-digit PIN, sending it all to the attacker's server. That stolen data feeds NFC relay fraud, where criminals use it to make contactless payments or withdrawals. The malware only works if users sideload it.

Check
On managed Android devices, look for banking apps installed from outside Google Play and any app that requests an NFC card scan during a verification step.
Affected
Android users, mainly customers of European banks, who sideload fake banking app updates from GitHub or other non-Play sources and follow prompts to scan their cards.
Fix
Install banking apps only from Google Play, keep Play Protect enabled, and never scan a payment card or enter a PIN in response to an in-app verification prompt.

Free apps turn smart TVs into hidden web-scraping proxies

Researchers at Include Security have shown how a software kit made by Bright Data, embedded inside free apps on Samsung, LG, and Roku smart TVs, quietly turns those always-on devices into relays for someone else's web-scraping traffic. Users opt in through a consent screen buried in the TV's menu, then their home internet connection is used to fetch web pages for Bright Data's paying customers, many of them AI firms. The researchers found the control channel barely checks who is issuing commands, weaker than many malware families, and on iPhones the traffic even slips past VPNs and normal monitoring tools.

Check
On managed mobile devices, scan apps for the Bright Data SDK using the binary symbols BrdWebSocketFacade and BrdNetwork.DNSResolver, and watch networks for unexplained outbound scraping traffic.
Affected
Samsung, LG, Roku, and other smart TVs plus iOS and Android phones running free apps that bundle the Bright Data (formerly Luminati) residential-proxy SDK.
Fix
Uninstall apps that bundle the proxy SDK, decline the bandwidth-sharing consent prompt, and block the SDK on managed devices via MDM app-vetting and outbound network policy.

Android spyware Asin targets Arabic journalists via fake news and map apps

Security firm ESET has detailed a new Android spyware it calls Asin that targets Arabic-speaking users, likely journalists and open-source investigators. Victims are lured to convincing fake websites posing as a government news service, a secure PDF reader, and live war-map tools, some promoted through Facebook and Telegram pages. The sites offer apps such as GovLens, WarMap, and Syria Defense Map that work as advertised but hide spyware underneath. Because the apps come from outside official stores, victims must manually install them and grant permissions. ESET has not tied the campaign to a known group, and its exact goals remain unclear.

Check
Review managed Android devices for sideloaded apps named GovLens, WarMap, or Syria Defense Map, and check DNS and proxy logs for the known Asin distribution domains.
Affected
Android users in Arabic-speaking regions, especially journalists and OSINT researchers, who sideloaded apps from govlens[.]net, pdf-reader[.]help, live-war-map[.]com, or syriadefensemap[.]com.
Fix
Remove the malicious apps, block the listed domains at your DNS or proxy, disable installation from unknown sources, and run a mobile security scan on affected phones.

Microsoft 365 Android apps leak FOCI SSO tokens to any local app via leftover setIsDebugMode(true) - four CVEs, six apps

Enclave researchers have disclosed FlagLeft, a flaw in Microsoft 365 Android apps that let any local app steal account tokens because a shared Microsoft SDK shipped with setIsDebugMode(true) left in production code, skipping the check that should reject untrusted apps requesting SSO handoff. The leaked FOCI single-sign-on tokens can be refreshed and reused over long periods, with traffic that looks routine in logs. It affected Word, PowerPoint, Excel, Microsoft 365 Copilot, Loop, and OneNote (billions of downloads); Teams shipped the flag false and was unaffected. Microsoft issued four CVEs on May 12 (CVE-2026-41100/41101/41102/42832). The patched Android Word build is 16.0.19822.20190; a malicious on-device app is all it takes.

Check
Push Microsoft 365 Android app updates via MDM. Confirm Word is on build 16.0.19822.20190 or later and other apps updated through Google Play. Audit Android fleets for sideloaded apps.
Affected
Microsoft 365 Android apps (Word, PowerPoint, Excel, Copilot, Loop, OneNote) below the patched builds. A malicious on-device app can steal refreshable FOCI SSO tokens; Teams was unaffected.
Fix
Update all M365 Android apps from Google Play. Note the patch does not revoke already-stolen tokens - revoke active sessions for potentially-affected users and enforce app-install controls on managed devices.

SafeBreach 'Fake Context Alignment' hijacks Google Gemini on Android via malicious WhatsApp/Slack notifications - no malicious app needed, now patched

SafeBreach's Or Yair has demonstrated Fake Context Alignment, a technique that hijacks Google Gemini's voice assistant on Android through malicious notifications from apps like WhatsApp and Slack - no malicious app on the phone required. Gemini's Utilities feature reads and acts on notification text as if it were instructions, an attack surface Yair calls 'effectively infinite.' The bypass runs two illusions at once: it poses the real authorization question in a language the victim does not speak, defeating Google's post-Invitation prompt-injection mitigations. It can fake a boss's message, open windows, force a Zoom call, or poison long-term memory. Google has patched it; no CVE was assigned.

Check
Advise Android users with Gemini to disable or restrict its Utilities notification-reading feature where not essential. Treat unexpected spoken instructions referencing Drive uploads or calls with suspicion.
Affected
Android users with Google Gemini's notification-reading Utilities enabled. Any app or service that can push a notification could inject instructions; iOS and web are not affected. Now patched.
Fix
Ensure Gemini is updated to the patched version. Limit which apps can post notifications Gemini reads. For sensitive actions, require on-screen confirmation rather than voice-only approval.

Google June Android update fixes 124 flaws including exploited Framework zero-day CVE-2025-48595 - also added to CISA KEV same day

Google has released the June 2026 Android security patches addressing 124 vulnerabilities, including CVE-2025-48595, a high-severity Android Framework flaw under limited, targeted exploitation. Local attackers can abuse it to gain code execution and escalate privileges on Android 14 or later. Google fixed 18 critical vulnerabilities this cycle across System, Framework, and Qualcomm closed-source components; the most severe is a critical Framework flaw enabling remote privilege escalation with no user interaction. Two patch levels shipped (2026-06-01 and 2026-06-05). CISA added CVE-2025-48595 to its KEV catalog the same day. Pixel devices get updates immediately; other vendors typically lag. Similar Android Framework flaws have historically been abused by commercial spyware.

Check
Inventory Android fleet by version and patch level. Confirm devices show the 2026-06-05 patch level. Prioritize Android 14+ devices for CVE-2025-48595; push updates via MDM where possible.
Affected
Android 14 and later unpatched against the June 2026 update. CVE-2025-48595 is under limited targeted exploitation; high-interest individuals face the greatest risk from likely-spyware abuse.
Fix
Apply the June 2026 Android update (2026-06-05 patch level). Non-Pixel users: pressure OEMs for timely rollout. FCEB agencies must remediate CVE-2025-48595 per CISA KEV deadline.

Grandoreiro banking trojan and BTMOB Android RAT hit Iberia and Latin America - DLL side-loading, WebRTC P2P, targets Wise and Revolut

WatchGuard and ESET have documented two parallel banking-malware campaigns hitting Windows and Android users across Iberia and Latin America. The Windows campaign delivers Grandoreiro - an actively evolving banking trojan operating since 2016 that targets thousands of institutions across 45 countries - via DLL side-loading of four legitimate applications, using Delphi 11-built DLLs that abuse the sgcWebSockets library for WebRTC peer-to-peer C2 over STUN and ICE protocols to blend with web-conferencing traffic. Named targets include Abanca, Banco de Portugal, BBVA PT, Caixa Geral, Santander, plus Revolut and Wise. A companion campaign delivers the BTMOB RAT to Android users in Brazil.

Check
Hunt Windows endpoints for DLL side-loading of mingwm10.dll, libwebp.dll, libffi-6.dll, or libpng15.dll. Inspect outbound WebRTC/STUN/ICE traffic to unexpected peers. Check for Delphi-built DLLs.
Affected
Banking customers and finance staff in Spain, Portugal, Mexico (Windows/Grandoreiro) and Brazil (Android/BTMOB). Named targets include Abanca, Santander, Banco de Portugal, Revolut, and Wise.
Fix
Apply WatchGuard and ESET IoCs. Block known C2 peers. Train finance staff against phishing links delivering ZIP archives. Deploy mobile threat defense on Android devices accessing banking apps.