A newly disclosed Linux kernel vulnerability called Bad Epoll lets an ordinary user with no special privileges take full control of a machine as root, and it affects Linux desktops, servers, and Android. Tracked as CVE-2026-46242, the flaw is a use-after-free in epoll, a core Linux feature for watching many files or connections at once that programs and browsers rely on and cannot simply turn off. Two parts of the kernel try to free the same object at once, letting an attacker corrupt kernel memory and climb to root. It is a race-condition bug, harder to exploit than recent deterministic Linux flaws, but a working exploit exists and a fix is available.
Researchers at LucidBit Labs detailed an eight-year-old use-after-free flaw in the kernel of Samsung's KNOX security framework that affected a huge range of Galaxy devices, from the Galaxy S9 to the S25, across A-series and both Exynos and Qualcomm models. The bug (CVE-2026-20971) sits in a race between two KNOX components that verify process integrity, and a malicious app could exploit it to corrupt kernel memory and potentially take full control of the device. Samsung quietly fixed it in its January 2026 security update. Exploitation requires local access and some user interaction, but a lost, borrowed, or stolen phone makes that realistic.
Zimperium's zLabs has documented Rokarolla, a new Android banking trojan that targets 217 banking and cryptocurrency apps and accepts 137 remote commands, giving an operator near-total control of an infected phone. It lifts lock-screen PINs, reads and sends text messages to grab one-time codes, rewrites the clipboard to redirect cryptocurrency payments, and disables Google Play Protect. It spreads through malicious websites posing as popular apps like TikTok and Chrome, starting with a dropper disguised as Google Play Protect that abuses Accessibility permissions. The actual theft uses fake login overlays placed on top of real banking apps, and surveillance relies on quiet Accessibility screenshots.
Researchers at D3Lab warn that new versions of the NFCShare Android malware are spreading as fake updates for real banking apps, hosted on GitHub to look legitimate. Targeting customers of European banks, the malware shows a fake verification screen that tells victims to hold their payment card against the phone. It then uses the phone's NFC chip to read the card number, type, and expiry, and tricks the victim into typing their 4-digit PIN, sending it all to the attacker's server. That stolen data feeds NFC relay fraud, where criminals use it to make contactless payments or withdrawals. The malware only works if users sideload it.
Researchers at Include Security have shown how a software kit made by Bright Data, embedded inside free apps on Samsung, LG, and Roku smart TVs, quietly turns those always-on devices into relays for someone else's web-scraping traffic. Users opt in through a consent screen buried in the TV's menu, then their home internet connection is used to fetch web pages for Bright Data's paying customers, many of them AI firms. The researchers found the control channel barely checks who is issuing commands, weaker than many malware families, and on iPhones the traffic even slips past VPNs and normal monitoring tools.
Security firm ESET has detailed a new Android spyware it calls Asin that targets Arabic-speaking users, likely journalists and open-source investigators. Victims are lured to convincing fake websites posing as a government news service, a secure PDF reader, and live war-map tools, some promoted through Facebook and Telegram pages. The sites offer apps such as GovLens, WarMap, and Syria Defense Map that work as advertised but hide spyware underneath. Because the apps come from outside official stores, victims must manually install them and grant permissions. ESET has not tied the campaign to a known group, and its exact goals remain unclear.
Enclave researchers have disclosed FlagLeft, a flaw in Microsoft 365 Android apps that let any local app steal account tokens because a shared Microsoft SDK shipped with setIsDebugMode(true) left in production code, skipping the check that should reject untrusted apps requesting SSO handoff. The leaked FOCI single-sign-on tokens can be refreshed and reused over long periods, with traffic that looks routine in logs. It affected Word, PowerPoint, Excel, Microsoft 365 Copilot, Loop, and OneNote (billions of downloads); Teams shipped the flag false and was unaffected. Microsoft issued four CVEs on May 12 (CVE-2026-41100/41101/41102/42832). The patched Android Word build is 16.0.19822.20190; a malicious on-device app is all it takes.
SafeBreach's Or Yair has demonstrated Fake Context Alignment, a technique that hijacks Google Gemini's voice assistant on Android through malicious notifications from apps like WhatsApp and Slack - no malicious app on the phone required. Gemini's Utilities feature reads and acts on notification text as if it were instructions, an attack surface Yair calls 'effectively infinite.' The bypass runs two illusions at once: it poses the real authorization question in a language the victim does not speak, defeating Google's post-Invitation prompt-injection mitigations. It can fake a boss's message, open windows, force a Zoom call, or poison long-term memory. Google has patched it; no CVE was assigned.
Google has released the June 2026 Android security patches addressing 124 vulnerabilities, including CVE-2025-48595, a high-severity Android Framework flaw under limited, targeted exploitation. Local attackers can abuse it to gain code execution and escalate privileges on Android 14 or later. Google fixed 18 critical vulnerabilities this cycle across System, Framework, and Qualcomm closed-source components; the most severe is a critical Framework flaw enabling remote privilege escalation with no user interaction. Two patch levels shipped (2026-06-01 and 2026-06-05). CISA added CVE-2025-48595 to its KEV catalog the same day. Pixel devices get updates immediately; other vendors typically lag. Similar Android Framework flaws have historically been abused by commercial spyware.
WatchGuard and ESET have documented two parallel banking-malware campaigns hitting Windows and Android users across Iberia and Latin America. The Windows campaign delivers Grandoreiro - an actively evolving banking trojan operating since 2016 that targets thousands of institutions across 45 countries - via DLL side-loading of four legitimate applications, using Delphi 11-built DLLs that abuse the sgcWebSockets library for WebRTC peer-to-peer C2 over STUN and ICE protocols to blend with web-conferencing traffic. Named targets include Abanca, Banco de Portugal, BBVA PT, Caixa Geral, Santander, plus Revolut and Wise. A companion campaign delivers the BTMOB RAT to Android users in Brazil.