Last updated: July 5, 2026 at 9:01 AM UTC
Tag: mobile (4 articles)

Android spyware Asin targets Arabic journalists via fake news and map apps

Security firm ESET has detailed a new Android spyware it calls Asin that targets Arabic-speaking users, likely journalists and open-source investigators. Victims are lured to convincing fake websites posing as a government news service, a secure PDF reader, and live war-map tools, some promoted through Facebook and Telegram pages. The sites offer apps such as GovLens, WarMap, and Syria Defense Map that work as advertised but hide spyware underneath. Because the apps come from outside official stores, victims must manually install them and grant permissions. ESET has not tied the campaign to a known group, and its exact goals remain unclear.

Check
Review managed Android devices for sideloaded apps named GovLens, WarMap, or Syria Defense Map, and check DNS and proxy logs for the known Asin distribution domains.
Affected
Android users in Arabic-speaking regions, especially journalists and OSINT researchers, who sideloaded apps from govlens[.]net, pdf-reader[.]help, live-war-map[.]com, or syriadefensemap[.]com.
Fix
Remove the malicious apps, block the listed domains at your DNS or proxy, disable installation from unknown sources, and run a mobile security scan on affected phones.
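The Check and Affected items above boil down to two lookups: which third-party packages on a managed handset were not installed by an official store, and which clients resolved the four distribution domains. The script below is an added example (not ESET's tooling or the page's own code) that does both over constructed input: a sample of `adb shell pm list packages -3 -i` output and a few resolver log lines in an assumed `client=<ip> query=<name>` layout. The package names in the sample are invented, because the page gives only the apps' display names (GovLens, WarMap, Syria Defense Map), so every non-store install is surfaced for manual review rather than matched by name.

```python
import re

# Distribution domains named in the ESET write-up (defanged on the page, refanged for matching).
ASIN_DOMAINS = {"govlens.net", "pdf-reader.help", "live-war-map.com", "syriadefensemap.com"}

# Installers treated as an official store. Add your MDM's installer package here deliberately;
# anything else (including 'null', which is what adb/APK sideloads report) is flagged.
OFFICIAL_INSTALLERS = {"com.android.vending"}


def refang(name: str) -> str:
    """Turn a defanged indicator such as 'govlens[.]net' into a matchable hostname."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")


def matches_asin_domain(hostname: str) -> bool:
    """True if hostname is one of the Asin domains or a subdomain of one.
    Suffix matching is anchored on the dot so 'notgovlens.net' does not match."""
    h = refang(hostname)
    return any(h == d or h.endswith("." + d) for d in ASIN_DOMAINS)


def sideloaded_packages(pm_output: str) -> list[str]:
    """Parse `adb shell pm list packages -3 -i` output and return the third-party
    packages that were not installed by an official store."""
    found = []
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m and m.group(2) not in OFFICIAL_INSTALLERS:
            found.append(m.group(1))
    return found


def asin_dns_hits(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (client, hostname) pairs for resolver queries to Asin infrastructure.
    The 'client=<ip> query=<name>' layout is a constructed format; adapt it to your resolver."""
    hits = []
    for line in log_lines:
        m = re.search(r"client=(\S+)\s+query=(\S+)", line)
        if m and matches_asin_domain(m.group(2)):
            hits.append((m.group(1), refang(m.group(2))))
    return hits


# Constructed samples. The package names are invented: the page only gives display names,
# so every non-store install is listed for a human to review.
SAMPLE_PM = """\
package:com.microsoft.office.word  installer=com.android.vending
package:com.example.govlens  installer=null
package:org.example.warmap  installer=com.example.sideloader
"""

SAMPLE_DNS = [
    "2026-07-01T08:12:01Z client=10.20.0.15 query=www.govlens.net type=A",
    "2026-07-01T08:12:05Z client=10.20.0.15 query=live-war-map.com type=A",
    "2026-07-01T08:13:00Z client=10.20.0.22 query=example.org type=A",
    "2026-07-01T08:14:00Z client=10.20.0.31 query=notgovlens.net type=A",
]

if __name__ == "__main__":
    print("sideloaded:", sideloaded_packages(SAMPLE_PM))
    print("asin dns hits:", asin_dns_hits(SAMPLE_DNS))
```

The suffix check is anchored on a leading dot on purpose: a plain `endswith("govlens.net")` would also match unrelated hosts such as `notgovlens.net` and produce false positives in the block list.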

Microsoft 365 Android apps leak FOCI SSO tokens to any local app via leftover setIsDebugMode(true) - four CVEs, six apps

Enclave researchers have disclosed FlagLeft, a flaw in Microsoft 365 Android apps that lets any app on the same device steal account tokens. A shared Microsoft SDK shipped to production with setIsDebugMode(true) left enabled, which skips the check that should reject untrusted apps requesting an SSO handoff. The leaked FOCI (family of client IDs) single-sign-on tokens can be refreshed and reused over long periods, and the resulting traffic looks routine in logs. Affected apps were Word, PowerPoint, Excel, Microsoft 365 Copilot, Loop, and OneNote (billions of downloads combined); Teams shipped with the flag false and was unaffected. Microsoft issued four CVEs on May 12 (CVE-2026-41100, CVE-2026-41101, CVE-2026-41102, CVE-2026-42832). The patched Android Word build is 16.0.19822.20190. No user interaction is needed: a malicious app present on the device is all it takes.

Check
Push Microsoft 365 Android app updates via MDM. Confirm Word is on build 16.0.19822.20190 or later and that the other affected apps have been updated through Google Play. Audit Android fleets for sideloaded apps, since any app already on the device could have requested the tokens.
Affected
Microsoft 365 Android apps (Word, PowerPoint, Excel, Copilot, Loop, OneNote) below the patched builds. A malicious on-device app can steal refreshable FOCI SSO tokens; Teams was unaffected.
Fix
Update all M365 Android apps from Google Play. The patch does not revoke already-stolen tokens: revoke active sessions for potentially affected users (the Microsoft Graph revokeSignInSessions action invalidates their refresh tokens) and enforce app-install controls on managed devices.
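The root cause described above is a debug flag that short-circuits a caller-trust check. The model below is an added example written for this page, not Microsoft's SDK, the FlagLeft proof of concept, or any real broker API: a small on-device SSO broker that is supposed to hand a token only to callers whose signing certificate is on an allowlist, shown in the vulnerable shape (the flag bypasses verification) beside a hardened one (verification never depends on a flag, and a release build refuses to start with debug mode on). Certificate bytes, package names and the token string are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


def cert_fingerprint(cert: bytes) -> str:
    """SHA-256 of a signing certificate, the usual way an allowlist pins callers."""
    return hashlib.sha256(cert).hexdigest()


# Hypothetical allowlist of first-party signing certificates (constructed bytes).
FIRST_PARTY_CERT = b"constructed-first-party-signing-cert"
TRUSTED_SIGNERS = {cert_fingerprint(FIRST_PARTY_CERT)}


@dataclass(frozen=True)
class Caller:
    package: str
    signing_cert: bytes  # what the platform reports for the calling app, not what the caller claims


class VulnerableBroker:
    """Mirrors the FlagLeft anti-pattern: a debug flag short-circuits caller verification.
    With debug_mode shipped as True, every app on the device passes the check."""

    def __init__(self, debug_mode: bool):
        self.debug_mode = debug_mode

    def request_sso_token(self, caller: Caller) -> Optional[str]:
        if self.debug_mode or cert_fingerprint(caller.signing_cert) in TRUSTED_SIGNERS:
            return "constructed-foci-refresh-token"
        return None


class HardenedBroker:
    """Caller verification never depends on a flag; debug mode only adds logging,
    and a release build refuses to start with debug mode enabled at all."""

    def __init__(self, debug_mode: bool, release_build: bool):
        if release_build and debug_mode:
            raise ValueError("debug mode must not be enabled in a release build")
        self.debug_mode = debug_mode

    def request_sso_token(self, caller: Caller) -> Optional[str]:
        if cert_fingerprint(caller.signing_cert) not in TRUSTED_SIGNERS:
            if self.debug_mode:
                print(f"rejected untrusted caller {caller.package}")
            return None
        return "constructed-foci-refresh-token"


FIRST_PARTY_APP = Caller("com.example.office", FIRST_PARTY_CERT)
MALICIOUS_APP = Caller("com.example.evil", b"attacker-self-signed-cert")


def compare_brokers() -> dict:
    """Run both brokers against a trusted and an untrusted caller and report who got a token."""
    vulnerable = VulnerableBroker(debug_mode=True)  # the shipped misconfiguration
    hardened = HardenedBroker(debug_mode=False, release_build=True)
    try:
        HardenedBroker(debug_mode=True, release_build=True)
        release_guard_fired = False
    except ValueError:
        release_guard_fired = True
    return {
        "vulnerable_serves_first_party": vulnerable.request_sso_token(FIRST_PARTY_APP) is not None,
        "vulnerable_serves_malicious": vulnerable.request_sso_token(MALICIOUS_APP) is not None,
        "hardened_serves_first_party": hardened.request_sso_token(FIRST_PARTY_APP) is not None,
        "hardened_serves_malicious": hardened.request_sso_token(MALICIOUS_APP) is not None,
        "release_guard_fired": release_guard_fired,
    }


if __name__ == "__main__":
    for name, value in compare_brokers().items():
        print(f"{name}: {value}")
```

The point of the hardened variant is not the logging but the structure: a security check should have no code path that a configuration flag can skip, and the flag itself should be rejected at construction time in release builds so a leftover `true` fails loudly in CI instead of shipping.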

Forenser documents zero-click WhatsApp account takeover on iPhone iOS 16 - parallel session, no linked devices, used for wire-transfer scams

Italian digital forensics firm Forenser has documented an active zero-click WhatsApp account-takeover campaign targeting iPhone users on iOS 16. Victims (iPhone 8 through 14) reported messages requesting wire transfers being sent from their accounts to recent contacts, with no Linked Devices entries and no QR code interaction. Unified-log analysis shows continuous WhatsApp session-resync events - the signature of two endpoints competing for the same account, with the attacker bypassing the standard linked-device registration. The campaign exploits known iOS 16 vulnerabilities. Affected users do not see archived chats, suggesting the attacker has only recent-chat access. Forenser recommends upgrading to iOS 17 or later.

Check
Search MDM data for iPhones still on iOS 16. Check WhatsApp Linked Devices on possibly affected handsets, keeping in mind that the list appears empty even on compromised accounts, so an empty list is not evidence of a clean device. Pull unified logs and look for continuous session-resync events if Forenser's IoCs apply.
Affected
iPhone users on iOS 16 (iPhone 8 through 14, including X, XR, XS, 11, SE, 12, 13). WhatsApp on these devices is susceptible to a zero-click parallel-session takeover.
Fix
Upgrade affected iPhones to iOS 17 or later immediately. Sign out and re-register WhatsApp accounts after the upgrade. Educate users to verify suspicious wire-transfer requests via a second channel.
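The forensic signal Forenser describes is not a single resync event, which happens normally after a relaunch or network change, but a continuous stream of them as two endpoints fight over one account. The script below is an added example (not Forenser's tooling) that separates the two over constructed log excerpts in the syslog style of `log show --style syslog`: it buckets matching WhatsApp events per minute and flags a run of consecutive minutes that all contain resyncs. The message text `session resync` is an assumption standing in for Forenser's actual indicator, and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# `log show --style syslog` puts a timestamp first, then host, then process[pid]: message.
# The 'session resync' message text is an assumption standing in for Forenser's indicator.
LINE_RE = re.compile(r"^(\S+ \S+)\s+\S+\s+WhatsApp\[\d+\]:\s*(.*)$")
RESYNC_RE = re.compile(r"session resync", re.IGNORECASE)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"


def resync_minutes(log_lines, pattern=RESYNC_RE) -> Counter:
    """Count matching WhatsApp events per one-minute bucket."""
    buckets = Counter()
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or not pattern.search(m.group(2)):
            continue
        ts = datetime.strptime(m.group(1), TS_FORMAT)
        buckets[ts.replace(second=0, microsecond=0)] += 1
    return buckets


def longest_resync_run(buckets) -> int:
    """Longest run of consecutive minutes that each contain at least one resync."""
    if not buckets:
        return 0
    minutes = sorted(buckets)
    best = run = 1
    for prev, cur in zip(minutes, minutes[1:]):
        run = run + 1 if cur - prev == timedelta(minutes=1) else 1
        best = max(best, run)
    return best


def is_continuous_resync(log_lines, min_run_minutes: int = 5) -> bool:
    """A single resync is normal; a run of minutes with resyncs is the
    competing-session signature described in the Forenser report."""
    return longest_resync_run(resync_minutes(log_lines)) >= min_run_minutes


# Constructed log excerpts.
_BASE = datetime(2026, 6, 20, 10, 0, 0, tzinfo=timezone(timedelta(hours=2)))


def _line(ts: datetime, msg: str) -> str:
    return f"{ts.strftime(TS_FORMAT)}  localhost WhatsApp[512]: {msg}"


BENIGN_LOG = [
    _line(_BASE, "session resync complete"),
    _line(_BASE + timedelta(minutes=40), "session resync complete"),
    _line(_BASE + timedelta(minutes=41), "message delivered"),
]
# One resync every 20 seconds for six minutes: two endpoints fighting over the account.
SUSPICIOUS_LOG = [
    _line(_BASE + timedelta(seconds=20 * i), "session resync: conflicting session state")
    for i in range(18)
]

if __name__ == "__main__":
    for name, log in (("benign", BENIGN_LOG), ("suspicious", SUSPICIOUS_LOG)):
        print(name, "longest run:", longest_resync_run(resync_minutes(log)),
              "continuous:", is_continuous_resync(log))
```

Tune `min_run_minutes` against clean baselines from your own fleet before treating a hit as confirmation; the threshold here is a starting point, not a value from the report.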

NoVoice Android rootkit hid inside 50+ Google Play apps - 2.3 million downloads, survives factory reset

McAfee uncovered a rootkit campaign called Operation NoVoice that distributed malware through more than 50 legitimate-looking apps on Google Play - cleaners, games, and gallery tools - downloaded at least 2.3 million times. Once opened, the apps silently profile the device and download root exploits for Android vulnerabilities patched between 2016 and 2021. After rooting, the malware replaces core system libraries so that every app the user opens runs attacker code. It survives factory resets on older devices because the payload lives on the system partition, which a factory reset leaves untouched (the reset wipes only user data).

Check
Check your Android fleet for devices whose security patch level (ro.build.version.security_patch) is older than 2021-05-01, and audit for any of the apps McAfee reported, which have since been removed from Google Play.
Affected
Android devices with security patch level before 2021-05-01. The rootkit primarily targets older or unpatched devices, though patched devices that installed the apps may have been exposed to other payloads.
Fix
Update Android devices to security patch level 2021-05-01 or later. Devices confirmed infected on Android 7 or older require a full firmware reflash - factory reset will not remove the rootkit. Remove any apps matching the McAfee IOC list. Consider MDM policies that block app installs from unknown or low-reputation publishers.
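The Check and Fix items above describe a triage: read the patch level and Android version from each device, note whether any package matched McAfee's IOC list, and decide between update, app removal and a full reflash. The script below is an added example (not McAfee's tooling or the page's own code) that applies that decision tree to a constructed fleet. Each device record carries a `getprop`-style dump of `ro.build.version.release` and `ro.build.version.security_patch`, as produced by `adb shell getprop` or exported by an MDM; the serials, dumps and IOC results are constructed.

```python
import re
from datetime import date

PATCH_LEVEL_FIXED = date(2021, 5, 1)   # cutoff given on the page
REFLASH_BELOW_MAJOR = 8                 # Android 7 or older: factory reset leaves the rootkit

GETPROP_RE = re.compile(r"^\[(.+?)\]: \[(.*)\]$")


def parse_getprop(dump: str) -> dict:
    """Parse the '[key]: [value]' lines of a full `adb shell getprop` dump."""
    props = {}
    for line in dump.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def major_version(release: str) -> int:
    """'7.1.2' -> 7, '12' -> 12."""
    return int(release.split(".")[0])


def triage(release: str, security_patch: str, ioc_match: bool) -> str:
    """Map one device to the primary action the page prescribes:
    reflash, remove_apps, update or ok."""
    outdated = date.fromisoformat(security_patch) < PATCH_LEVEL_FIXED
    if ioc_match and major_version(release) < REFLASH_BELOW_MAJOR:
        return "reflash"       # system partition is compromised; a reset will not clear it
    if ioc_match:
        return "remove_apps"   # then update; escalate to reflash if system files were altered
    if outdated:
        return "update"
    return "ok"


def triage_fleet(devices) -> dict:
    """devices: iterable of (serial, getprop_dump, ioc_match). Returns serial -> action."""
    result = {}
    for serial, dump, ioc_match in devices:
        p = parse_getprop(dump)
        result[serial] = triage(p["ro.build.version.release"],
                                p["ro.build.version.security_patch"], ioc_match)
    return result


def _dump(release: str, patch: str) -> str:
    """Constructed getprop excerpt with just the two properties this triage reads."""
    return (f"[ro.build.version.release]: [{release}]\n"
            f"[ro.build.version.security_patch]: [{patch}]\n")


# Constructed fleet: one clean device, one merely outdated, one infected on Android 7,
# one infected on a patched Android 11.
SAMPLE_FLEET = [
    ("A1", _dump("12", "2025-12-05"), False),
    ("B2", _dump("10", "2020-11-01"), False),
    ("C3", _dump("7.1.2", "2019-08-01"), True),
    ("D4", _dump("11", "2021-06-05"), True),
]

if __name__ == "__main__":
    for serial, action in triage_fleet(SAMPLE_FLEET).items():
        print(serial, action)
```

The patch level is compared as a date rather than a string so that an unusual value such as a vendor-specific format fails loudly in `date.fromisoformat` instead of silently sorting wrong; treat a parse failure as a device that needs manual inspection.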