#AndroidSecurity

mymobprice (@mymobprice)
2026-02-06

Xiaomi Rolls Out February 2026 Security Update for HyperOS Devices

Xiaomi has started pushing the February 2026 Android security patch to several HyperOS devices, including Xiaomi, Redmi, and POCO smartphones worldwide.

mymobprice.com/blog/article/xi

How Meta Connected Browsing Activity to Real People on Android


You think you’re invisible online when you’re in private browsing mode or after clearing cookies, right? I used to think the same thing. But the reality is a little harsher: Meta found ways to keep tabs on Android users even when they were trying to hide. I’m not here to scare you. I’m here to explain exactly how it worked, why it happened, and what you can realistically do about it.

We’ve all had the experience: you browse a few sites, check a couple of things in private, and later see ads that feel almost “too personalized.” You think, How did they know? This Meta case makes it clear that your standard privacy tools — incognito mode, cookie clearing — aren’t always enough. What Meta discovered, and what researchers exposed, is that the ecosystem itself is leaking information, whether you like it or not.

It’s tempting to blame yourself, but you’re not doing anything wrong. In reality, the way apps and browsers interact on Android is complex, and the rules were never designed to make users completely invisible. Meta simply found a way to connect dots that were already there. Understanding how this happened can help you make smarter decisions online — without panicking or quitting your favorite apps.

Tracking Isn’t Just About Cookies

For years, online tracking seemed simple. Websites dropped cookies — little snippets of data that said, “Hello, I recognize you.” Delete them, and the site forgets you. Go incognito, and you think you’re invisible. But modern tracking doesn’t rely solely on cookies. That’s old-school thinking. The industry has gotten smarter, and the methods have evolved to follow you even when you try to hide.

Meta’s approach is a prime example. They didn’t just rely on cookies or logins. Instead, they leveraged patterns of behavior and signals coming from apps and browsers. Think of cookies as leaving a name tag at a party. Take it off, and the host can’t read the name anymore — but they can still notice your face, how you walk, or the drinks you order. Those subtle identifiers are enough for someone skilled to link your behavior back to a real person.

The problem is compounded because these signals are baked into the operating system and how apps communicate. Every tap, every page load, every app interaction produces a tiny “footprint.” When a company like Meta has access to enough footprints, connecting them to accounts becomes almost trivial. In other words, tracking today isn’t about a single cookie — it’s about pattern recognition at scale.

Most people don’t realize how much of this happens behind the scenes. You clear cookies, turn on privacy features, and feel safe. But the ecosystem doesn’t just make your digital fingerprints disappear. Understanding that tracking has moved beyond the old tools is the first step toward realistic, practical privacy.

The Android Ecosystem and Its Blind Spots

Android isn’t a sealed system. It’s more like a neighborhood where everyone’s got thin walls, and neighbors sometimes talk over the fences. Apps, browsers, and the operating system constantly exchange small pieces of information — often for legitimate purposes like syncing data or improving app performance. But those same mechanisms can be abused to identify and link users across services.

Think of your apps as apartments in a building. Each apartment is supposed to be private, but thin walls, shared utilities, and building-wide notices mean some information leaks. Meta’s method exploited these subtle leaks — the equivalent of overhearing conversations, noticing repeated patterns, or recognizing footprints in a shared courtyard. These aren’t security flaws in the traditional sense; they’re structural features of how Android is built to allow apps and services to communicate.

Even if you’re careful — you only use trusted apps, you clear cookies, you use incognito mode — the system itself can reveal patterns. Android provides some privacy protections, but they aren’t foolproof. Signals like app activity, device identifiers, and browsing behavior can still combine to form a recognizable profile. Meta’s approach took advantage of these natural “communication channels” between apps and browsers.

The lesson here isn’t to panic or quit Android. It’s to understand that privacy is about controlling what you can, not believing you can erase every trace. The Android ecosystem is complex, and awareness is the best tool you have. Knowing where data flows helps you make smarter choices.

Meta’s New Tracking Method

So, what exactly did Meta do? They didn’t hack your phone. They didn’t exploit a vulnerability that required a patch. Instead, they used existing communication pathways — the way apps and browsers naturally interact — to link browsing activity to real accounts. In plain terms, they stitched together patterns that already existed.

Imagine leaving faint footprints in the sand. On their own, each print is meaningless. But if someone tracks the pattern of steps, the gait, and the direction, they can identify the person walking. Meta’s system worked similarly: it looked at how users moved through apps and web pages and matched those patterns to known accounts. This method bypassed cookie protections and even incognito mode because it didn’t rely on those traditional mechanisms.

It’s also worth noting the scale here. Doing this effectively requires processing millions of data points across users and devices. That’s why most small apps don’t have this capability — but big platforms with massive infrastructure, like Meta, can. This isn’t a single exploit; it’s leveraging the architecture of Android itself to achieve tracking that feels invisible to the user.

For everyday users, the takeaway is clear: your actions, even in “private” modes, can leave a pattern that sophisticated systems can recognize. Understanding this doesn’t make you paranoid; it makes you informed. And informed users make smarter choices.

Why Your Privacy Tools Didn’t Stop It

Let’s address the obvious question: why didn’t incognito mode, cookie clearing, or app sandboxing stop this? The short answer is: because these tools aren’t designed to protect against this type of tracking. They protect specific areas — cookies, stored data, or app isolation — but not the broader patterns of behavior.

Analogy: locking your front door is great, but it doesn’t stop someone from watching the windows. Your privacy tools are doors and locks. Meta found ways to look through the windows, study your movement in the yard, and figure out whose house it was. That’s not a failure on your part; it’s a feature of the system.

Android does have protections against inter-app data sharing, but these are partial and often complicated to configure correctly. Even when you do everything “right,” sophisticated trackers can combine signals to make educated guesses about user identities. It’s frustrating, but it’s also a reminder that privacy isn’t binary.

The realistic takeaway is to understand limitations, not to assume invisibility. Privacy tools reduce exposure, slow down trackers, and add friction to data collection. They are your armor, not a magic shield. Understanding how far that armor stretches helps you make smarter decisions.

What This Means for Everyday Users

Here’s the bottom line: complete invisibility online is nearly impossible if you’re using mainstream apps. Platforms are designed to connect behavior to real users. Meta’s method is a case study in how this works, but it’s not unique. Google, Apple, and other companies also have ways to track activity across services and devices.

That doesn’t mean you’re powerless. The key is being aware. Awareness allows you to make deliberate choices about which apps to use, what permissions to grant, and how to navigate the ecosystem. You don’t need to quit Facebook or Instagram, but understanding their incentives and methods can guide smarter habits.

It also means adjusting expectations. Privacy isn’t a switch you flip; it’s a spectrum you navigate. You can reduce exposure and make tracking harder, but expecting perfect invisibility sets you up for disappointment. Instead, think strategically: what do you want to protect, and which tools realistically help?

Finally, this awareness empowers conversation. When companies expose privacy challenges, informed users can ask better questions, demand better policies, and make more conscious decisions about their digital lives.

Practical Steps You Can Take

Let’s get practical. Here are steps that actually help — no snake oil, no miracle fixes:

  1. Limit app permissions. Only grant what’s necessary. Many apps ask for access to your contacts, camera, or location unnecessarily. Review and prune these regularly.
  2. Use privacy-conscious browsers. Browsers like Firefox Focus, DuckDuckGo, or Brave block trackers better than default Chrome or Samsung Internet.
  3. Restrict inter-app data sharing. Android settings allow you to limit cross-app data access. It won’t stop everything, but it reduces signals available to trackers.
  4. Think before installing apps. Each new app is another potential tracker. Fewer apps mean fewer signals to stitch together.
  5. Separate identities when needed. Some users create dedicated profiles or devices for certain types of browsing or app usage to minimize linking patterns.

The goal is realistic protection, not illusionary invisibility. Awareness, restraint, and intentional choices are your best defense.

Bigger Picture Lessons

Meta’s tracking isn’t an isolated incident — it’s representative of how modern tech handles user data. Privacy tools are often playing catch-up with the incentives of platforms that want to link activity to identities.

For users, the lesson is simple: understand the system, don’t assume safety, and act consciously. For the industry, it’s a reminder that structural protections are often more effective than user-facing features alone. Privacy isn’t something you turn on; it’s something you manage.

Knowing this, you can approach the digital world with less anxiety and more strategy. That’s far more effective than panic or avoidance.

Conclusion

Here’s what you need to remember:

  • Modern tracking isn’t just about cookies — it’s about behavior patterns and cross-app signals.
  • Privacy tools reduce exposure but can’t make you invisible.
  • Awareness and informed choices are your best defense.

I’m not telling you to quit your apps or abandon your devices. I’m telling you how the game is played, so you can play smarter. The best armor in today’s ecosystem isn’t fear — it’s knowledge.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King


Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

#AndroidBehaviorTracking #AndroidDataPrivacy #AndroidPrivacy #AndroidPrivacyAwareness #AndroidPrivacyGuide #androidSecurity #AndroidSignalTracking #AndroidSurveillance #AndroidUserPrivacy #appPermissions #appTrackingAndroid #appTrackingPrevention #crossAppTracking #digitalFootprint #digitalFootprintReduction #digitalIdentityAndroid #digitalPrivacyForMen #digitalPrivacyTips #everydayAndroidSecurity #incognitoModeTracking #interAppDataSharing #limitTrackingAndroid #MetaAndroidPrivacy #MetaAndroidTracking #MetaCookiesBypass #MetaDataTracking #MetaPrivacyExplained #MetaPrivacyIssue #MetaPrivacyLoophole #MetaPrivacyRisks #MetaTrackingAndroidUsers #MetaTrackingExplained #MetaTrackingLoophole #MetaTrackingMethod #MetaTrackingSolution #MetaUserTracking #mobilePrivacy #mobileTrackingTips #onlinePrivacyGuide #onlineSafetyAndroid #onlineTracking #privacyAwareness #privacyBestPractices #privacyHabitsAndroid #privacySettingsAndroid #privacyToolsAndroid #protectAndroidData #reduceAppTracking #reduceTrackingAndroid #secureAppUsage #secureBrowsingAndroid #smartphonePrivacy #smartphoneSecurityTips #stopMetaTracking #trackingMethods #trackingPatterns #trackingPrevention #userBehaviorTracking

[Image: Smartphone surrounded by app icons and browser windows with digital footprints connecting them, illustrating how Meta tracks Android users.]
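The post's "Practical Steps" list says to review and prune app permissions regularly but does not show how to do that beyond the Settings screens. The script below is an added example, not code from the post or its author: it parses the output of `adb shell dumpsys package` and reports which third-party packages currently hold granted runtime permissions from a sensitive shortlist. The dumpsys layout it expects is the one mirrored in the constructed SAMPLE (a `Package [..]` header, then a per-user `runtime permissions:` block of `<permission>: granted=<bool>, flags=[..]` lines), and the SENSITIVE set is a hand-picked list, not an official Android permission group; both are assumptions.

```python
"""Audit granted runtime permissions from `adb shell dumpsys package` output.

Added example, not code from the post above. Assumptions: the dumpsys layout
mirrored in SAMPLE (a "Package [..]" header, then a per-user
"runtime permissions:" block of "<perm>: granted=<bool>, flags=[..]" lines),
and SENSITIVE, a hand-picked shortlist rather than an official Android group.
"""
import re
import shutil
import subprocess
from collections import defaultdict

SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_runtime_grants(dumpsys_text):
    """Return {package: set of granted runtime permissions}.

    Only the "runtime permissions:" block counts: those are the grants the user
    can revoke in Settings. Install-time permissions (INTERNET etc.) are skipped.
    The block ends when indentation falls back to the header's level.
    """
    grants = defaultdict(set)
    pkg = None
    in_block = False
    block_indent = 0
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg, in_block = m.group(1), False
            continue
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "runtime permissions:":
            in_block, block_indent = True, indent
            continue
        if not in_block:
            continue
        if not stripped or indent <= block_indent:
            in_block = False
            continue
        m = PERM_RE.match(line)
        if m and pkg and m.group(2) == "true":
            grants[pkg].add(m.group(1))
    return dict(grants)


def sensitive_grants(grants):
    """Keep only packages holding at least one SENSITIVE permission, sorted."""
    return {pkg: sorted(perms & SENSITIVE)
            for pkg, perms in grants.items() if perms & SENSITIVE}


# Constructed sample in the dumpsys layout assumed above (not real device output).
SAMPLE = """\
Packages:
  Package [com.example.social] (1a2b3c):
    userId=10123
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=123 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SENSITIVE_WHEN_GRANTED]
  Package [com.example.flashlight] (4d5e6f):
    userId=10124
    User 0: ceDataInode=124 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
  Package [com.example.calc] (7a8b9c):
    userId=10125
    User 0: ceDataInode=125 installed=true hidden=false
      runtime permissions:
        android.permission.READ_PHONE_STATE: granted=false, flags=[]
"""


def main():
    # Prefer a connected device; fall back to SAMPLE so the script runs offline.
    text = SAMPLE
    if shutil.which("adb"):
        run = subprocess.run(["adb", "shell", "dumpsys", "package"],
                             capture_output=True, text=True)
        if run.returncode == 0 and run.stdout:
            text = run.stdout
    for pkg, perms in sorted(sensitive_grants(parse_runtime_grants(text)).items()):
        print(f"{pkg}: {', '.join(perms)}")


if __name__ == "__main__":
    main()
```

Run it with a device attached over USB debugging and it lists every package that currently holds one of the shortlisted permissions; the flashlight entry in the sample is the kind of mismatch between app purpose and granted access the post's first step is about. Revoking a grant is still done in Settings (or with `adb shell pm revoke <package> <permission>`), and the script only sees runtime permissions, so it says nothing about install-time grants such as network access.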
2026-01-30

It's been a packed 24 hours in the cyber world with critical zero-day vulnerabilities, evolving threat actor tactics, significant data breaches, and shifts in government policy. Let's dive in:

Critical Zero-Days in Ivanti EPMM and SmarterMail ⚠️
- Ivanti has patched two critical code-injection zero-days (CVE-2026-1281, CVE-2026-1340) in its Endpoint Manager Mobile (EPMM) platform, actively exploited to achieve unauthenticated remote code execution.
- These flaws, with CVSS scores of 9.8, allow attackers to execute arbitrary code and access sensitive data like user credentials, device info, and potentially location data. Temporary RPM scripts are available, but a permanent fix is due in Q1 2026.
- SmarterMail also addressed a critical unauthenticated RCE (CVE-2026-24423, CVSS 9.3) in its ConnectToHub API, and a medium-severity NTLM relay vulnerability (CVE-2026-25067) that could lead to credential coercion. Users are urged to update to Build 9511 (for RCE) and Build 9518 (for NTLM relay) immediately.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2026/01/two-
📰 The Hacker News | thehackernews.com/2026/01/smar

Evolving Android Malware and Chinese APT Tactics 🛡️
- A new Android malware campaign is leveraging Hugging Face as a trusted repository to distribute thousands of polymorphic APK variants, disguised as a security app called TrustBastion. It exploits Accessibility Services to steal credentials for financial services like Alipay and WeChat.
- China-linked APTs are actively deploying sophisticated malware: "PeckBirdy," a JScript-based C2 framework, is used by both financially motivated cybercrime groups targeting Chinese gambling sites and espionage groups against Asian government entities.
- UAT-8099, another China-linked threat actor, is targeting vulnerable IIS servers in Asia, particularly Thailand and Vietnam, with BadIIS SEO malware. They use web shells, PowerShell, and legitimate tools like GotoHTTP for remote access and persistence, creating hidden user accounts like "admin$" or "mysql$".

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
⚫ Dark Reading | darkreading.com/cyberattacks-d
📰 The Hacker News | thehackernews.com/2026/01/chin

High-Profile Breaches and IP Theft Conviction 🚨
- Coupang, a major Korean e-commerce site, is under police investigation for allegedly obstructing a probe into a data breach affecting 33.7 million customer accounts, with its CEO questioned and a smashed laptop recovered from a river.
- Thousands more Oregon residents are being notified of health data exposure from the TriZetto data breach, which occurred in November 2024 but wasn't discovered until almost a year later, impacting over 700,000 patients across multiple US states.
- A former Google engineer, Linwei Ding, has been convicted of economic espionage and theft of trade secrets for stealing over 2,000 confidential AI-related documents to benefit a China-based startup he founded.

🗞️ The Record | therecord.media/coupang-acting
🕵🏼 The Register | go.theregister.com/feed/www.th
📰 The Hacker News | thehackernews.com/2026/01/ex-g

Broadening Cyber Threats and Law Enforcement Responses 🌍
- A senior Secret Service official highlighted the "staggering" weakness in the Internet Assigned Numbers Authority (IANA) domain registration system, which facilitates phishing and fraudulent advertising due to insufficient identity validation.
- Google, in collaboration with Cloudflare and Lumen, disrupted IPIDEA, a China-based residential proxy network, removing millions of devices used by cybercriminals and espionage groups, though a significant portion remains active.
- Illicit cryptocurrency flows surged to a record $158 billion in 2025, primarily driven by sanctions-linked activity (Russia, Iran, Venezuela), nation-state use, and improved attribution, despite a slight drop in illicit activity's share of total volume.
- A comprehensive analysis of 418 law enforcement actions (2021-mid-2025) reveals that extortion, malware, and hacking are the most targeted criminal acts, with arrests dominating responses and significant public-private collaboration, particularly from US agencies.

🤫 CyberScoop | cyberscoop.com/secret-service-
🤫 CyberScoop | cyberscoop.com/ipidea-proxy-ne
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2026/01/badg

US Policy Shifts and Microsoft's NTLM Retirement 🏛️
- The White House's OMB rescinded Biden-era mandates for Software Bills of Materials (SBOMs) and software attestation, arguing they prioritised compliance over genuine security, sparking debate among security professionals about the potential impact on software supply chain security.
- CISA faced scrutiny for releasing insider threat guidance shortly after its acting director, Madhu Gottumukkala, reportedly uploaded sensitive documents to a public ChatGPT instance, highlighting a potential disconnect between policy and practice.
- Microsoft announced plans to disable the 30-year-old NTLM authentication protocol by default in future Windows releases, phasing it out in favour of more secure Kerberos-based alternatives due to NTLM's inherent vulnerabilities to relay and pass-the-hash attacks.

⚫ Dark Reading | darkreading.com/application-se
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/micr

AI Security and Developer Challenges 💡
- A BellSoft survey indicates nearly half of Java developers prefer delegating container security to vendors of hardened containers, despite security being the most important factor in image choice and 23% experiencing container-related incidents.
- An op-ed argues that the US can win the AI race against China not just through advanced models, but by leveraging its robust private-sector cybersecurity industry, which fosters trust and security through real-world threat exposure and market-driven defence.
- Tenable introduced "Tenable One AI Exposure" to its exposure management portfolio, designed to detect, map, and govern the use of agentic and generative AI platforms across enterprise infrastructure, addressing concerns about shadow AI and data leakage.

🕵🏼 The Register | go.theregister.com/feed/www.th
🤫 CyberScoop | cyberscoop.com/ai-race-china-u
⚫ Dark Reading | darkreading.com/cyber-risk/ten

#CyberSecurity #ThreatIntelligence #ZeroDay #RCE #Vulnerability #Malware #APT #AndroidSecurity #IISSecurity #DataBreach #EconomicEspionage #IPTheft #Cybercrime #LawEnforcement #SBOM #NTLM #MicrosoftSecurity #AISecurity #ContainerSecurity #InfoSec
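The UAT-8099 item above notes that the actor drops web shells on IIS servers and then creates hidden user accounts such as "admin$" or "mysql$". The script below is an added example, not code from the roundup or from the reporting it links, showing a hunt over exported Windows Security events for that tradecraft. Its inputs are assumed to be one JSON object per line with the field names shown (the shape a SIEM or Winlogbeat export typically produces), and both heuristics are assumptions: a trailing "$" on a user account name keeps it out of `net user` output, and event 4720 covers user accounts only (computer accounts log 4741), so a 4720 name ending in "$" is not a legitimate machine account; and a creation performed under an IIS application-pool identity (SubjectDomainName "IIS APPPOOL") is what a web shell would produce, since it executes as the worker process.

```python
"""Flag suspicious local-account creations in Windows Security event 4720.

Added example, not code from the roundup or from the cited reporting. Inputs are
assumed to be one JSON object per line with the field names below (the shape a
SIEM or Winlogbeat export typically produces). Two heuristics, both assumptions:
  * a trailing "$" on a user account name (admin$, mysql$) keeps it out of
    `net user` output; 4720 never covers computer accounts (those log 4741),
    so a 4720 name ending in "$" is never a legitimate machine account;
  * a creation performed under an IIS application-pool identity
    (SubjectDomainName "IIS APPPOOL") is what a web shell on the server would
    produce, since it runs as the worker process.
"""
import json

# Constructed sample events (not real telemetry).
EVENTS = [
    '{"EventID": 4720, "TargetUserName": "admin$", "SubjectUserName": "DefaultAppPool", '
    '"SubjectDomainName": "IIS APPPOOL", "Computer": "WEB01"}',
    '{"EventID": 4720, "TargetUserName": "mysql$", "SubjectUserName": "Administrator", '
    '"SubjectDomainName": "WEB01", "Computer": "WEB01"}',
    '{"EventID": 4720, "TargetUserName": "jdoe", "SubjectUserName": "Administrator", '
    '"SubjectDomainName": "WEB01", "Computer": "WEB01"}',
    '{"EventID": 4741, "TargetUserName": "WS42$", "SubjectUserName": "Administrator", '
    '"SubjectDomainName": "CORP", "Computer": "DC01"}',
    '{"EventID": 4624, "TargetUserName": "jdoe", "SubjectUserName": "-", '
    '"SubjectDomainName": "-", "Computer": "WEB01"}',
]


def classify(event):
    """Return the reasons an account-creation event is suspicious (empty if benign)."""
    reasons = []
    if event.get("EventID") != 4720:
        return reasons  # not a user-account creation (4741 is a computer account)
    name = event.get("TargetUserName", "")
    if name.endswith("$"):
        reasons.append("trailing '$' hides the user account from `net user`")
    if event.get("SubjectDomainName", "").upper() == "IIS APPPOOL":
        reasons.append("created by an IIS application-pool identity")
    return reasons


def hunt(lines):
    """Parse JSON lines and return findings as (computer, account, creator, reasons)."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed export line; skip it rather than abort the hunt
        reasons = classify(event)
        if reasons:
            creator = f'{event.get("SubjectDomainName")}\\{event.get("SubjectUserName")}'
            findings.append((event.get("Computer"), event["TargetUserName"], creator, reasons))
    return findings


if __name__ == "__main__":
    for computer, account, creator, reasons in hunt(EVENTS):
        print(f"[{computer}] {account!r} created by {creator}: {'; '.join(reasons)}")
```

On the constructed sample the hunt returns "admin$" (two reasons: hidden name and app-pool creator) and "mysql$" (hidden name only), while the ordinary "jdoe" creation, the 4741 computer-account event and the 4624 logon are ignored. Point `hunt()` at a real export by reading the file line by line; the app-pool check only fires if the web shell is executing as the worker process, so a shell that has already escalated to SYSTEM will be caught by the name heuristic alone.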

2026-01-23

Surfshark ends app updates for Android 5 (Lollipop), citing security risks from unpatched OS versions.

Android 6+ remains supported as of Jan 2026. Users on older devices can still connect via manual VPN or router setups.

technadu.com/surfshark-android
Is dropping legacy Android support the right security call?

#VPN #AndroidSecurity #Surfshark #InfoSec #Privacy

Surfshark Drops App Updates for Older Android Phones: What Users Should Know
Big Blu Gnu (@Big_Blue_Gnu)
2026-01-15

I just updated my Samsung Galaxy S25+. As it turns out, my phone was nine updates behind, and it was still running Android 15. There may have been notifications, but somehow I overlooked them. For someone who habitually updates his software, I guess that's why we have the "Auto update system" option in Settings > Developer options.

2026-01-14

Devixor is a new Android banking RAT that also deploys ransomware, targeting Iranian banks, payment services, and crypto platforms via phishing APKs.

technadu.com/new-devixor-malwa

Thoughts on hybrid mobile threats?

#Infosec #AndroidSecurity #Malware

New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services
Aditya Telange (@adityatelange)
2026-01-05

🔐 Introducing frida-ui

A lightweight, web-based user interface built for Frida - designed to make Android application penetration testing more intuitive and efficient.

📦 Easy to get started:
> uv tool install frida-ui
> frida-ui

Check it out on GitHub - github.com/adityatelange/frida

Available on PyPI: pypi.org/project/frida-ui

🐦‍🔥nemo™🐦‍⬛ 🇺🇦🍉 (@nemo@mas.to)
2025-12-29

Privacium spotlights privacy-friendly tools for Android users 🔒🌐 Discover open-source, ad-free guidance based on PrivacyGuides criteria. 🚀✨ Check it out on IzzyOnDroid: apt.izzysoft.de/fdroid/index/a #PrivacyFirst #OpenSource #PrivacyTools #AndroidSecurity

2025-12-22

It's been a busy 24 hours in the cyber world with significant updates on recent breaches, actively exploited vulnerabilities, new malware and threat actor insights, and a stark warning about AI's impact on the threat landscape. Let's dive in:

Recent Cyber Attacks and Breaches 🚨

- The University of Phoenix has confirmed a data breach impacting nearly 3.5 million individuals, including students, staff, and suppliers. The Clop ransomware gang exploited a zero-day vulnerability (CVE-2025-61882) in the Oracle E-Business Suite (EBS) to steal sensitive personal and financial information. Harvard and the University of Pennsylvania were also hit by this same Clop campaign.
- Romania's national water management agency, Administrația Națională Apele Române (Romanian Waters), was hit by a ransomware attack that compromised approximately 1,000 systems. Attackers used Windows' built-in BitLocker for encryption, leaving ransom notes, but operational technology (OT) systems and water infrastructure remain unaffected. The National Cyber Security Directorate (DNSC) advises against negotiation.
- France's national postal service, La Poste, and its banking arm, La Banque Postale, experienced service disruptions due to a suspected Distributed Denial-of-Service (DDoS) attack just days before Christmas. While no customer data compromise was reported, online services and parcel distribution were affected. This follows the recent arrest of a 22-year-old suspect for hacking the French Interior Ministry's email server.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/romania-nation
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/la-poste-franc
🕵🏼 The Register | go.theregister.com/feed/www.th
🕵🏼 The Register | go.theregister.com/feed/www.th

Vulnerabilities and Active Exploitation ⚠️

- Over 115,000 WatchGuard Firebox devices exposed online remain unpatched against a critical remote code execution (RCE) vulnerability, CVE-2025-14733, which is actively being exploited. This flaw affects Fireware OS 11.x, 12.x, and 2025.1, allowing unauthenticated attackers to execute arbitrary code. CISA has added it to its Known Exploited Vulnerabilities (KEV) Catalog, ordering federal agencies to patch immediately.
- Multiple network security products from Fortinet, SonicWall, and Cisco have also seen vulnerabilities actively exploited. A China-nexus APT, UAT-9686, is abusing CVE-2025-20393 in Cisco AsyncOS to deploy malware like ReverseSSH. SonicWall fixed CVE-2025-40602, a local privilege escalation flaw, which combined with CVE-2025-23006, leads to unauthenticated RCE on SMA 100 series appliances.
- CISA recently added CVE-2025-59374, related to the 2018-2019 "ShadowHammer" supply-chain attack on ASUS Live Update, to its KEV catalog. However, it's crucial to note this is a retrospective classification for an End-of-Life (EoL) product and does not indicate a newly emerging threat or renewed urgency for currently supported systems.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
⚡ The Hacker News | thehackernews.com/2025/12/week
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th

New Threat Research and Tradecraft 🛡️

- Android malware operations are becoming increasingly sophisticated, merging droppers, SMS theft, and RAT capabilities. "Wonderland" (formerly WretchedCat) is targeting Uzbekistan via malicious droppers, using Telegram for C2, stealing SMS/OTPs, and exfiltrating contacts. Other new Android malware like Cellik (RAT with Play Store integration), Frogblight (SMS phishing for banking creds in Turkey), and NexusRoute (government-branded phishing for RAT in India) highlight this trend.
- A malicious npm package named `lotusbail`, masquerading as a legitimate WhatsApp Web API library, has been found stealing WhatsApp authentication tokens, session keys, intercepting messages, and exfiltrating contacts and media files. The package, a fork of WhiskeySockets Baileys, also grants attackers persistent access to victims' WhatsApp accounts even after removal.
- The MacSync information stealer for macOS has evolved its distribution method, now delivered via a digitally signed and notarised Swift application. This new dropper successfully evades macOS Gatekeeper checks, though the certificate has since been revoked. MacSync is capable of stealing iCloud keychain credentials, browser passwords, cryptocurrency wallet data, and files.
- Ukrainian national Artem Aleksandrovych Stryzhak pleaded guilty to his role as an affiliate in the Nefilim ransomware gang, which targeted high-revenue businesses globally. Stryzhak received 20% of ransom payments and used "Corporate Leaks" sites to pressure victims. Co-conspirator Volodymyr Tymoshchuk, an alleged administrator for Nefilim, LockerGoga, and MegaCortex, remains at large with an $11 million reward offered for information.
- A pro-Ukrainian cyberespionage group, Goffee (also known as Paper Werewolf), is targeting Russian military personnel and defense-industry organisations with phishing campaigns. Lures include fake New Year concert invitations and official-looking letters from the Ministry of Industry and Trade, often featuring AI-generated decoys with linguistic errors. The group deploys the EchoGather backdoor to collect system information and execute commands.
- Other notable threat actor activities include China-aligned Ink Dragon targeting European governments and repurposing victims for further operations, and LongNosedGoblin using Group Policy to deploy the NosyDoor backdoor in Southeast Asia and Japan. North Korean Kimsuky is spreading DocSwap Android malware via QR codes on phishing sites, while Arcane Werewolf targets Russian manufacturing with the Loki 2.1 implant. RansomHouse has upgraded its encryption to a two-factor scheme, making decryption significantly harder.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
⚡ The Hacker News | thehackernews.com/2025/12/andr
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/nefilim-ransom
🗞️ The Record | therecord.media/cyber-spies-fa
⚡ The Hacker News | thehackernews.com/2025/12/week

AI's Impact on the Threat Landscape 🤖

- Sanaz Yashar, CEO of Zafran Security and former IDF Unit 8200 "hacking architect," warns that the "WannaCry of AI will happen." She highlights that AI is accelerating the "time-to-exploit" (TTE) to a negative value, meaning vulnerabilities are being weaponised and exploited *before* patches are released.
- Yashar notes that 78% of vulnerabilities are now being weaponised by LLMs and AI, and the increasing use of AI in corporate systems expands the attack surface through prompt injection and AI agent manipulation.
- The greatest danger, she argues, comes from "junior" hackers using AI, who may not understand the full collateral damage of their actions, potentially shutting down critical infrastructure without intent. The solution, she suggests, is also AI, through proactive threat exposure management platforms.

🕵🏼 The Register | go.theregister.com/feed/www.th

Data Privacy Concerns 🔒

- South Korea will now require facial recognition scans for new mobile phone number registrations to combat widespread scams and identity theft. This move comes after two major data breaches this year impacted over half the nation's population, including SK Telecom, which was fined $100 million and ordered to compensate 23 million customers $1.55 billion for poor infosec practices.
- Google is discontinuing its "Dark Web Report" email service, stating it didn't provide "helpful next steps." Users are directed to existing tools like security checkups and password managers, but the "Results about you" tool, which flags personal info in Google Search, requires significant personal data submission.
- A popular Chrome and Microsoft Edge extension, Urban VPN Proxy (with over 7.3 million installs), was caught stealthily harvesting every prompt users entered into AI chatbots like ChatGPT, Claude, and Copilot. This highlights a significant risk of data exposure through seemingly innocuous browser extensions.
- Texas Attorney General Ken Paxton has sued Sony, Samsung, LG, Hisense, and TCL, accusing them of illegally spying on customers by using Automated Content Recognition (ACR) technology in smart TVs. The lawsuit claims ACR captures screenshots and monitors viewing activity without informed consent to serve targeted ads.
- Privacy non-profit noyb has filed GDPR complaints against TikTok, AppsFlyer, and Grindr, alleging unlawful cross-app tracking. A user's Grindr usage, including details about their sexual orientation, was reportedly sent to TikTok via AppsFlyer, raising serious concerns about sensitive data handling.
- A California federal judge has denied NSO Group's request to stay an order preventing them from using WhatsApp infrastructure for spyware attacks. The court found NSO went "far beyond their authorized use" in targeting 1,400 WhatsApp users with Pegasus spyware in 2019.

🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/south-korea-fa
🕵🏼 The Register | go.theregister.com/feed/www.th
⚡ The Hacker News | thehackernews.com/2025/12/week
🗞️ The Record | therecord.media/judge-rules-ns

Regulatory Actions and Law Enforcement ⚖️

- In response to Japan’s Mobile Software Competition Act (MSCA), Apple and Google have reluctantly begun allowing developers to distribute apps through third-party stores and accept alternative payment providers. Both tech giants expressed concerns about potential increases in malware, fraud, and privacy risks due to these changes.
- An Interpol-coordinated initiative, "Operation Sentinel," led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents across Africa. The operation also took down over 6,000 malicious links and decrypted six distinct ransomware variants.
- US authorities have seized the servers and infrastructure of the E-Note cryptocurrency exchange, alleging it laundered over $70 million from ransomware and account takeover attacks since 2017. The site's operator, a 39-year-old Russian national, has been indicted on conspiracy to launder monetary instruments charges.

🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
⚡ The Hacker News | thehackernews.com/2025/12/week

#CyberSecurity #ThreatIntelligence #Ransomware #Vulnerability #RCE #ZeroDay #APT #Malware #AndroidSecurity #macOSSecurity #DataPrivacy #AI #IncidentResponse #LawEnforcement #InfoSec

2025-12-22

Multiple Android malware operations are merging — sharing tools, infrastructure, and scale. Cybercrime is consolidating like an industry. 📱⚠️ #AndroidSecurity #Malware

thehackernews.com/2025/12/andr

2025-12-17

Cellik Android malware rebuilds trusted Google Play apps into malicious versions — supply-chain abuse is moving straight into app stores. Trust must be verified, not assumed. 📱⚠️ #AndroidSecurity #SupplyChainRisk

bleepingcomputer.com/news/micr

2025-12-15

FrogBlight Android banking trojan targets Türkiye via smishing.
technadu.com/frogblight-androi

• Fake government court portals
• Banking credential theft
• Spyware capabilities
• Possible MaaS distribution

#ThreatIntel #AndroidSecurity #BankingMalware #Infosec

FrogBlight Android Banking Trojan Targets Turkish Android Users via Smishing and Fake Government Court File Portals
2025-12-15

An unverified claim has emerged regarding the sale of an Android exploit allegedly impacting versions 12–16 and ARM-based devices. The actor asserts capabilities including remote code execution and privilege escalation, though no public technical validation has been provided.

Such disclosures emphasize the need for disciplined analysis, coordinated validation, and avoidance of premature conclusions.

How do you assess credibility when exploit claims surface without proof-of-concept?

Source: x.com/MonThreat/status/2000196

Engage in the discussion and follow TechNadu for fact-focused infosec reporting.

#InfoSec #AndroidSecurity #VulnerabilityResearch #ThreatIntel #MobileSecurity #TechNadu

Claim of Sale of Exploit Enabling RCE and Full Privilege Escalation on Android 12–16
N-gated Hacker News (ngate)
2025-12-06

Oh, look! Another tech messiah has arrived, and it's called . 🎉 The only Android OS that keeps you safe from... well, everything but boring Mastodon updates and JavaScript woes. 🙄 Go ahead, enable JavaScript, and feel your IQ drop. 📉
grapheneos.social/@GrapheneOS/

2025-12-03

CISA has added two Android Framework 0-days (CVE-2025-48572 & CVE-2025-48633) to the KEV list, confirming active exploitation.

Together, they enable privilege escalation and information disclosure, forming a potentially complete compromise path for targeted devices.

Federal agencies have a December 23 patch deadline, and wider organizations are encouraged to roll out updates and monitor for related indicators.

💬 Mobile ecosystems remain a critical attack surface - what best practices have worked for your teams?

Source: cybersecuritynews.com/android-

Follow us for ongoing vulnerability and threat intelligence updates.

#Cybersecurity #AndroidSecurity #KEV #CISA #ZeroDay #MobileThreats #ThreatIntel #Infosec #SecurityUpdates #DeviceSecurity

CISA Warns of Android 0-Day Vulnerability Exploited in Attacks
2025-12-03

Google’s December Android update addresses 107 security flaws, including two Framework vulnerabilities already exploited in targeted scenarios. The release also patches a critical DoS issue and multiple vendor-specific components across major chipsets.

How should mobile ecosystems improve patch adoption across fragmented devices?
Follow us for more neutral, technical cybersecurity updates.

Source: thehackernews.com/2025/12/goog

#infosec #androidsecurity #zeroday #vulnresearch #mobilesecurity #threatintel #googlepatch #securitybulletin #technadu

Google Patches 107 Android Flaws, Including Two Framework Bugs Exploited in the Wild
2025-12-02

New NFC Malware Surge Targeting European Android Users
technadu.com/nfc-relay-malware

• 760+ malicious apps spoofing banks & Google Pay
• Exploits HCE to emulate cards for contactless fraud
• Captures EMV data + forwards POS commands in real time
• 70+ servers + Telegram bot ecosystem

The rapid evolution of NFC relay malware suggests coordinated distribution and shared tooling across European threat actors.
Follow us for more deep-dive investigations.

#Cybersecurity #InfoSec #NFCMalware #AndroidSecurity #ThreatIntelligence #EMV

New NFC Malware Wave Puts European Android Users’ Payment Cards at Risk
Pen Test Partners (PTP@infosec.exchange)
2025-11-27

Android app testers and security engineers spend a lot of time dealing with Activities. The attack surface may look small, but poorly configured Activities can expose data or let other apps do things they shouldn't. In this blog post, David Lodge explains how exported and debug Activities, weak WebView settings, and missing window security flags can pose security concerns.

📌 pentestpartners.com/security-b

#androidsecurity #cybersecurity #appsec #mobile #pentesting #infosec #securitytesting

Inauthentic (inauthentic)
2025-11-27

Good morning!
Today I learned that grapheneOS exists, and what a disappointment it was to see that it only supports Pixel phones.

Do you know of any similar alternative for the rest of the devices?
---------

Hi folks!
Do you know a privacy-focused alternative to grapheneOS which can be installed on modern non-Pixel devices?

---------

Annual Computer Security Applications Conference (ACSAC_Conf@infosec.exchange)
2025-11-20

Second in the session was Zerbini et al.'s "R+R: Matrioska: A User-Centric Defense Against Virtualization-Based Repackaging Malware on Android," which presents a defense with high accuracy against Android virtualization threats. (acsac.org/2024/program/final/s) 3/6
#AndroidSecurity

Client Info

Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst