
Upgrading to macOS Tahoe 26

13 October 2025 at 03:42
APPLE By Will Fastie Now that Apple’s “OS 26” versions are out, I decided to examine Apple’s macOS update process on my Mac mini, now named “Orchard.” There was one thing in particular I wanted to check out, which I’ll detail at the end of the article. In general, my purpose was to see how […]

Russian spyware ClayRat is spreading, evolving quickly, according to Zimperium

10 October 2025 at 15:01

A fast-spreading Android spyware is mushrooming across Russia, camouflaging itself as popular apps like TikTok or YouTube, researchers at Zimperium have revealed in a blog post.

The company told CyberScoop they expect the campaign is likely to expand beyond Russian borders, too.

In three months, Zimperium zLabs researchers observed more than 600 samples, the company wrote in a blog post Thursday. Once implanted, the spyware can steal text messages, call logs, device information and more, and wrest control of a phone to do things like take pictures or place phone calls.

“It’s mainly targeting Russia, but they can always adapt to other payloads, and since every infected phone then becomes an attack vector, it’s likely to become a global campaign,” said Nico Chiaraviglio, chief scientist at Zimperium. “However, it’s not easy to know the attackers’ intentions.”

The spyware, dubbed ClayRat, uses some notable techniques to infect victims and harvest their data.

“ClayRat poses a serious threat not only because of its extensive surveillance capabilities, but also because of its abuse of Android’s default SMS handler role,” the blog post reads. “This technique allows it to bypass standard runtime permission prompts and gain access to sensitive data without raising alarms.”

It’s also been evolving quickly, Zimperium said, “adding new layers of obfuscation and packing to evade detection.”

Zimperium didn’t say who was behind the spyware. The Russian government is a cyberspace power, but it typically hasn’t had to rely on spyware vendors, per se, as it has its own capabilities. Often, but not always, spyware linked to or suspected to be linked to the Kremlin is turned inwards, snooping on domestic targets.

“ClayRat is distributed through a highly orchestrated mix of social engineering and web-based deception, designed to exploit user trust and convenience,” according to Zimperium. “The campaign relies heavily on Telegram channels and phishing websites that impersonate well-known services and applications.”

The operators distributing ClayRat also rely on phishing platforms.
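The SMS-handler-role abuse described above leaves a trace a defender can look for: whichever package holds Android’s default SMS role was granted the SMS permissions as a bundle, so a sideloaded package in that role is a strong indicator. The script below is an added example, not Zimperium’s tooling or anything from the blog post. It reads the output of two adb commands and flags unexpected or sideloaded role holders. The role-holder command and its output separator are assumptions to verify on your OS version (the script splits generously); the `pm list packages -i` line format and the package allowlist are also assumptions you should adjust to your fleet. The sample output is constructed so the script runs with no device attached.

```python
"""Triage the default SMS handler role on an Android device (added example)."""
import re
import subprocess
from typing import Dict, List, Optional

# Packages that legitimately hold the SMS role on common devices (assumption; tune per fleet).
KNOWN_SMS_APPS = {
    "com.google.android.apps.messaging",
    "com.samsung.android.messaging",
    "com.android.messaging",
}
# Installer package names that mean "came from a store, not a sideload" (assumption).
STORE_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}


def parse_role_holders(text: str) -> List[str]:
    """Extract package names from `cmd role get-role-holders` output.

    The separator is not guaranteed across Android versions, so split on
    semicolons, commas or whitespace and keep anything that looks like a package.
    """
    return [p for p in re.split(r"[;,\s]+", text.strip()) if p and "." in p]


def parse_installers(text: str) -> Dict[str, Optional[str]]:
    """Map package -> installer from `pm list packages -i` output."""
    out: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.group(1), m.group(2)
            out[pkg] = None if inst == "null" else inst
    return out


def triage(role_output: str, installer_output: str) -> List[str]:
    """Return findings for the SMS role holder(s); an empty list means nothing suspicious."""
    findings = []
    installers = parse_installers(installer_output)
    for pkg in parse_role_holders(role_output):
        if pkg not in KNOWN_SMS_APPS:
            findings.append(f"{pkg}: unexpected default SMS handler")
        inst = installers.get(pkg)
        if inst not in STORE_INSTALLERS:
            src = inst or "null (sideloaded or unknown installer)"
            findings.append(f"{pkg}: SMS handler installed by {src}")
    return findings


def adb(*args: str) -> str:
    """Run an adb shell command and return its stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample output standing in for a live device, so the script runs offline.
SAMPLE_ROLE = "com.tiktok.update\n"
SAMPLE_INSTALLERS = """package:com.google.android.apps.messaging  installer=com.android.vending
package:com.tiktok.update  installer=null
package:com.samsung.android.messaging  installer=com.sec.android.app.samsungapps
"""

if __name__ == "__main__":
    try:
        role = adb("cmd", "role", "get-role-holders", "android.app.role.SMS")
        inst = adb("pm", "list", "packages", "-i")
    except (FileNotFoundError, subprocess.CalledProcessError):
        role, inst = SAMPLE_ROLE, SAMPLE_INSTALLERS  # no adb or no device: use the sample
    for finding in triage(role, inst) or ["no findings"]:
        print(finding)
```

On the constructed sample the script reports two findings for `com.tiktok.update`: it is not a known messaging app, and it has no installer, i.e. it was sideloaded. A store-installed Google Messages in the role produces no findings.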

The post Russian spyware ClayRat is spreading, evolving quickly, according to Zimperium appeared first on CyberScoop.

Google Confirms Android Dev Verification Will Have Free and Paid Tiers, No Public List of Devs

By: BeauHD
3 October 2025 at 18:02
An anonymous reader quotes a report from Ars Technica: As we careen toward a future in which Google has final say over what apps you can run, the company has sought to assuage the community's fears with a blog post and a casual "backstage" video. Google has said again and again since announcing the change that sideloading isn't going anywhere, but it's definitely not going to be as easy. The new information confirms app installs will be more reliant on the cloud, and devs can expect new fees, but there will be an escape hatch for hobbyists. Confirming app verification status will be the job of a new system component called the Android Developer Verifier, which will be rolled out to devices in the next major release of Android 16. Google explains that phones must ensure each app has a package name and signing keys that have been registered with Google at the time of installation. This process may break the popular FOSS storefront F-Droid. It would be impossible for your phone to carry a database of all verified apps, so this process may require Internet access. Google plans to have a local cache of the most common sideloaded apps on devices, but for anything else, an Internet connection is required. Google suggests alternative app stores will be able to use a pre-auth token to bypass network calls, but it's still deciding how that will work. The financial arrangement has been murky since the initial announcement, but it's getting clearer. Even though Google's largely automated verification process has been described as simple, it's still going to cost developers money. The verification process will mirror the current Google Play registration fee of $25, which Google claims will go to cover administrative costs. So anyone wishing to distribute an app on Android outside of Google's ecosystem has to pay Google to do so. What if you don't need to distribute apps widely? This is the one piece of good news as developer verification takes shape. 
Google will let hobbyists and students sign up with only an email for a lesser tier of verification. This won't cost anything, but there will be an unclear limit on how many times these apps can be installed. The team in the video strongly encourages everyone to go through the full verification process (and pay Google for the privilege). We've asked Google for more specifics here.

Read more of this story at Slashdot.

Android spyware disguised as legitimate messaging apps targets UAE victims, researchers reveal

2 October 2025 at 11:36

Researchers have found two Android spyware families masquerading as messaging apps Signal and ToTok, apparently targeting residents of the United Arab Emirates.

ESET revealed the spyware campaigns Thursday in a blog post, saying that researchers discovered it in June but believe it dates back to last year. They dubbed the campaigns ProSpy and ToSpy, with the first impersonating both Signal and ToTok, and the second just ToTok.

ToTok has been effectively discontinued since 2020, after The New York Times reported that the app itself was a spying tool for the government of the UAE. The spyware was posing as an enhanced version of the app, ToTok Pro, ESET said.

Once installed, the spyware requests permission to access contacts, text messages and stored files, and once those are granted, it can start exfiltrating data, according to the researchers. That includes the data for which it sought permission, but also device information, audio, video, images and chat backups.

“Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services,” said ESET researcher Lukáš Štefanko, who made the discovery. “Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app.

“Confirmed detections in the UAE and the use of phishing and fake app stores suggest regionally focused operations with strategic delivery mechanisms,” he said.

It’s not the first time hackers have disguised malware in phony messaging apps. ESET shined a spotlight on the phenomenon last year, pointing to fake WhatsApp updates with mysterious intentions, copycat Telegram and WhatsApp websites for stealing cryptocurrency and a Chinese government-linked group seeking to distribute Android BadBazaar espionage code through authentic-looking Signal and Telegram apps.

ESET concluded that the latest spyware campaigns are likely targeting privacy-conscious UAE residents partly because the ToTok app was primarily used there and also because of a domain name ending in the substring “ae.net,” with “AE” being the two-letter country code for UAE.

“Given the app’s regional popularity and the impersonation tactics used by the threat actors, it is reasonable to speculate that the primary targets of this spyware campaign are users in the UAE or surrounding regions,” ESET wrote in its blog post.

The post Android spyware disguised as legitimate messaging apps targets UAE victims, researchers reveal appeared first on CyberScoop.

Open Source Android Repository F-Droid Says Google's New Rules Will Shut It Down

By: msmash
29 September 2025 at 17:41
F-Droid has warned that Google's upcoming developer verification program will kill the free and open source app repository. Google announced plans several weeks ago to force all Android app developers to register their apps and identity with the company. Apps not validated by Google will not be installable on certified Android devices. F-Droid says it cannot require developers to register with Google or take over app identifiers to register for them. The site operators say doing so would effectively take over distribution rights from app authors. Google plans to begin testing the verification scheme in the coming weeks and may charge registration fees. Unverified apps will start being blocked next year in Brazil, Indonesia, Singapore, and Thailand before expanding globally in 2027. F-Droid is calling on US and EU regulators to intervene.


Qualcomm CEO Says He's Seen Google's Android-ChromeOS Merger, Calls It 'Incredible'

By: msmash
24 September 2025 at 12:52
Qualcomm CEO Cristiano Amon told attendees at yesterday's Snapdragon Summit opening keynote that he has seen Google's merged Android-ChromeOS platform for PCs. Speaking alongside Google's head of platforms and devices Rick Osterloh, Amon said the software "delivers on the vision of convergence of mobile and PC" and that he "can't wait to have one." Osterloh confirmed Google is building a common technical foundation for PCs and desktop computing systems that combines Android and ChromeOS. The platform will include Gemini, the full Android AI stack, all Google applications and the Android developer community. "I've seen it, it is incredible," replied Amon excitedly. "It delivers on the vision of convergence of mobile and PC. I can't wait to have one."


Boffins Build Automated Android Bug Hunting System

By: BeauHD
5 September 2025 at 18:00
Researchers from Nanjing University and the University of Sydney developed an AI-powered bug-hunting agent that mimics human vulnerability discovery, validating flaws with proof-of-concept exploits. The Register reports: Ziyue Wang (Nanjing) and Liyi Zhou (Sydney) have expanded upon prior work dubbed A1, an AI agent that can develop exploits for cryptocurrency smart contracts, with A2, an AI agent capable of vulnerability discovery and validation in Android apps. They describe A2 in a preprint paper titled "Agentic Discovery and Validation of Android App Vulnerabilities." The authors claim that the A2 system achieves 78.3 percent coverage on the Ghera benchmark, surpassing static analyzers like APKHunt (30.0 percent). And they say that, when they used A2 on 169 production APKs, they found "104 true-positive zero-day vulnerabilities," 57 of which were self-validated via automatically generated proof-of-concept (PoC) exploits. One of these included a medium-severity flaw in an Android app with over 10 million installs.


Google's Latest Pixel Drop Brings the Material 3 Expressive UI To Older Devices

By: BeauHD
3 September 2025 at 19:20
Google's September Pixel drop brings the new Material 3 Expressive UI, AI-powered Gboard writing tools, and Bluetooth Auracast upgrades to older Pixel devices, including the Pixel 6 and Pixel Tablet. "Among other tweaks, Google made it possible to add 'Live Effects,' including a few that cover the weather, to your phone's lock screen wallpaper," notes Engadget. "Material 3 Expressive also gives you more control over how the contact cards your phone displays when your friends and family call you look. Even if you're not one to endlessly tweak Android's appearance, as part of the redesign Google has once again reworked the Quick Settings pane in hopes of making it easier to use." On the audio front, Pixel Buds Pro 2 gain intuitive nod-and-shake gesture controls, Adaptive Audio for balanced awareness, and Loud Noise Protection to guard against sudden sound spikes. Voice clarity has also been improved with Gemini Live in noisy environments. A full breakdown of what's new can be found here.


Google patches two Android zero-days, 120 defects total in September security update

3 September 2025 at 11:45

Google warned that two actively exploited zero-day vulnerabilities affecting Android devices have been patched in its September security update, which addresses 120 software defects total. 

The zero-days — CVE-2025-38352 affecting the kernel and CVE-2025-48543 affecting Android Runtime — are both high-severity defects that don’t require user interaction for exploitation and could lead to escalation of privilege with no additional execution privileges needed. Google said there are indications that both of the vulnerabilities may be under limited, targeted exploitation.

Google hasn’t included an actively exploited defect in its monthly batch of patches since May. The total number of vulnerabilities disclosed this month is also the highest this year. 

The Android security update contains two patch levels — 2025-09-01 and 2025-09-05 — allowing Android partners to address common vulnerabilities on different devices.

Third-party Android device manufacturers release security patches on their own schedule after they’ve customized operating system updates for their specific hardware.

The primary security update (the 2025-09-01 patch level) contains one critical vulnerability affecting the System component, CVE-2025-48539, which could lead to remote code execution. The first patch level also addresses 29 vulnerabilities in the Framework, 28 in the System, one defect affecting Widevine DRM components and nine vulnerabilities delivered through Google Play system updates.

The second patch includes fixes for three vulnerabilities affecting the kernel, three Arm components defects, 10 Imagination Technologies bugs and four vulnerabilities affecting MediaTek components. The update also addresses 32 vulnerabilities affecting Qualcomm components, including 27 closed-source components. 

Three of the vulnerabilities affecting Qualcomm’s proprietary components — CVE-2025-21450, CVE-2025-21483 and CVE-2025-27034 — are designated as critical.

Google said source code patches for all vulnerabilities addressed in this month’s security update will be released to the Android Open Source Project repository by Thursday.

The post Google patches two Android zero-days, 120 defects total in September security update appeared first on CyberScoop.

Google To Require Identity Verification for All Android App Developers by 2027

By: msmash
25 August 2025 at 13:25
Google will require identity verification for all Android app developers, including those distributing apps outside the Play Store, starting September 2026 in Brazil, Indonesia, Singapore, and Thailand before expanding globally through 2027. Developers must register through a new Android Developer Console beginning March 2026. The requirement applies to certified Android devices running Google Mobile Services. Google cited malware prevention as the primary motivation, noting sideloaded apps contain 50 times more malware than Play Store apps. Hobbyist and student developers will receive separate account types. Developer information submitted to Google will not be displayed to users.


Will Google's 'Battery Health Assistant' Throttle Your Pixel 10's Battery?

23 August 2025 at 23:34
"Google has confirmed that its Battery Health Assistance feature can't be turned off on the Pixel 10 phones," reports Android Authority: Google introduced a Battery Health Assistance feature on the Pixel 9a earlier this year. This feature gradually drops your phone's charging speed and battery voltage in the name of battery health. This tool is mandatory on the Pixel 9a but optional on other Pixel phones. However, there's bad news for the Pixel 10 series. Google confirmed to Android Authority that Battery Health Assistance is mandatory on the Pixel 10 series and can't be disabled. That means your phone's charging speed and effective battery life will drop over time... All smartphone batteries degrade over time, resulting in shorter and shorter endurance. Google says the Pixel 8a and newer Pixel phones can withstand 1,000 charging cycles before their batteries drop down to 80% effective capacity. However, this Battery Health Assistance feature essentially reduces the phone's battery capacity over and above standard degradation. This is particularly disappointing as users aren't given a choice in the matter. It's also disappointing as some rival smartphone makers address battery health concerns by offering more durable batteries. For example, Samsung's top phones can withstand 2,000 charging cycles before dropping down to 80% effective capacity, while OnePlus and OPPO's lithium-ion batteries offer 1,600 cycles before reaching 80% capacity. So there likely wouldn't be a need for a Battery Health Assistance tool if Google's batteries had similar longevity. "The issue also comes after several older Pixel A series models suffered from major battery issues in 2025..."


Google's Next Big Android Update Can Force Dark Mode and Icon Themes

By: BeauHD
21 August 2025 at 19:00
Google's Android 16 QPR2 beta 1 is rolling out with new customization features, including the ability to force dark mode and icon themes on apps that don't support them. The update also adds enhanced parental controls, better data migration, PDF editing, and Bluetooth audio sharing, with a full release expected in December. The Verge reports: The beta includes a new dark theme option that will "intelligently invert the UI of apps that appear light despite users having selected the dark theme" when enabled, according to Google's announcement, forcibly making apps that don't natively support the feature to appear darker. Google says this is "largely intended as an accessibility feature" for users with low vision or photosensitivity, and will also automatically darken app splash screens and adjust status bar colors to match the darker theming. Another feature will allow users to forcibly apply themed icon colors to apps that don't natively support them. Android's icon theming currently only works if app developers have provided a monochrome version of their app icon that can be adjusted, which is annoying for users who want to apply a consistent aesthetic across their entire home page. Auto-themed app icons spare developers from adding this capability manually, removing the hassle for users to customize their phone's theme. The full list of features in the QPR2 beta 1 update can be found on the Android developers' blog.


Google addresses six vulnerabilities in August’s Android security update

4 August 2025 at 17:31

Google addressed six vulnerabilities affecting Android devices in its August security update, continuing a months-long lull in the number of software defects disclosed and patched in the mobile operating system this summer.

The company issued no security patches in its update last month. By contrast, monthly Android security bulletins typically address dozens of vulnerabilities: Google’s Android security update covered 34 vulnerabilities in June, 47 defects in May, 62 in April and 43 in March.

The summer lull means Android partners and users have had a temporary respite from the usual volume of vulnerabilities. Google notifies Android partners of all software defects affecting the mobile operating system at least a month before public disclosure.

Google said the most severe defect in this month’s security update — CVE-2025-48530 — is a critical remote code execution vulnerability in the Android system that doesn’t require user interaction or additional execution privileges for exploitation. 

The advisory also addressed two high-severity vulnerabilities — CVE-2025-22441 and CVE-2025-48533 — affecting the Android framework. Google said user interaction and additional privileges aren’t required to exploit the elevation of privilege defects.

None of the vulnerabilities addressed in this month’s security update are under active exploitation, according to Google. The company hasn’t included an actively exploited defect in its monthly batch of patches since May.

The Android security update contains two patch levels — 2025-08-01 and 2025-08-05 — allowing Android partners to address common vulnerabilities on different devices.

The second patch includes fixes for a high-severity vulnerability affecting Arm components and two vulnerabilities in Qualcomm components.

Third-party Android device manufacturers release security patches on their own schedule after they’ve customized operating system updates for their specific hardware.

Google said source code patches for all six vulnerabilities addressed in this month’s security update will be released to the Android Open Source Project repository by Wednesday.
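Both the September bulletin (patch levels 2025-09-01 and 2025-09-05, described above) and this August bulletin (2025-08-01 and 2025-08-05) follow the same convention: the YYYY-MM-05 level includes every fix in the YYYY-MM-01 level plus the kernel and vendor (Arm, Qualcomm, MediaTek, Imagination) fixes, and any later month’s level includes all earlier months’ fixes. A device reports its level in the system property `ro.build.version.security_patch`. The script below is an added example, not Google’s tooling; it turns that convention into a check you can run against an attached device or a fleet inventory. The CVE-to-level table uses only placements stated in the September article (CVE-2025-48539 in the first level; the three critical Qualcomm CVEs in the second); anything else must be taken from the bulletin itself, and the fallback level used when no device is attached is constructed.

```python
"""Check whether a device's Android security patch level covers given fixes (added example)."""
import subprocess
from datetime import date
from typing import Dict, List

# CVE -> earliest patch level that carries the fix. Only placements stated in the
# September article are listed here; extend from the bulletin for other CVEs.
REQUIRED_LEVEL: Dict[str, str] = {
    "CVE-2025-48539": "2025-09-01",  # critical RCE in System, first patch level
    "CVE-2025-21450": "2025-09-05",  # critical, Qualcomm closed-source, second patch level
    "CVE-2025-21483": "2025-09-05",
    "CVE-2025-27034": "2025-09-05",
}


def parse_level(level: str) -> date:
    """Parse 'YYYY-MM-DD' as reported by ro.build.version.security_patch."""
    y, m, d = (int(x) for x in level.strip().split("-"))
    return date(y, m, d)


def covers(device_level: str, required_level: str) -> bool:
    """True if a device at device_level has every fix in required_level.

    Works because each level is a superset of all earlier levels, so a plain
    date comparison is the bulletin's own rule ("2025-09-05 or later").
    """
    return parse_level(device_level) >= parse_level(required_level)


def missing_fixes(device_level: str, required: Dict[str, str] = REQUIRED_LEVEL) -> List[str]:
    """CVEs from `required` that the device's patch level does not cover."""
    return sorted(cve for cve, lvl in required.items() if not covers(device_level, lvl))


def device_level() -> str:
    """Read the patch level from an attached device via adb."""
    out = subprocess.run(
        ["adb", "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    try:
        level = device_level()
    except (FileNotFoundError, subprocess.CalledProcessError):
        level = "2025-09-01"  # constructed fallback when no adb/device is available
    print(f"device patch level: {level}")
    print("missing:", ", ".join(missing_fixes(level)) or "none of the listed CVEs")
```

A device at 2025-09-01 therefore still lacks the three critical Qualcomm fixes, while a device that has moved on to a later month’s first level already carries everything from 2025-09-05; that is the distinction to keep in mind when a vendor advertises the earlier of the two levels.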

The post Google addresses six vulnerabilities in August’s Android security update appeared first on CyberScoop.

On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.

By: Dissent
6 July 2025 at 09:21
Lena of Tuta writes: Gemini AI needs to be disabled on Android or it will override your privacy settings and gain full access to your texts, calls, and WhatsApp – even if you’ve turned off Gemini Apps Activity. But what does this Android update really mean, and how can you stop it? Let’s take a...

Don’t want Google handling your text messages? Here’s the fix.

30 June 2025 at 03:45
ISSUE 22.26 • 2025-06-30 PUBLIC DEFENDER By Brian Livingston Millions of Android smartphone users worldwide received an unpleasant surprise last month. The text-messaging app they’d long been using had been unceremoniously replaced during a seemingly routine update. Their usual texting vehicle was deep-sixed by Google Messages, […]

How to Root Android Phones

By: BHIS
23 April 2025 at 10:06

This blog will cover how to root an AVD emulator and a physical Pixel 6. But before we cover those topics, let's cover what rooting is, what we will be doing, and some of the pros and cons of rooting an Android phone.

The post How to Root Android Phones appeared first on Black Hills Information Security, Inc..

China-based SMS Phishing Triad Pivots to Banks

10 April 2025 at 11:31

China-based purveyors of SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google. Until recently, the so-called “Smishing Triad” mainly impersonated toll road operators and shipping companies. But experts say these groups are now directly targeting customers of international financial institutions, while dramatically expanding their cybercrime infrastructure and support staff.

An image of an iPhone device farm shared on Telegram by one of the Smishing Triad members. Image: Prodaft.

If you own a mobile device, the chances are excellent that at some point in the past two years you’ve received at least one instant message that warns of a delinquent toll road fee, or a wayward package from the U.S. Postal Service (USPS). Those who click the promoted link are brought to a website that spoofs the USPS or a local toll road operator and asks for payment card information.

The site will then complain that the visitor’s bank needs to “verify” the transaction by sending a one-time code via SMS. In reality, the bank is sending that code to the mobile number on file for their customer because the fraudsters have just attempted to enroll that victim’s card details into a mobile wallet.

If the visitor supplies that one-time code, their payment card is then added to a new mobile wallet on an Apple or Google device that is physically controlled by the phishers. The phishing gangs typically load multiple stolen cards to digital wallets on a single Apple or Android device, and then sell those phones in bulk to scammers who use them for fraudulent e-commerce and tap-to-pay transactions.

A screenshot of the administrative panel for a smishing kit. On the left is the (test) data entered at the phishing site. On the right we can see the phishing kit has superimposed the supplied card number onto an image of a payment card. When the phishing kit scans that created card image into Apple or Google Pay, it triggers the victim’s bank to send a one-time code. Image: Ford Merrill.

The moniker “Smishing Triad” comes from Resecurity, which was among the first to report in August 2023 on the emergence of three distinct mobile phishing groups based in China that appeared to share some infrastructure and innovative phishing techniques. But it is a bit of a misnomer because the phishing lures blasted out by these groups are not SMS or text messages in the conventional sense.

Rather, they are sent via iMessage to Apple device users, and via RCS on Google Android devices. Thus, the missives bypass the mobile phone networks entirely and enjoy near 100 percent delivery rate (at least until Apple and Google suspend the spammy accounts).

In a report published on March 24, the Swiss threat intelligence firm Prodaft detailed the rapid pace of innovation coming from the Smishing Triad, which it characterizes as a loosely federated group of Chinese phishing-as-a-service operators with names like Darcula, Lighthouse, and the Xinxin Group.

Prodaft said they’re seeing a significant shift in the underground economy, particularly among Chinese-speaking threat actors who have historically operated in the shadows compared to their Russian-speaking counterparts.

“Chinese-speaking actors are introducing innovative and cost-effective systems, enabling them to target larger user bases with sophisticated services,” Prodaft wrote. “Their approach marks a new era in underground business practices, emphasizing scalability and efficiency in cybercriminal operations.”

A new report from researchers at the security firm SilentPush finds the Smishing Triad members have expanded into selling mobile phishing kits targeting customers of global financial institutions like CitiGroup, MasterCard, PayPal, Stripe, and Visa, as well as banks in Canada, Latin America, Australia and the broader Asia-Pacific region.

Phishing lures from the Smishing Triad spoofing PayPal. Image: SilentPush.

SilentPush found the Smishing Triad now spoofs recognizable brands in a variety of industry verticals across at least 121 countries and a vast number of industries, including the postal, logistics, telecommunications, transportation, finance, retail and public sectors.

According to SilentPush, the domains used by the Smishing Triad are rotated frequently, with approximately 25,000 phishing domains active during any 8-day period and a majority of them sitting at two Chinese hosting companies: Tencent (AS132203) and Alibaba (AS45102).

“With nearly two-thirds of all countries in the world targeted by [the] Smishing Triad, it’s safe to say they are essentially targeting every country with modern infrastructure outside of Iran, North Korea, and Russia,” SilentPush wrote. “Our team has observed some potential targeting in Russia (such as domains that mentioned their country codes), but nothing definitive enough to indicate Russia is a persistent target. Interestingly, even though these are Chinese threat actors, we have seen instances of targeting aimed at Macau and Hong Kong, both special administrative regions of China.”

SilentPush’s Zach Edwards said his team found a vulnerability that exposed data from one of the Smishing Triad’s phishing pages, which revealed the number of visits each site received each day across thousands of phishing domains that were active at the time. Based on that data, SilentPush estimates those phishing pages received well more than a million visits within a 20-day time span.

The report notes the Smishing Triad boasts it has “300+ front desk staff worldwide” involved in one of their more popular phishing kits — Lighthouse — staff that is mainly used to support various aspects of the group’s fraud and cash-out schemes.

The Smishing Triad members maintain their own Chinese-language sales channels on Telegram, which frequently offer videos and photos of their staff hard at work. Some of those images include massive walls of phones used to send phishing messages, with human operators seated directly in front of them ready to receive any time-sensitive one-time codes.

As noted in February’s story How Phished Data Turns Into Apple and Google Wallets, one of those cash-out schemes involves an Android app called Z-NFC, which can relay a valid NFC transaction from one of these compromised digital wallets to anywhere in the world. For a $500-a-month subscription, the customer can wave their phone at any payment terminal that accepts Apple Pay or Google Pay, and the app will relay an NFC transaction over the Internet from a stolen wallet on a phone in China.

Chinese nationals were recently busted trying to use these NFC apps to buy high-end electronics in Singapore. And in the United States, authorities in California and Tennessee arrested Chinese nationals accused of using NFC apps to fraudulently purchase gift cards from retailers.

The Prodaft researchers said they were able to find a previously undocumented backend management panel for Lucid, a smishing-as-a-service operation tied to the XinXin Group. The panel included victim figures that suggest the smishing campaigns maintain an average success rate of approximately five percent, with some domains receiving over 500 visits per week.

“In one observed instance, a single phishing website captured 30 credit card records from 550 victim interactions over a 7-day period,” Prodaft wrote.

Prodaft’s report details how the Smishing Triad has achieved such success in sending their spam messages. For example, one phishing vendor appears to send out messages using dozens of Android device emulators running in parallel on a single machine.

Phishers using multiple virtualized Android devices to orchestrate and distribute RCS-based scam campaigns. Image: Prodaft.

According to Prodaft, the threat actors first acquire phone numbers through various means including data breaches, open-source intelligence, or purchased lists from underground markets. They then exploit technical gaps in sender ID validation within both messaging platforms.

“For iMessage, this involves creating temporary Apple IDs with impersonated display names, while RCS exploitation leverages carrier implementation inconsistencies in sender verification,” Prodaft wrote. “Message delivery occurs through automated platforms using VoIP numbers or compromised credentials, often deployed in precisely timed multi-wave campaigns to maximize effectiveness.”

In addition, the phishing links embedded in these messages use time-limited single-use URLs that expire or redirect based on device fingerprinting to evade security analysis, they found.

“The economics strongly favor the attackers, as neither RCS nor iMessage messages incur per-message costs like traditional SMS, enabling high-volume campaigns at minimal operational expense,” Prodaft continued. “The overlap in templates, target pools, and tactics among these platforms underscores a unified threat landscape, with Chinese-speaking actors driving innovation in the underground economy. Their ability to scale operations globally and evasion techniques pose significant challenges to cybersecurity defenses.”

Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill said he’s observed at least one video of a Windows binary that wraps a Chrome executable and can be used to load in target phone numbers and blast messages via RCS, iMessage, Amazon, Instagram, Facebook, and WhatsApp.

“The evidence we’ve observed suggests the ability for a single device to send approximately 100 messages per second,” Merrill said. “We also believe that there is capability to source country specific SIM cards in volume that allow them to register different online accounts that require validation with specific country codes, and even make those SIM cards available to the physical devices long-term so that services that rely on checks of the validity of the phone number or SIM card presence on a mobile network are thwarted.”

Experts say this fast-growing wave of card fraud persists because far too many financial institutions still default to sending one-time codes via SMS for validating card enrollment in mobile wallets from Apple or Google. KrebsOnSecurity interviewed multiple security executives at non-U.S. financial institutions who spoke on condition of anonymity because they were not authorized to speak to the press. Those banks have since done away with SMS-based one-time codes and are now requiring customers to log in to the bank’s mobile app before they can link their card to a digital wallet.

Arrests in Tap-to-Pay Scheme Powered by Phishing

21 March 2025 at 15:12

Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay transactions from mobile devices located in China.

Image: WLVT-8.

Authorities in Knoxville, Tennessee last week said they arrested 11 Chinese nationals accused of buying tens of thousands of dollars worth of gift cards at local retailers with mobile wallets created through online phishing scams. The Knox County Sheriff’s office said the arrests are considered the first in the nation for a new type of tap-to-pay fraud.

Responding to questions about what makes this scheme so remarkable, Knox County said that while it appears the fraudsters are simply buying gift cards, in fact they are using multiple transactions to purchase various gift cards and are plying their scam from state to state.

“These offenders have been traveling nationwide, using stolen credit card information to purchase gift cards and launder funds,” Knox County Chief Deputy Bernie Lyon wrote. “During Monday’s operation, we recovered gift cards valued at over $23,000, all bought with unsuspecting victims’ information.”

Asked for specifics about the mobile devices seized from the suspects, Lyon said “tap-to-pay fraud involves a group utilizing Android phones to conduct Apple Pay transactions utilizing stolen or compromised credit/debit card information,” [emphasis added].

Lyon declined to offer additional specifics about the mechanics of the scam, citing an ongoing investigation.

Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill said there aren’t many valid use cases for Android phones to transmit Apple Pay transactions. That is, he said, unless they are running a custom Android app that KrebsOnSecurity wrote about last month as part of a deep dive into the operations of China-based phishing cartels that are breathing new life into the payment card fraud industry (a.k.a. “carding”).

How are these China-based phishing groups obtaining stolen payment card data and then loading it onto Google and Apple phones? It all starts with phishing.

If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the U.S. Postal Service to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.

These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or “smishing” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the Apple iMessage service and through RCS, the functionally equivalent technology on Google phones.

People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution in response to a request by the fraudsters to link the phished card data to a mobile wallet.

If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control. These phones are then loaded with multiple stolen wallets (often 5 to 10 per device) and sold in bulk to scammers on Telegram.
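The flow above, and the fix the earlier article attributes to several non-U.S. banks (requiring a login to the bank's own app before a card can be linked to a wallet), can be laid side by side in code. The following is an added example, not the code of any bank, Apple or Google: a constructed model of a bank's provisioning approval under the weak SMS one-time-code policy and under the hardened in-app policy, replayed against the phisher-relays-the-code scenario. The class and field names, the enrolled-device table, the five-minute code lifetime and the assumption that in-app provisioning loads the card onto the same device that holds the authenticated session are all assumptions.

```python
"""
Constructed model of two wallet-provisioning approval policies.
Added example, not any real bank's, Apple's or Google's code; names, table
contents and the relay scenario below are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

OTP_LIFETIME_SECONDS = 5 * 60   # assumed: provisioning codes are good for a few minutes


@dataclass
class ProvisioningRequest:
    card_last4: str
    wallet_device_id: str                        # handset onto which the wallet wants to load the card
    otp_entered: Optional[str] = None            # code typed into the bank's SMS-OTP check
    app_session_device_id: Optional[str] = None  # device holding an authenticated bank-app session


class Bank:
    def __init__(self) -> None:
        # card -> devices the customer previously enrolled in the bank app (constructed data)
        self.enrolled_devices: Dict[str, Set[str]] = {"4242": {"victim-phone"}}
        self.pending_otps: Dict[str, Tuple[str, float]] = {}

    def send_sms_otp(self, card_last4: str, now: float) -> str:
        """Text a code to the cardholder's registered number. The bank only knows that a
        wallet asked to add this card; it cannot see who is driving that wallet."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otps[card_last4] = (code, now)
        return code

    def approve_with_sms_otp(self, req: ProvisioningRequest, now: float) -> bool:
        """Weak policy: a valid, unexpired code approves provisioning onto ANY device.
        A victim who reads the code back to a phishing page hands over the approval."""
        pending = self.pending_otps.pop(req.card_last4, None)   # single use
        if pending is None:
            return False
        code, issued_at = pending
        if now - issued_at > OTP_LIFETIME_SECONDS:
            return False
        return hmac.compare_digest(code, req.otp_entered or "")

    def approve_with_app_login(self, req: ProvisioningRequest) -> bool:
        """Hardened policy: the add-to-wallet action must originate from an authenticated
        bank-app session on a device the customer already enrolled, and the card goes
        only to the wallet on that same device (assumption about in-app provisioning).
        No code is shown to the customer, so there is nothing to phish and relay."""
        session_dev = req.app_session_device_id
        if session_dev is None:
            return False
        return (session_dev in self.enrolled_devices.get(req.card_last4, set())
                and session_dev == req.wallet_device_id)


def simulate_phish_relay(bank: Bank, now: float) -> Tuple[bool, bool]:
    """Replay the flow in the text: the phisher's handset asks to add the phished card,
    the bank texts the victim, the victim types the code into the fake 'verification'
    page, the phisher submits it. Returns (sms_policy_result, app_policy_result)."""
    phished_card = "4242"
    code_texted_to_victim = bank.send_sms_otp(phished_card, now)
    code_relayed_by_victim = code_texted_to_victim        # victim "verifies" on the phishing site
    req = ProvisioningRequest(
        card_last4=phished_card,
        wallet_device_id="phisher-phone-17",              # one of the bulk-sold handsets
        otp_entered=code_relayed_by_victim,
        app_session_device_id=None,                       # phisher holds no bank-app session
    )
    sms_ok = bank.approve_with_sms_otp(req, now + 90)     # relayed well within the code's lifetime
    app_ok = bank.approve_with_app_login(req)
    return sms_ok, app_ok


def legitimate_in_app_add(bank: Bank) -> bool:
    """The real customer, logged in on the enrolled phone, adds the card to that phone's wallet."""
    req = ProvisioningRequest(card_last4="4242", wallet_device_id="victim-phone",
                              app_session_device_id="victim-phone")
    return bank.approve_with_app_login(req)


if __name__ == "__main__":
    print("relay under SMS-OTP policy / in-app policy:", simulate_phish_relay(Bank(), 1_700_000_000.0))
    print("genuine in-app add:", legitimate_in_app_add(Bank()))
```

The code check in the weak policy is not what fails; it is correct and constant-time. What it cannot do is tell whose hands the code passed through, which is exactly the gap the phishing page exploits. Binding approval to an authenticated session on a device the customer already enrolled removes the shared secret the victim could be talked into repeating.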

An image from the Telegram channel for a popular Chinese smishing kit vendor shows 10 mobile phones for sale, each loaded with 5-7 digital wallets from different financial institutions.

Merrill found that at least one of the Chinese phishing groups sells an Android app called “Z-NFC” that can relay a valid NFC transaction to anywhere in the world. The user simply waves their phone at a local payment terminal that accepts Apple Pay or Google Pay, and the app relays an NFC transaction over the Internet from a phone in China that holds one of the stolen wallets.

“I would be shocked if this wasn’t the NFC relay app,” Merrill said, concerning the arrested suspects in Tennessee.

Merrill said the Z-NFC software can work from anywhere in the world, and that one phishing gang offers the software for $500 a month.

“It can relay both NFC enabled tap-to-pay as well as any digital wallet,” Merrill said. “They even have 24-hour support.”

On March 16, ABC10, the ABC affiliate in Sacramento, Calif., aired a segment about two Chinese nationals who were arrested after using an app to run stolen credit cards at a local Target store. The news story quoted investigators saying the men were trying to buy gift cards using a mobile app that cycled through more than 80 stolen payment cards.

ABC10 reported that while most of those transactions were declined, the suspects still made off with $1,400 worth of gift cards. After their arrests, both men reportedly admitted that they were being paid $250 a day to conduct the fraudulent transactions.

Merrill said it’s not unusual for fraud groups to advertise this kind of work on social media networks, including TikTok.

A CBS News story on the Sacramento arrests said one of the suspects tried to use 42 separate bank cards, but that 32 were declined. Even so, the man still was reportedly able to spend $855 in the transactions.

Likewise, the suspect’s alleged accomplice tried 48 transactions on separate cards, finding success 11 times and spending $633, CBS reported.

“It’s interesting that so many of the cards were declined,” Merrill said. “One reason this might be is that banks are getting better at detecting this type of fraud. The other could be that the cards were already used and so they were already flagged for fraud even before these guys had a chance to use them. So there could be some element of just sending these guys out to stores to see if it works, and if not they’re on their own.”

Merrill’s investigation into the Telegram sales channels for these China-based phishing gangs shows their phishing sites are actively manned by fraudsters who sit in front of giant racks of Apple and Google phones that are used to send the spam and respond to replies in real time.

In other words, the phishing websites are powered by real human operators as long as new messages are being sent. Merrill said the criminals appear to send only a few dozen messages at a time, likely because completing the scam takes manual work by the human operators in China. After all, most one-time codes used for mobile wallet provisioning are generally only good for a few minutes before they expire.

For more on how these China-based mobile phishing groups operate, check out How Phished Data Turns Into Apple and Google Wallets.

The ashtray says: You’ve been phishing all night.
