The TikTok application before 23.8.4 for Android allows account takeover. A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website. This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click.

**Report security vulnerabilities**

****Report Security Vulnerabilities****

  
TikTok's mission is to inspire creativity and bring joy. The security and health of our platform closely tie to this mission. If things aren't working properly on TikTok, our dedicated security team is ready to respond and resolve those issues. In addition to our team of experienced security professionals and industry-leading security technologies, we rely on, and value, external input that flag technical security bugs on our platform. With that in mind, we have defined a set of policies to guide our external partners on properly reporting vulnerabilities. We welcome your input and appreciate your efforts to safeguard TikTok.

**

**Vulnerability Reporting Policy**

**

       •  For questions, concerns, or issues with your profile, please click here.  
       •  For questions, concerns, or issues with TikTok's privacy policy or fraud, please click here.  
       •  If someone is misusing your brand, contact us.

If you believe you have discovered a security bug or vulnerability on the TikTok app or website, please submit your report here. You will be redirected to the website of HackerOne, our trusted security bug bounty partner. HackerOne provides more information on submission guidelines and will allow you to submit a report.

TikTok follows a Coordinated Disclosure Policy. Please refer to the **Disclosure and Confidentiality Policy** defined in TikTok HackerOne Policy for more details.

**

**Guidelines**

**

  
Please visit the **Program Rules and Guidelines** section in TikTok HackerOne Policy for details.

**

**Frequently Asked Questions (FAQ)**

**

**What type of issues are considered security vulnerabilities and should be reported?**

Issues regarding technical security bugs affecting TikTok should be reported here. Issues include, but are not limited to the following:  
       •  XSS, CSRF, SSRF , SQL Injection, ROP, JOP, etc.       •  Leaked or hard coded sensitive credentials       •  Exploitable and dangerous APIs.  
       •  Control flow hijacking attacks  
       •  User data leaks  
       •  Issues listed in the OWASP Top Ten for Web Apps  
       •  Issues listed in the OWASP Top Ten for Mobile Apps  
       •  Authentication or authorization vulnerabilities  
       •  Access to internal TikTok resources like backend source code, database, etc.  
       •  Open redirect - if an additional security impact can be demonstrated  
       •  Anti-Automation security bypasses or lack of rate limiting on authenticated endpoints  
       •  Using the TikTok application for privilege escalation to attack the mobile operating system  
       •  Arbitrary code execution on TikTok servers/clients

**Is there a reward, bounty or CVE for confirmed vulnerabilities?**

Please visit **Rewards** & **Not Eligible for Reward** sections in TikTok HackerOne Policy for more details about bounty.

**How much time is needed before I can publish my findings?**

We request that security researchers follow the **Disclosure and Confidentiality Policy** defined in TikTok HackerOne Policy.

**Which web domains are within scope for TikTok?**

Please visit **In Scope** section in TikTok HackerOne Policy for details.

**How can I be notified that a security issue I've reported is being investigated?**

The security issues reported will be evaluated based on criticality and business priority and go through our investigation triage pipeline accordingly. We will keep you informed of the progress of the case to the best of our ability.

**Was this helpful?**

**Helpful links**

Creating an account

Setting up your profile

Creating a TikTok Video

CVE-2022-28799: Report security vulnerabilities | TikTok Help Center

LinkPlay Sound Bar v1.0 allows attackers to escalate privileges via a hardcoded password for the SSL certificate.

From: Lifeng Zhao <lifeng.zhao@linkplay.com> Sent: Sunday, December 12, 2021 5:03 PM To: Hidden Subject: Re: Security Vulnerability \*\*\* The Answer \*\*\* Hi Ohana, Thank you very much for your detailed report on the security vulnerability. It's super helpful and important to us. We'll take the immediate action to fix this. Thank you again for your great support. Best, Lifeng From: Hidden Date: 2021-12-12 21:24 To: security@linkplay.com Subject: Security Vulnerability \*\*\* The vulnerability \*\*\* Bug Type: Hard-coded secret key Impact: RCE, Supply chain attack Platforms: IOS + Android applications Our lab team has reviewed your product from a security perspective and noticed a few security issues that you should be aware of (technical details provided below). It is important to note that CyberArk Labs follow the security industry standard disclosure policy. We allow 90 days for the issues to be fixed/patched/mitigated. CyberArk Labs reserves the right to publicly disclose all information about the issues after this timeframe. We would be happy to share any additional information and to cooperate with you in mitigating the issue in a timely fashion. Summary: We can access an admin user in the Artifactory JFrog system, through which you can manage all the code of the applications and change it. As a result, we can change the application code across multiple tenants, ending with full RCE over every app. It is important to note, however, that both Android and IOS applications suffer from these vulnerabilities In details: We found the API key for admin and the password of the SSL client certificate have been hardcoded and stored on the application SoundBar (com.wifiaudio.Yamaha). To exploit this, you can add the API key to each request sent to the server. 1.Within the SoundBar application, we found the password of certificate\_new\_encrypted.p12 SSL certificate file. Using this certificate, we can communicate with the Soundbar device on port 443. Besides that, we found that the file is encoded with the XOR operator with the number 2. Therefore, it is simple to overcome the encoding. As a result, we can communicate with HTTPS requests with the device. 2. Also, we found that the application sends logs to the URL https://log.linkplay.com:8081/artifactory/Android/logs with the header "X-JFrog-Art-Api, and the API key AKCp5bB…. We discovered this API key is the key of the admin user in the system. This is a major security concern because every malicious user can access the JFrog artifactory with full admin access. In other words, a malicious user can corrupt the repository and cause clients to download malicious applications. 3.Moreover, we noticed that the JFROG version (6.2.0) is not up-to-date. The latest version is (7.10.2). Thus, it is vulnerable to the following CVEs: 1. CVE-2020-7931 2. From the frog website Lastly, we found the vulnerability (the admin API key) in many applications. Below are some links to several apps: ·https://play.google.com/store/apps/details?id=com.medion.speaker ·https://play.google.com/store/apps/details?id=com.wifiaudio.Yamaha ·https://play.google.com/store/apps/details?id=com.wifiaudio.triangle ·https://play.google.com/store/apps/details?id=com.wifiaudio.cavalier ·https://play.google.com/store/apps/details?id=com.wifiaudio.jam ·https://play.google.com/store/apps/details?id=com.wifiaudio.FABRIQ ·https://play.google.com/store/apps/details?id=com.zoundindustries.marshallvoice ·https://play.google.com/store/apps/details?id=com.dpiinc.ISBWV418B ·https://play.google.com/store/apps/details?id=com.ihome.ama ·https://play.google.com/store/apps/details?id=com.wifiaudio.iHome ·https://play.google.com/store/apps/details?id=com.wifiaudio.Creative

CVE-2022-28605: hardcoded on LinkPlay app

Responsive Online Blog v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at single.php.

Submitted by donbermoy on Thursday, February 4, 2021 - 10:41.

This is a **Responsive Online Blogging Site** using **PHP/MySQL** that I did in my previous years as a project to my client for his Thesis/Capstone Project. I may say that this is a responsive web application because it has a lot of features such as calculating the views coming from the guests, embedded a map, and many more features.

The online site has an admin panel where published blogs, categories, drafts, web details, links, editor's choice, and the admin stats. The admin can also post his desired blog of the day and well as managing it also.

Just like other **Blogging sites**, this project offers users to read blogs of various categories. From the admin panel, he/she can add categories, manage posts and delete categories. The layout is pretty similar to WordPress blogging theme. Here, the site administrator can add a number of posts according to the categories they want and the blogs can also be viewed by selecting a certain category. The design of this project is simple and the user won’t find it difficult to understand, use and navigate.

****Features****

**Admin**

*   **Manage Blog Categories**
*   **Manage Blogs**
*   **Manage Website Details**
*   **Manage Editors Choice Contents**
*   **Admin Statistic Report**

**Website**

*   **Mobile Responsive Design**
*   **Home Page**
*   **Blog List**
*   **Display Website Information**
*   **Author Registration**
*   **View Blog Content**

****How to Run****

Just follow all the instructions to run it smoothly.

**Requirements:**

*   **Download** and **Install** any **local web server** such as **XAMPP/WAMP.**
*   **Download** and **Extract** the provided source code **zip** file. (download button is located below)

**Installation**

*   **Open** your **XAMPP/WAMP's Control Panel** and start the **"Apache"** and **"MySQL"**.
*   If you using **XAMPP**, **copy** the extracted folder and **paste** it into the xampp's **"htdocs" directory** (C:\\xampp\\htdocs). And if you are using **WAMP**, **paste** it inside the **"www" directory**.
*   **Locate** the **SQL file** from the source code folder. The file is known as **"blog\_admin\_db.sql"** and located inside the **"databasefile" directory.**
*   **Open** a web browser and browse the **PHPMyAdmin**. (http://localhost/phpmyadmin)
*   **Create** a new **database** naming **"blog\_admin\_db"**.
*   **Import** the **SQL** file in your **newly created database**.
*   Open a web browser and browse the web application. **(http://localhost/resblog)**

**You can access this system using the following accounts**

*   Username: **admin**
*   Password: **admin**

**Installation DEMO**

That's it you can now test the Blog Site project. I hope this will help you with what you are looking for.

**Enjoy Coding :)**

**Engr. Lyndon R. Bermoy**  
IT Instructor/System Developer/Android Developer  
Mobile: 09079373999  
Telephone: 826-9296  
E-mail:\[email protected\]

Visit and like my page on Facebook at Bermz ISware Solutions

Subscribe to my YouTube Channel at SerBermz

Visit my website at CampCodes

*   28655 views

CVE-2022-29659: Responsive Online Blog Website using PHP/MySQL with Source Code

In Afian Filerun 20220202 Changing the "search_tika_path" variable to a custom (and previously uploaded) jar file results in remote code execution in the context of the webserver user.

CVE-2022-30470: FileRun - Selfhosted File Manager with Sharing and Backup for Photos, Docs & More

An issue was discovered in FlightRadar24 v8.9.0, v8.10.0, v8.10.2, v8.10.3, v8.10.4 for Android, allows attackers to cause unspecified consequences due to being able to decompile a local application and extract their API keys.

**CVE-2021–43512:**

An issue was discovered in FlightRadar24 v8.9.0, v8.10.0, v8.10.2, v8.10.3, v8.10.4 for Android, allows attackers to cause unspecified consequences due to being able to decompile a local application and extract their API keys.

The issue was discovered by **Janmejaya Swain**(https://www.linkedin.com/in/janmejayaswainofficial) which is me 😅 by the way. Now the issue has been fixed properly by application team.

I don't have permission to disclose that vulnerability. As that issue was very sensitive for that organization. So I’m not disclosing about that vulnerability.

CVE-2021-43512: Advisory of CVE-2021–43512 - Janmejaya Swain - Medium

The info-stealing trojan used SMS messages and lifted contact credentials to spread with unprecedented speed across Android devices globally since December 2020.

The info-stealing trojan used SMS messages and lifted contact credentials to spread with unprecedented speed across Android devices globally since December 2020.

International law enforcement has taken down the infrastructure behind Flubot, a nasty piece of malware which had been spreading with unprecedented speed across Android devices globally since December 2020.

Europol revealed Wednesday that a collaboration between law enforcement in 11 countries led to the disruption of the Flubot network in early May by Dutch Police, or Politie, “rendering this strain of malware inactive,” according to the agency.

Law enforcement authorities of Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands and the United States, coordinated by Europol’s European Cybercrime Centre (EC3), participated in the effort.

Specifically, EC3 teamed with national investigators in affected countries to establish a joint strategy and provided digital forensic support, as well as facilitated the exchange of operational information across various national entities, the agency said.

The international law-enforcement team will continue to seek the individuals behind the campaign, who are still at large, according to Europol.

****Spreading Like Wildfire****

Flubot spread via text messages that baited Android users into clicking on a link and installing an application to track to a package delivery or listen to a fake voicemail message. These malicious links installed the FluBot trojan, which then asked for permissions on the device that led to a variety of nefarious and fraudulent behavior.

While FluBot acted like a typical trojan—stealing various credentials to banking apps or cryptocurrency accounts and disabling built-in security–its operators used unique methods to ensure the malware spread like wildfire.

Once installed on a device, Flubot would access a user’s contact list and begin sending new messages to everyone on the list, creating a dynamic, viral effect that transcended time zones or regions, researchers from BitDefender observed in January.

“These threats survive because they come in waves with different messages and in different time zones,” they wrote in a report published at the time. “While the malware itself remains pretty static, the message used to carry it, the domains that host the droppers, and everything else is constantly changing.”

This feature is what allowed Flubot’s operators to quickly change targets and other malware features on the fly, which broadened their attack surface from geographical regions as disparate as New Zealand and Finland in a flash, researchers noted.

****Changing Tactics and Sharing Networks****

In addition to using targets’ own contact lists to propagate the malware, Flubot operators employed some unique and creative tactics to try to dupe Android users into downloading the trojan and even teamed up with another mobile threat during its global campaign.

Last October, Flubot used a fake security warning trying to trick users into thinking they’d already been infected with Flubot to get them to click on a fake security update spread via SMS. The unique tactic was used in a campaign against Android users in New Zealand.

Several months later in February of this year, Flubot hitched its infrastructure wagon up to another mobile threat known as Medusa, a mobile banking trojan that can gain near-complete control over a user’s device, researchers from ThreatFabric discovered. The partnership resulted in high-volume, side-by-side global malware campaigns.

Indeed, even with Flubot out of the picture, there are still a number of threats of which Android users need to be wary. An IoT malware that can exploit existing vulnerabilities dubbed “EnemyBot” recently emerged that’s targeting Android devices as well as content management systems and web servers.

Other pervasive threats such as the Joker fleeceware and malware that can conduct fraudulent transactions on an infected device such as Octo and Ermac also continue to pose a significant risk for Android users, according to a recent report on current mobile threats by ThreatFabric.

International Authorities Take Down Flubot Malware Network

A critical security flaw has been uncovered in UNISOC's smartphone chipset that could be potentially weaponized to disrupt a smartphone's radio communications through a malformed packet.
"Left unpatched, a hacker or a military unit can leverage such a vulnerability to neutralize communications in a specific location," Israeli cybersecurity company Check Point said in a report shared with The

A critical security flaw has been uncovered in UNISOC's smartphone chipset that could be potentially weaponized to disrupt a smartphone's radio communications through a malformed packet.

"Left unpatched, a hacker or a military unit can leverage such a vulnerability to neutralize communications in a specific location," Israeli cybersecurity company Check Point said in a report shared with The Hacker News. "The vulnerability is in the modem firmware, not in the Android OS itself."

UNISOC, a semiconductor company based in Shanghai, is the world's fourth-largest mobile processor manufacturer after Mediatek, Qualcomm, and Apple, accounting for 10% of all SoC shipments in Q3 2021, according to Counterpoint Research.

The now-patched issue has been assigned the identifier CVE-2022-20210 and is rated 9.4 out of 10 for severity on the CVSS vulnerability scoring system.

In a nutshell, the vulnerability — discovered following a reverse-engineering of UNISOC's LTE protocol stack implementation — relates to a case of buffer overflow vulnerability in the component that handles Non-Access Stratum (NAS) messages in the modem firmware, resulting in denial-of-service.

To mitigate the risk, it's recommended that users update their Android devices to the latest available software as and when it becomes available as part of Google's Android Security Bulletin for June 2022.

"An attacker could have used a radio station to send a malformed packet that would reset the modem, depriving the user of the possibility of communication," Check Point's Slava Makkaveev said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Critical UNISOC Chip Vulnerability Affects Millions of Android Smartphones

The threat actor known as SideWinder has added a new custom tool to its arsenal of malware that's being used in phishing attacks against Pakistani public and private sector entities.
"Phishing links in emails or posts that mimic legitimate notifications and services of government agencies and organizations in Pakistan are primary attack vectors of the gang," Singapore-headquartered cybersecurity

The threat actor known as SideWinder has added a new custom tool to its arsenal of malware that's being used in phishing attacks against Pakistani public and private sector entities.

"Phishing links in emails or posts that mimic legitimate notifications and services of government agencies and organizations in Pakistan are primary attack vectors of the gang," Singapore-headquartered cybersecurity company Group-IB said in a Wednesday report.

SideWinder, also tracked under the monikers Hardcore Nationalist, Rattlesnake, Razor Tiger, and T-APT-04, has been active since at least 2012 with a primary focus on Pakistan and other Central Asian countries like Afghanistan, Bangladesh, Nepal, Singapore, and Sri Lanka.

Last month, Kaspersky attributed to this group over 1,000 cyber attacks that took place in the past two years, while calling out its persistence and sophisticated obfuscation techniques.

The threat actor's modus operandi involves the use of spear-phishing emails to distribute malicious ZIP archives containing RTF or LNK files, which download an HTML Application (HTA) payload from a remote server.

This is achieved by embedding fraudulent links that are designed to mimic legitimate notifications and services of government agencies and organizations in Pakistan, with the group also setting up lookalike websites posing as government websites to harvest user credentials.

The custom tool identified by Group-IB, dubbed SideWinder.AntiBot.Script, acts as a traffic direction system diverting Pakistani users clicking on the phishing links to rogue domains.

Should a user whose client's IP address differs from Pakistan's tap on the link, the AntiBot script redirects to an authentic document located on a legitimate server, indicating an attempt to geofence its targets.

"The script checks the client browser environment and, based on several parameters, decides whether to issue a malicious file or redirect to a legitimate resource," the researchers said.

Of special mention is a phishing link that downloads a VPN application called Secure VPN ("com.securedata.vpn") from the official Google Play store in an attempt to impersonate the legitimate Secure VPN app ("com.securevpn.securevpn").

While the exact purpose of the fake VPN app remains unclear, this is not the first time SideWinder has sneaked past Google Play Store protections to publish rogue apps under the pretext of utility software.

In January 2020, Trend Micro detailed three malicious apps that were disguised as photography and file manager tools that leveraged a security flaw in Android (CVE-2019-2215) to gain root privileges as well as abuse accessibility service permissions to harvest sensitive information.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

SideWinder Hackers Use Fake Android VPN Apps to Target Pakistani Entities

By Deeba Ahmed
In this PoC, the ransomware attack dubbed R4IoT uses vulnerable IoT devices (in this case, vulnerable security cameras)…
This is a post from HackRead.com Read the original post: New PoC Shows IoT Devices Can Be Hacked to Install Ransomware on OT Networks

In this PoC, the ransomware attack dubbed R4IoT uses vulnerable IoT devices (in this case, vulnerable security cameras) to gain access, IT for traversal, and OT, particularly PLCs for detonation.

Ransomware has become a significant threat in the industrial sector, causing widespread operational disruption. A new proof-of-concept ransomware attack devised by Forescout Technologies has concerned the infosec community even more because of the dire consequences for OT security.

**Proof-of-Concept Research Reveals Next Generation of Ransomware**

Operational Technology (OT) and Industrial Control System (ICS) networks have become the targets of interest among ransomware operators. Vedere Labs of Forescout Technologies claim that their new proof-of-concept attack can have challenging OT and IoT security implications.

In this PoC, the ransomware attack dubbed R4IoT uses vulnerable IoT devices (in this case, vulnerable security cameras) to gain access, IT for traversal, and OT, particularly PLCs for detonation.

The attack involves exploiting a flawed IP camera to compromise the IT infrastructure to gain access and shut down the OT hardware of the organization. It is worth noting that no new exploits were used in the attack, and just pre-existing flaws were enough to compromise such critical systems.

According to Vedere Labs, the only attack scenario that combines the IT, IoT, and OT ransomware in a single PoC. Researchers also released a video demonstration of the attack.

**Attack Details**

In the demonstration video, the researchers can be seen compromising mainstream network-connected security cameras, mainly from Hikvision and Axis, as these vendors provide 77% of the IP cameras currently used in enterprise networks. In fact, Forescout revealed in its report that over half a million devices are under threat because of using the default VLAN1 configuration.

Therefore, any vulnerability can be used against these devices to access an inadequately protected enterprise network. The video shows that threat actors first exploit the camera’s flaws and then execute a command to access a Windows device and later execute more commands to locate other devices/machines attached to the same camera.

**PoC Video**

As it can be seen in the video above, a simulated ransomware attack is used against a fictional hospital, and the Forescout team accessed an IP camera to access the hospital’s network and camera and searched for a programmable logic controller that controlled the facility’s heating, ventilation, and air conditioning (HVAC) system, escalated privileges to install ransomware and shut the system down.

The attacker will look for devices having weak credentials to establish an SSH tunnel by opening remote desktop protocol ports. They can now open a remote desktop session, disable network firewalls/antivirus solutions, and install malware. They can also gain privilege escalation, install ransomware and cryptocurrency miners, or launch malicious executables at OT systems.

Nevertheless, the head of security research at Forescout Vedere Lab Daniel dos Santos stated that the primary objective behind the demonstration of this PoC was to indicate how vulnerable organizational security was regarding OT networks and to highlight the evolving dangers and scope of ransomware attacks.

**More IoT Vulnerability News**

*   DNS rebinding attack puts half a billion IoT devices at risk
*   BotenaGo botnet malware targeting millions of IoT devices
*   New malware found targeting IoT devices, Android TV globally
*   Millions of IoT devices, baby monitors open to audio, video snooping
*   IoT botnet of heaters & ovens can cause massive widespread power outages

New PoC Shows IoT Devices Can Be Hacked to Install Ransomware on OT Networks

Security researchers have described the malware as among the fastest-spreading mobile threats in recent years.

An international team of law-enforcement officials has successfully disrupted infrastructure associated with FluBot, an especially pernicious malware tool that threat actors have been using since at least December 2020 to steal passwords, bank account details, and other sensitive data from Android users.

Europol announced the takedown Wednesday, noting that FluBot's infrastructure was now under the control of law enforcement.

"An international law enforcement operation involving 11 countries has resulted in the takedown of one of the fastest-spreading mobile malware to date," Europol noted. "The investigation is ongoing to identify the individuals behind this global malware campaign."

Researchers first spotted FluBot (at that time referred to as Cabassous) targeting Android users in Spain in December 2020. Over the course of the next year, the malware spread like wildfire to what Europol described as a "huge number" of Android devices in multiple countries, including Germany, the UK, France, Finland, Australia, and New Zealand.

**A Fast-Spreading Viral Threat**

FluBot spreads via SMS phishing messages (smishing) that use various pretexts to try and get recipients to click on a link for downloading the malware to their smartphones. In the early days of the malware, the SMS messages purported to be from delivery companies such as FedEx and DHL attempting to drop off a package. Users who were tricked into clicking on the link — ostensibly to reschedule delivery — ended up with the malware, disguised as a mobile app from the delivery company, downloaded to their Android devices.

Once installed, the malware seeks specific access privileges on the device that, if granted, it would use to steal payment-card data, bank account information, and other sensitive data. The malware was also designed to intercept and read text messages, open pages, disable Google Play Protect, and uninstall various apps from an infected device.

In addition, FluBot copies the infected device owner's contact list and sent SMS messages with infected links to all the numbers — a factor that likely contributed to its rapid spread, according to security vendor Bitdefender. The authors of the malware likely sold it as a service to different threat actors, too, contributing to its viral spread.

Over the course of 2021, threat actors used different SMS messages to try and trick users to click on the malicious link, including one that purported to be from a friend wanting to share a photo and another that tried to get users to listen to a fake voicemail message. Researchers from Bitdefender even observed attackers sending SMS phishing messages that ironically enough warned recipients about their devices being infected with FluBot and to take remedial action by clicking on the message link. In a report this January, Bitdefender identified Australia as the country most hit by FluBot, followed by Germany, Poland, Spain, and Austria.

Researchers from Proofpoint who tracked FluBot last year reported observing FluBot SMS messages in both English and German. The vendor said it had identified more than 700 unique domains that FluBot actors used for the English-language campaign alone.

**Android Threats Continue to Surge**

The FluBot takedown eliminates — temporarily — one of the biggest threats to Android device users in recent years. However, numerous other similar malware tools in the wild continue to present a serious threat. A recent report from ThreatFabric identified a continued increase in Android malware families such as Joker that enable fraudulent transactions being initiated from an infected device. Other examples include Alien, Cerberus, Hydra, and Octo.

The increase in Android malware families has also been accompanied by an increase in the number of malware droppers disguised as legitimate apps on Google's official Play mobile app store, ThreatFabric said. Among them is an app called NanoCleaner, which has been downloaded more than 10,000 times. In actuality, NanoCleaner is a dropper for Hydra.

Similarly, another app called Pocket Screencaster, with more than 10,000 installs, is a dropper for Octo, and another called Fast Cleaner, with more than 50,000 installs, is really a dropper for Alien and Octo.

"Threat actors continue to consider droppers on Google Play as one of the most effective ways to deliver malware to victims," ThreatFabric said.

Tag

#android