News about USPS suspending shipments from China and Hong Kong may give scammers some ideas to defraud consumers

I would be the last one to provide scammers with good ideas, but as a security provider, sometimes we need to think like criminals to stay ahead in the race.

Recently, the US Postal Service (USPS) announced that it would suspend inbound packages from China and Hong Kong until further notice. That further notice, it turned out, was very short indeed, with the USPS announcing on February 5 that the interruption in service would itself be disrupted—packages were once again approved to enter the country. But the whiplash announcements, the second of which was dropped with little fanfare, have caused confusion.

So, there is an opportunity for scammers to exploit that confusion and uncertainty. Let me spell out how:

*   Scammers could send messages about refunds based on packages that could not be sent.
*   A revival of the old “Your package could not be delivered” scam could spring up.
*   Phishers could send messages about goods that were rerouted through other countries.
*   Goods—including counterfeit—could be offered for sale at “pre-tariff” rates.
*   Malicious messages could claim to arrive from the shipper, the e-commerce platform, or Customs, asking for additional information to get a package released.
*   Cybercriminals may set up fake USPS sites—as they have done in the past—to intercept searches for Track & Trace information.

Scammers are always looking to make money over other people’s backs. They will usually enter some kind of urgency into their messaging, like a time before which you have to respond. This is a good indicator because they don’t want you to think things through before you act.

**How can you stay safe?**

It’s best not to respond to any of these attempts, to avoid letting scammers know that someone is reading their attempts. It will likely cause an increase in spam and other attempts.

Depending on how the scam reaches you and what it is after, there are several ways to stay safe.

*   Use a solution that offers text protection and text message filtering.
*   Do not click on unsolicited links or open unsolicited attachments.
*   Do not trust that sponsored ads lead to the legitimate company, we are seeing too many fakes.
*   Do not trust links that use URL-shorteners, or at least unshorten the link before following it. The same is true for QR codes which are basically URLs in a different shape.
*   Doublecheck the source of messages through a trusted way of communication with the shipper, e-commerce platform, or customs.

And please report fraud attempts with the Internet Crime Complaint Center (IC3), so others can be warned about common scams.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 New scams could abuse brief USPS suspension of inbound packages from China, Hong Kong 

**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

133.0.3065.51

2/6/2025

133.0.6943.53/54

CVE-2025-21253: Microsoft Edge for IOS and Android Spoofing Vulnerability

Cheap banking scams are often easier to pull off in a country with older devices, fewer regulations, and experienced fraudsters.

Source: Jayant Bahel via Alamy Stock Photo

A series of fake banking apps are making the rounds in India, mimicking trusted institutions to steal credentials and, ultimately, money.

The scale of the campaign is impressive, featuring nearly 900 different malware samples tied to around 1,000 different phone numbers used to perpetrate the fraud. Researchers from Zimperium observed all those malware couched in apps that mimic billion-dollar financial institutions, designed to target regular people across India.

**Banking Fraud in East India**

Across India, regular people have been receiving WhatsApp messages carrying malicious Android Package Kit (APK) files. Once downloaded, these APKs open into fake apps mimicking one of more than a dozen banks, including most of the largest in India: HDFC Bank, ICICI Bank, the State Bank of India (SBL), and others.

Source: Zimperium

The apps ask victims to submit their most sensitive financial information, including their mobile banking credentials, credit and debit card numbers, ATM PINs, Permanent Account Number (PAN) Card — used for various financial and government purposes, like paying taxes or opening a bank account — and Aadhar Card, and equivalent to a Social Security number (SSN).

To allow the attackers to log into victims' bank accounts, the malware intercepts one-time passwords sent via SMS, and redirects them either to an attacker-controlled phone number, or a command-and-control (C2) server running on Firebase.

Related:Russian APT Phishes Kazakh Gov't for Strategic Intel

The malware also sports stealth and anti-analysis measures, like "packing," where the malware is compressed, encrypted, and obfuscated to the point of illegibility. It can install itself invisibly by taking advantage of accessibility services, and obtain all conceivable permissions on users' devices by simply prodding a user to thoughtlessly hit "Allow" when it asks nicely.

"Since you don't see the app, it's not easy to uninstall it," explains Nico Chiaraviglio, chief scientist at Zimperium. "And then you \[have to deal with the\] higher permissions. So if you want to uninstall the app, the device will say you cannot install it because it's a system app. You basically need to connect the phone to a computer and uninstall it using the Android Debug Bridge (ADB). It's not something that you can do from a regular user's standpoint."

**Why Fraud Works in India**

Phone numbers tied to the campaign lovingly named "FatBoyPanel" have tended to concentrate in eastern states: West Bengal (30.2%), Bihar (22.6%), Jharkjand (10%).

That FatBoyPanel seems to be going so well, Chiaraviglio thinks, comes down to a couple of obvious factors. First: older, outdated phones are common in East India, and, "If you want to run some sort of exploit, it's easier to do on older devices," he says.

Related:Chinese APT Group Is Ransacking Japan's Secrets

"It's also widely known that there are a lot of scammers in India," he adds. In this campaign, "They are targeting some specific apps, and this basically tells you that the attackers are Indians, and that they know the market that they are working in."

One thing surprised him, he says: "We publish a report every year on banking Trojans, and we see most of them targeting many different countries at the same time. It's very uncommon that we see a campaign that is only targeting one country."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Basket of Bank Trojans Defraud Citizens of East India

A banking malware campaign using live phone numbers to redirect SMS messages has been identified by the zLabs research team, uncovering 1,000+ malicious apps and 2.5GB of exposed data.

Mobile devices have become a prime target for financial fraud, as the availability of digital payments and interception of OTPs (one-time passwords) for authentication make them vulnerable. Threat actors’ latest targets are Indian bank users, forced to reveal sensitive financial/personal data in a sophisticated mobile malware campaign, uncovered by the Zimperium zLabs research team. 

According to the company, banking trojans are targeting Indian banks and government institutions, and live phone numbers are used to intercept and redirect SMS messages, putting sensitive data at risk. This campaign is believed to be the work of a single threat actor and targets mobile devices running the Android OS. The researchers have dubbed the actor as “FatBoyPanel.”

This “coordinated effort” utilizes over 1,000 malicious Android applications designed to steal financial and personal data, researchers noted in the blog post shared with Hackread.com ahead of publishing on Wednesday. 

These apps, disguised as legitimate banking and government tools, are distributed primarily through WhatsApp. Victims are tricked into revealing Aadhaar and PAN card details, ATM PINs, and mobile banking credentials.

The most frequently impersonated banks are:

*   ICICI: 15.2%
*   SBI: 10.5%
*   RBL: 11.9%
*   PNB: 12.9%

Unlike traditional malware campaigns, this one employs a more innovative approach towards OTP theft. As observed by Zimperium researchers, instead of relying solely on command-and-control servers, the malware intercepts and redirects SMS messages in real-time using live phone numbers.  This method, however, leaves a traceable digital trail and may aid law enforcement in identifying the perpetrators.  

ZLas researchers have identified around 900 malware samples and approximately 1,000 phone numbers involved in this operation. Around 63% of these numbers were registered in West Bengal, Bihar, and Jharkhand.

*   Bihar: 22.6% of victims
*   Jharkhand: 10.0% of victims
*   West Bengal: 30.2% of victims

The scope of this campaign is substantial.  Analysis of the malicious apps reveals shared code, user interface elements, and app logos, indicating a centralized operation.  Furthermore, researchers discovered over 222 unprotected Firebase storage buckets containing 2.5 gigabytes of stolen data.  This exposed information, including bank details, card information, government IDs, and SMS messages, affects an estimated 50,000 victims.

The phishing UI used within the app to steal sensitive information, along with the admin dashboard view of the C&C servers managed by the threat actors (Via Zimperium zLabs)

The malware operates in three distinct variants: SMS Forwarding, Firebase-Exfiltration, and a Hybrid approach.  All variants intercept and exfiltrate SMS messages, including OTPs, enabling unauthorized transactions.  Evasion techniques include hiding its icon, resisting uninstallation, and using code obfuscation and packing.  

The top sources of distribution of SMS messages based on their sender are:

*   Jio Payments: 47.4%
*   Airtel Payments Bank: 18.5%

Hardcoded phone numbers within the malware and the Firebase endpoints act as exfiltration points for stolen data. The administrative dashboard for this platform even contained a “WhatsApp Admin” button, suggesting a multi-user environment and facilitating direct communication among the threat actors.

To protect yourself from mobile malware, download apps from official app stores and avoid downloading APK files from websites, messaging apps or untrusted sources. Verify app details before installing and avoid apps that request excessive permissions for a secure mobile experience.

Banking Malware Uses Live Numbers to Hijack OTPs, Targeting 50,000 Victims

Organizations and development teams need to evolve from "being prepared" to "managing the risk" of security breaches.

Kirsten Newcomer, Director, Cloud and DevSecOps Strategy, Red Hat

February 4, 2025

4 Min Read

Source: RTimages via Alamy Stock Photo

COMMENTARY

It's a perfect storm: The cost of a data breach is rising, known cyberattacks are becoming more frequent, security expertise is in short supply, and the demand for connectedness — to deliver and act on even the most sensitive of data across all devices, and all the way to the network edge — is unyielding. A recent example that affects anyone who texts between Android and iPhone devices is the Salt Typhoon attack. Meanwhile, industry and government regulations are tightening, demanding stricter proof of security measures and faster reporting of breaches, raising the stakes for "getting it wrong."

In its most recent analysis, Verizon Business found that organizations take an average of 55 days to remediate 50% of critical vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog. Unfortunately, cybercriminals respond far more quickly, with mass exploitations of the CISA KEV appearing on the Internet within a median of five days. 

That's why organizations and development teams must evolve from "being prepared" to "managing the risk" of security breaches.

Vulnerability risk management is not a new concept, but I am noticing that organizations are attempting to manage risk in one of two ways — by setting up guardrails (proactive) or patching (reactive). Neither is optimal.

The key is to balance the two, highlighting the critical importance of adopting a DevSecOps approach. "DevSec" solutions are focused on shifting security left by integrating security gates into the continuous integration and continuous delivery (CI/CD) pipeline. "SecOps" solutions are focused on detecting and responding to threats in the runtime environment. 

Here's a look at the challenges to each approach.

**The Vulnerability Patching Approach**

On its face, patching sounds simple enough: When a software vulnerability is revealed, patch it. However, that assumes that developers and security teams have the resources to quickly monitor for issues, create or identify patches, and then test and apply those patches — before cyberattackers can take advantage of the vulnerabilities themselves. 

AI will eventually help developers more efficiently identify vulnerabilities, but we're not at that point yet. Right now, AI and the demand for AI-enabled applications is only adding to the potential for unidentified vulnerabilities. AI code generation tools increase the likelihood of introducing hard-to-trace snippets of code from unidentified sources. While many of today's vulnerability scanners rely on identifying code packages rather than code snippets. 

**The Guardrails Approach**

The guardrails approach is more nuanced than the vulnerability patching approach, but it comes with its own set of challenges.

While organizations that focus on the patching approach take a more reactive stance, the guardrails approach is grounded in proactive protection and mitigating controls. These include:

*   Reducing the attack surface across the stack
    
*   Working toward continuous hardening and compliance improvement
    
*   Securing the application CI/CD pipeline using best practices, such as those recommended in slsa.dev: identifying provenance, hardening builds, verifying artifacts
    
*   Implementing automated, policy-based promotion and admission controls to ensure that applications have production-ready security before being deployed to production systems
    
*   Application of data protection controls such as encryption
    

*   Use of zones of control (fencing communications with network and API security controls) and microsegmentation
    
*   Prioritizing the use of Linux security solutions, such as SELinux and secure computing profiles (seccomp), as well as features focused on securing containers such as user namespaces and cgroupsv2
    

All of these strategies are highly effective; however, it's often challenging for organizations to integrate these and other guardrails into their infrastructure. It is even more challenging to harden existing application pipelines. Striking the balance between security and innovation has gotten more difficult as pressure to improve security increases from all sides and the impact of a security breach reverberates up and down the supply chain.

**Creating a Balanced Approach to Software Risk Management**

Used together, patching and guardrails can help organizations maintain a balance between efficient vulnerability management and proactive security monitoring and management. 

Organizations should assess risk based on key factors for their business, including what mitigating controls they have in place in the runtime environment. While the Common Vulnerability Scoring System, with Base Metrics and Temporal and Environmental Metrics, offers some indication of the level of risk a known vulnerability creates, this data does not and cannot account for the specific context of a deployed application. Organizations need to account for additional factors such as external exposure and mitigating controls.

Using open source can help, since the community is committed to transparency and clear communication about newly discovered vulnerabilities and how to get fixes for them. In fact, in addition to prioritizing the use of open source, organizations should take their cue from the open source community and establish their own processes for sharing detailed information about identified vulnerabilities — internally but also with partners and vendors following principles of responsible disclosure. 

Responsible disclosure and open data are critical for customers and communities to fully understand the vulnerabilities that may impact them, as well as to ensure that the data necessary to make appropriate, informed decisions is widely available.

Offering multiple remediation options, such as software updates and/or patches, and automated guardrails at all stages of the application life cycle including CI/CD and runtime mitigations, provides flexibility in addressing vulnerabilities across diverse environments. By combining these elements, organizations can create a comprehensive vulnerability risk management program that effectively mitigates security risks across their entire IT infrastructure.

**About the Author**

Director, Cloud and DevSecOps Strategy, Red Hat

Kirsten Newcomer works closely with Red Hat’s many security professionals across the Red Hat portfolio of open source offerings. She is a diversified software management professional with more than 20 years of experience in security, application development, and infrastructure solutions. Prior to joining Red Hat, Kirsten provided strategic direction for Black Duck’s open source security and governance solutions.

Managing Software Risk in a World of Exploding Vulnerabilities

Google has shipped patches to address 47 security flaws in its Android operating system, including one it said has come under active exploitation in the wild.
The vulnerability in question is CVE-2024-53104 (CVSS score: 7.8), which has been described as a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver.
Successful exploitation of the flaw could lead

Google Patches 47 Android Security Flaws, Including Actively Exploited CVE-2024-53104

Though Windows, iOS, and macOS users won't need to make any changes, Android users are advised to remove their Defender VPN profiles.

Source: CryptoFX via Alamy Stock Photo

NEWS BRIEF

Microsoft is notifying users that it will no longer support the Privacy Protection VPN feature within the Microsoft Defender app. The feature will be removed on Feb. 28.

Microsoft Defender checks files or apps downloaded and installed on a device for any malicious software, as well as runs scans of files already on a system. It works alongside third-party anti-malware solutions and is included as part of a Microsoft 365 Personal or Family subscription.

Microsoft plans to eliminate only the VPN feature and will still provide device protection, identity theft monitoring, and credit monitoring in the US.

The support update document announcing the change did not have a lot of detail but stated that removing the privacy protection benefit will allow the company to "invest in new areas that will better align to customer needs." The document also notes the company routinely evaluates the effectiveness of its features.

Though Windows, iOS, and macOS users won't have to take any action, Microsoft provided instructions for Android users to follow because the VPN profile must be removed from devices manually.

"Not removing the Defender VPN profile on your Android device will not cause any impact to your device but it's recommended to remove it as it won't be used by Defender to provide protection," Microsoft stated.

Android users can follow the steps below to remove their Defender VPN profiles:

3.  Users should see a "Microsoft Defender" VPN profile in the list of VPN profiles if they've onboarded to privacy protection.
    
4.  Click on the "Info" icon and remove the profile.
    

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Microsoft Sets End Date for Defender VPN

WhatsApp has accused professional spyware company Paragon of spying on a select group of users.

WhatsApp has accused the professional spyware company Paragon of spying on a select group of users.

WhatsApp, the Meta-owned, end-to-end encrypted messaging platform, said it has reliable information that nearly 100 journalists and other “members of civil society” were targets of a spyware campaign conducted by the Israeli spyware company.

“Members of civil society” usually refers to individuals and organizations that operate independently from government and business sectors, often those advocating for public interests, influencing policy, or holding governments accountable.

In a statement, a WhatsApp spokesperson said:

> “This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately”

Many such targets use WhatsApp because they rely on the end-to-end encryption (E2EE) that it offers by default to safeguard communications, protect sources, and shield sensitive information from prying eyes.

The targets were spread over two dozen countries, including several in Europe. WhatsApp notified the possibly affected accounts through its own app. The platform has the ability notify users about sensitive matters directly via a WhatsApp chat. In such a case, the chat will include a system message at the top of the chat that verifies that it originates from the official account of WhatsApp Support, and there will be a blue checkmark next to WhatsApp Support at the top of the chat.

A spokesperson stated that WhatsApp was able to identify and block the attack vector which Paragon used in these attacks. Reportedly, the hacking campaign used malicious PDFs sent via WhatsApp groups to compromise targets. The attack apparently required no action from the target, a so-called zero-click attack.

Researchers have often compared Paragon’s Graphite spyware to the Pegasus spyware, a deeply invasive tool developed by a company called NSO that WhatsApp has been fighting in court since 2019. But up until now, Paragon was able to keep a low profile. This is the first time that Paragon has been publicly linked to a hacking campaign that allegedly targeted journalists and members of civil society.

WhatsApp has sent Paragon Solutions a cease-and-desist letter following the series of attempted attacks. Meta also notified Canadian privacy watchdog Citizen Lab. Citizen Lab’s researcher John Scott-Railton says they observed this campaign and have started an investigation.

The attacks reportedly took place in December 2024. If you are a potential target and you received a suspicious PDF you can reach out to Citizen Lab or the non-profit digital security helpline AccessNow.

If you received a WhatsApp notification about the attack, you can contact WhatsApp Support in-app by clicking here.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp says Paragon is spying on specific users 

Google said it blocked over 2.36 million policy-violating Android apps from being published to the Google Play app marketplace in 2024 and banned more than 158,000 bad developer accounts that attempted to publish such harmful apps.
The tech giant also noted it prevented 1.3 million apps from getting excessive or unnecessary access to sensitive user data during the time period by working with

Google Bans 158,000 Malicious Android App Developer Accounts in 2024

Apple has released a host of security updates for iOS, iPadOS, Mac, Apple Watch, and Apple TV. Update as soon as you can.

Apple has released a host of security updates across many devices, including for a zero-day bug which is being actively exploited in iOS.

Apple said:

> “A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2.”

Devices affected are those that run:

*   iPhone XS and later
*   iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
*   macOS Sequoia
*   Apple Watch Series 6 and later
*   All models of Apple TV HD and Apple TV 4K

If you use any of these then you should install updates as soon as you can. To check if you’re using the latest software version, go to **Settings** (or **System Settings**) > **General** \> **Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

**Technical details about the zero-day**

The zero-day vulnerability patched in this update is tracked as CVE-2025-24085. It is described as a use after free (UAF) issue in Apple’s Core Media framework that would allow an attacker to elevate privileges.

The Core Media framework handles multimedia applications like photos, videos, and real-time communication applications. UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, successful exploitation could provide a malicious app with privileges on the affected device that it shouldn’t have.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#android