David Blanc

@speekha.bsky.social

Mobile Security Expert at BPCE-SI. Former #Android lead developer. Definite Kotlin lover. Author of HttpMocker.

65 Followers 120 Following 99 Posts Joined Oct 2023
3 days ago
Critical MediaTek Vulnerability Lets Attackers Steal Android Phone PINs in 45 Seconds

A critical vulnerability in the MediaTek Dimensity 7300 chipset allows a physical attacker to extract device PINs, decrypt on-device storage, and steal cryptocurrency wallet seed phrases in approximately 45 seconds, raising serious alarms for the roughly 25% of Android users whose devices rely on the affected chip.

The vulnerability, uncovered by Ledger’s Donjon security research team, resides in the Boot ROM of the MediaTek Dimensity 7300 (also known as MT6878) chip: the very first code that executes when the device powers on, running at the highest possible hardware privilege level (EL3) before Android ever loads.

“@DonjonLedger has struck again discovering a MediaTek vulnerability potentially impacting millions of Android phones. Another reminder that smartphones aren’t built for security. Even when powered off, user data – including pins & seeds – can be extracted in under a minute.” — Charles Guillemet (@P3b7_) March 11, 2026

Because Boot ROM is permanently hard-coded into the processor’s silicon, the core hardware flaw cannot be eliminated through software patches. Ledger’s researchers exploited this weakness using Electromagnetic Fault Injection (EMFI), a technique that delivers precisely timed electromagnetic pulses to the chip during boot-up to corrupt its execution flow. By connecting to the device over USB and repeatedly triggering boot cycles while injecting faults, attackers can bypass all security layers and achieve arbitrary code execution at the chip’s highest privilege level without ever launching the Android operating system.

Proof-of-Concept: Nothing CMF Phone 1

Ledger demonstrated the attack on a Nothing CMF Phone 1 connected to a laptop via USB cable. The team breached the phone’s foundational security layer within 45 seconds, successfully recovering the device PIN, decrypting storage, and extracting seed phrases from multiple software crypto wallets. Affected applications confirmed in testing include Trust Wallet, Kraken Wallet, Phantom, Base, Rabby, and Tangem’s Mobile Wallet, among others.

“The Ledger Donjon plugged a Nothing CMF Phone 1 into a laptop and breached the phone’s foundational security within 45 seconds. This has the potential to affect millions of Android smartphones using Trustonic’s TEE and MediaTek processors.” — Charles Guillemet (@P3b7_) March 11, 2026

Although the per-attempt success rate is relatively low, the attack is practical because the process can be automated and repeated rapidly until a successful fault injection occurs. Ledger’s research, which began in February 2025, achieved arbitrary code execution in early May 2025 before responsible disclosure was initiated with MediaTek’s security team.

The vulnerability affects Android phones using the MediaTek Dimensity 7300 chip in combination with the Trustonic Trusted Execution Environment (TEE), potentially impacting approximately 25% of Android devices globally. Budget and mid-range smartphone brands confirmed in the affected device pool include Realme, Motorola, Oppo, Vivo, Nothing, and Tecno. The Solana Seeker crypto-focused smartphone also uses the same chipset.

MediaTek’s Response and Patch Status

Following Ledger’s responsible disclosure, MediaTek released a security patch in January 2026 and notified all affected OEM vendors. However, because the root cause is a hardware-level Boot ROM flaw, the patch only mitigates exploitation pathways rather than eliminating the underlying silicon vulnerability. MediaTek previously stated that EMFI attacks are considered out of scope for the MT6878 chipset’s intended consumer use case.

Ledger’s CTO, Charles Guillemet, warned that smartphones are not meant to function as secure vaults for sensitive information. He advised users to apply security patches but emphasized the risks of storing private keys and seed phrases on regular devices. Guillemet recommended transferring sensitive cryptocurrency assets to dedicated hardware wallets with certified security features, highlighting the gap between smartphone security and the needs of digital asset custody.

The post Critical MediaTek Vulnerability Lets Attackers Steal Android Phone PINs in 45 Seconds appeared first on Cyber Security News.

Critical MediaTek Vulnerability Lets Attackers Steal Android Phone PINs in 45 Seconds

2 days ago
TaxiSpy RAT: New Android Banking Trojan Targets Russian Financial Sector Cyfirma uncovers the RuTaxi Android banking Trojan, a highly persistent malware using VNC capabilities to hijack Russian bank accounts and crypto wallets.


3 days ago
New PixRevolution Malware Steals Brazil’s PIX Transfers in Real Time New PixRevolution Android malware hijacks Brazil’s PIX transfers in real time, showing fake loading screens while attackers replace payment details.


Read: hackread.com/pixrevolutio...

#CyberSecurity #Android #PixRevolution #Malware #Brazil

3 days ago
Apple patches older iPhones and iPads against Coruna exploits Apple has released security updates to patch older iPhones and iPads against a set of vulnerabilities targeted in cyberespionage and crypto-theft attacks using the Coruna exploit kit.


3 days ago
Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets


4 days ago
New BeatBanker Android Trojan Uses Silent Audio Loop to Steal Crypto BeatBanker Android Trojan spreads via fake Google Play Store pages, using a silent audio loop to stay active while stealing crypto, banking data, and login credentials.

Meet #BeatBanker, a new Android Trojan that spreads through fake Google Play Store pages, and uses a silent audio loop to stay active while stealing cryptocurrency and banking data.

Read: hackread.com/beatbanker-a...

#CyberSecurity #Android #Malware #Crypto

3 days ago
BeatBanker and BTMOB trojans: infection techniques and how to stay safe How to protect yourself from the BeatBanker Android trojan, which steals cryptocurrency, hijacks your hardware for crypto mining, and swipes all your data.

BeatBanker and BTMOB trojans: infection techniques and how to stay safe | Kaspersky official blog

5 days ago
A GitHub Issue Title Compromised 4,000 Developer Machines A prompt injection in a GitHub issue triggered a chain reaction that ended with 4,000 developers getting OpenClaw installed without consent. The attack composes well-understood vulnerabilities into so...

"The new pattern: AI installs AI"
grith.ai/blog/clineje...

5 days ago
iPhone Exploit Toolkit Used by Russian Spies Likely Originated from U.S. Contractor

A powerful iPhone exploit kit named “Coruna,” initially created for Western intelligence by U.S. contractor L3Harris, has fallen into the hands of Russian spies and Chinese cybercriminals. The Coruna toolkit features 23 different hacking components designed to compromise Apple iPhones. Trenchant, the hacking division of U.S. military contractor L3Harris, originally built it for use by the United States and its Five Eyes intelligence allies.

However, the toolkit leaked when Peter Williams, a former Trenchant general manager, acted as an insider threat and stole eight of the company’s tools. From 2022 to 2025, Williams sold these exploits for $1.3 million to Operation Zero, a sanctioned Russian exploit broker. After acquiring the stolen tools, Operation Zero allegedly resold the spyware to unauthorized users. This allowed a Russian espionage group, identified by Google as UNC6353, to deploy Coruna in targeted watering-hole attacks against Ukrainian iPhone users. The sophisticated toolkit later changed hands again, eventually falling into the hands of Chinese cybercriminal gangs that launched broad-scale campaigns to steal money and cryptocurrency from unsuspecting victims.

Exploits and Operation Triangulation

Google and security firm iVerify confirmed that Coruna targets iPhone models running iOS 13 through 17.2.1. The toolkit shares striking similarities with Operation Triangulation, a complex iPhone hacking campaign exposed by Kaspersky in 2023. Specifically, Coruna reused two major internal exploits, Photon and Gallium, which were deployed as zero-day vulnerabilities in the Triangulation attacks.

Security researchers tied these specific Coruna exploit names to known iOS vulnerabilities. “Photon” is linked to CVE-2023-32434 and is described as a privilege-escalation flaw involving an integer overflow in memory mapping, affecting iOS versions 14.5 to 15.7.6. “Gallium” is linked to CVE-2023-38606 and is a hardware-focused weakness used to bypass Apple’s Page Protection Layer (PPL), affecting iOS versions spanning roughly iOS 14.x through 16.6.

As noted by independent security researcher Costin Raiu and highlighted by TechCrunch, the bird-themed internal names of Coruna’s modules, such as Cassowary and Sparrow, match the naming conventions of L3Harris’s hacking units. Furthermore, Kaspersky’s custom logo for Operation Triangulation closely resembles the geometric L3Harris logo, subtly hinting at the contractor’s involvement. While the exact path the exploits took remains murky, the leak highlights the severe risks when nation-state cyberweapons fall into the criminal underground.

The post iPhone Exploit Toolkit Used by Russian Spies Likely Originated from U.S. Contractor appeared first on Cyber Security News.


3 weeks ago
Predator spyware hooks iOS SpringBoard to hide mic, camera activity Intellexa's Predator spyware can hide iOS recording indicators while secretly streaming camera and microphone feeds to its operators.


3 weeks ago
Extracting IPA from a Non-Jailbroken iOS Device with Apple Configurator Hello everyone. During mobile application assessments, we often need the IPA file for static analysis. However, on iOS 18+ devices, many…


3 weeks ago
Supply Chain Attack Embeds Malware in Android Devices Keenadu downloads payloads that hijack browser searches, commit ad fraud, and execute other actions without user knowledge.


3 weeks ago
New ZeroDayRAT Mobile Spyware Enables Real-Time Surveillance and Data Theft


3 weeks ago
iOS 26.4 has iPhone Stolen Device Protection on by default Three years after the feature rolled out, Apple is automatically enabling Stolen Device Protection in iOS 26.4, expanding safeguards against an ever-expanding epidemic of iPhone theft.


3 weeks ago
Apple Tests End-to-End Encrypted RCS Messaging in iOS 26.4 Developer Beta


1 month ago
Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Apple Devices


1 month ago
Android 16 is on 7.5% of devices in latest distribution numbers update Google has updated Android’s distribution numbers again, this time revealing that Android 16 is already on 7.5% of devices, with...

Ouch, looks like 42% of all Android devices are running a version that is outdated and no longer receives patches. And only 7.5% are on the current release.

9to5google.com/2026/01/30/a...

1 month ago
AI Hub Hijacked: Polymorphic Android RAT Abuses Hugging Face to Steal Data
In a troubling convergence of trusted developer infrastructure and cybercrime, Bitdefender researchers have uncovered a sophisticated Android Remote Access Trojan (RAT) campaign that is turning the po ...
Published Date: Feb 04, 2026
Vulnerabilities mentioned in this article: CVE-2026-25137, CVE-2026-24858, CVE-2026-21509, CVE-2026-20045, CVE-2024-43093


1 month ago
Malicious App on The Google Play with 50K+ Downloads Deploy Anatsa Banking Malware

A dangerous banking malware called Anatsa has been discovered spreading through the Google Play Store, reaching more than fifty thousand downloads before detection. The malicious application was cleverly hidden as a document reader, making it appear harmless to unsuspecting users searching for legitimate file management tools. This discovery highlights how cybercriminals continue to exploit official app stores as distribution channels for sophisticated financial threats targeting Android users worldwide.

The Anatsa banking trojan is particularly concerning because it specifically targets banking credentials and sensitive financial information from infected devices. The malware operates as an installer that downloads and deploys the full Anatsa banking trojan payload once the initial application gains access to a device. Users who downloaded and installed this fake document reader application unknowingly gave the malware permission to operate with elevated access, creating a gateway for financial theft and personal data extraction.

The distribution method through Google’s official marketplace made this attack particularly effective, as users typically trust applications found on authorized platforms. This represents a significant breach in app store security screening processes, demonstrating how malicious developers continue to evade detection systems.

Zscaler ThreatLabz analysts identified this malicious application and immediately began tracking its distribution network and associated command-and-control infrastructure. The security researchers confirmed the malware’s connection to banking theft operations and provided detailed technical indicators to help other security teams detect infected devices.

“ThreatLabz has identified another malicious app on the Google Play Store disguised as a document reader. The app currently has over 50K downloads and serves as an installer for the Anatsa banking trojan. IOCs below: Google Play URL:… pic.twitter.com/fAuREdKiQF” — Zscaler ThreatLabz (@Threatlabz) February 2, 2026

Their investigation revealed the attack chain and documented how the malware communicates with external servers to receive commands and exfiltrate stolen banking information.

Analyzing the Malware’s Infection and Communication Mechanism

Understanding how Anatsa establishes persistence on infected Android devices is crucial for users and security professionals seeking to prevent compromise. Once installed, the banking trojan integrates itself into the operating system and actively monitors user activity, particularly focusing on banking application interactions. When users open their banking applications or enter financial credentials, the malware captures this sensitive information through overlay attacks and credential logging techniques.

The malware then communicates with command-and-control servers located at specific IP addresses, transmitting stolen banking details directly to threat actors. This direct connection to attacker-controlled infrastructure means compromised devices remain under active threat actor control, continuously feeding banking information and session tokens to criminal operations.

Security researchers recommend users immediately remove any suspicious document reader applications, verify app authenticity through official channels, and enable multi-factor authentication on all banking accounts to mitigate potential compromise risks.

The post Malicious App on The Google Play with 50K+ Downloads Deploy Anatsa Banking Malware appeared first on Cyber Security News.


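The overlay attack the Anatsa write-up mentions works by drawing a fake window over the real banking screen and forwarding (or swallowing) the user's taps. The Android platform ships two mitigations for exactly that, and the snippet below shows how a banking app's login screen applies them. This is an added example; it is not code from the article, from Zscaler, or from any bank's app. R.layout.activity_login and R.id.password are hypothetical resource names; every API call is a real Android SDK call.

```kotlin
import android.content.Context
import android.os.Build
import android.os.Bundle
import android.util.AttributeSet
import android.util.Log
import android.view.MotionEvent
import androidx.appcompat.app.AppCompatActivity
import androidx.appcompat.widget.AppCompatEditText

/**
 * Text field that refuses touches delivered while another window covers it.
 * The platform sets FLAG_WINDOW_IS_OBSCURED (and, from API 29, the
 * PARTIALLY_OBSCURED variant) on MotionEvents that arrive through an overlay.
 */
class SecureEditText @JvmOverloads constructor(
    context: Context, attrs: AttributeSet? = null
) : AppCompatEditText(context, attrs) {

    init {
        // Platform-level filter: events with FLAG_WINDOW_IS_OBSCURED are dropped
        // before they reach this view's touch handling.
        filterTouchesWhenObscured = true
    }

    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
        // Fully obscured: the platform check already drops it; log the attempt.
        if (!super.onFilterTouchEventForSecurity(event)) {
            Log.w(TAG, "touch dropped: window fully obscured (flags=${event.flags})")
            return false
        }
        // Partially obscured windows are NOT dropped by the default filter. A
        // credential field should treat them the same way (available from API 29).
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED != 0
        ) {
            Log.w(TAG, "touch dropped: window partially obscured (flags=${event.flags})")
            return false
        }
        return true
    }

    private companion object { const val TAG = "SecureEditText" }
}

class LoginActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_login) // hypothetical layout using SecureEditText

        // Android 12 (API 31) and later: ask the window manager not to draw
        // non-system overlay windows above this activity at all. Needs the
        // normal permission android.permission.HIDE_OVERLAY_WINDOWS in the manifest.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }
    }
}
```

Two caveats a practitioner should keep in mind: setHideOverlayWindows only suppresses app overlays on API 31+, so the touch filter is what protects older devices; and neither measure helps against credential logging performed through an accessibility service rather than an overlay, which is why the article's advice (remove the dropper, enable MFA) still applies.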
1 month ago
Fake apps, NFC skimming attacks, and other Android issues in 2026 How to safely use Android devices in the face of 2026's new security threats

Fake apps, NFC skimming attacks, and other Android issues in 2026 | Kaspersky official blog

1 month ago

experienced engineers: one change, test, one change, test
junior engineers: batch everything because they're in a hurry
this is exactly backwards
the person least capable of batching is the one most likely to batch

1 month ago
New AI-Android Malware that Auto Clicks Ads from the Infected Devices

A dangerous Android malware campaign has emerged, targeting users through mobile games and pirated streaming app modifications. The threat, known as Android.Phantom, employs machine learning technology to perform automated ad-click fraud on infected smartphones. Over 155,000 downloads of compromised games have been recorded, with additional infections spreading through modified versions of Spotify, YouTube, Netflix, and Deezer across unofficial platforms.

Spotify Plus website (Source – Dr.Web)

The malware propagates through several channels, including the official GetApps store for Xiaomi devices, where six infected games from developer SHENZHEN RUIREN NETWORK CO., LTD. were discovered. These apps initially launched without malicious code, but updates released in late September introduced the Android.Phantom trojan.

GetApps distributing Trojans (Source – Dr.Web)

Distribution extends beyond official stores to dedicated modding websites, Telegram channels attracting tens of thousands of subscribers, and Discord servers where administrators actively promote infected downloads.

Dr.Web researchers noted that Android.Phantom operates using two distinct modes called phantom and signaling. The malware connects to attacker-controlled command servers that dictate its behavior patterns. Its sophisticated design incorporates TensorFlowJS, a machine learning framework that enables intelligent identification and automated clicking of advertising elements displayed within hidden browsers running on infected devices.

The threat consists of multiple interconnected components. Android.Phantom.2.origin serves as the primary variant, later enhanced by Android.Phantom.5, which functions as a dropper delivering remote code loaders. These loaders retrieve additional click-fraud modules designed for specific advertising platforms.

How the Machine Learning Attack Works

The phantom mode represents the malware’s most advanced capability, utilizing artificial intelligence for fraudulent ad interactions. Android.Phantom.2.origin deploys a hidden browser based on WebView widget technology, loading target websites as directed by command servers.

Spotify X with approximately 24,000 subscribers (Source – Dr.Web)

The malware then injects JavaScript automation scripts alongside the TensorFlowJS framework. An AI model downloaded from external servers analyzes webpage screenshots captured from a virtual screen, identifying clickable advertisement components. This intelligent approach mimics genuine user behavior, making fraudulent clicks harder for advertising networks to detect compared to basic automated scripts.

The post New AI-Android Malware that Auto Clicks Ads from the Infected Devices appeared first on Cyber Security News.


1 month ago
Why We've Tried to Replace Developers Every Decade Since 1969 Every decade brings new promises: this time, we'll finally make software development simple enough that we won't need so many developers. From COBOL to AI, the pattern repeats. Business leaders gro...

"AI amplifies developer capability. It doesn’t replace the need for people who understand both the problem domain and the technical landscape."

www.caimito.net/en/blog/2025...

2 months ago
Pwning Claude Code in 8 Different Ways Introduction Hello, I’m RyotaK (@ryotkak ), a security engineer at GMO Flatt Security Inc. A few months ago, I came across an interesting behavior while using Claude Code—it executed a command without my approval. Since I wasn’t using the permission bypass mode, I decided to investigate further to understand why it was able to execute commands without explicit approval. TL;DR I discovered 8 ways to execute arbitrary commands in Claude Code without user approval.


2 months ago
Why iPhone users should update and restart their devices now Apple has confirmed active exploitation, but full protections are limited to iPhones running iOS 26+ (yes, the one with Liquid Glass).

Upgrading requires a restart, which makes this a win-win: you get the latest protections, and any memory-resident malware is flushed at the same time.

2 months ago
Android phones imported from abroad will have difficulty running banking apps starting March 1st. The new regulations will directly impact jailbroken iPhones and imported Android phones that have been tampered with to install Vietnamese language support or remove unwanted apps.

Vietnamese banks will be required to disable their mobile banking apps on rooted devices starting in March

Mobile apps will also be disabled if a debugger is attached to the device

www.vietnam.vn/en/may-andro...

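The two conditions the post above calls out, a rooted device and an attached debugger, are checked client-side by the banking app itself. The snippet below shows the shape of such a check, as an added example: it is not code from the linked article and not any bank's actual implementation. All APIs used are real Android SDK calls; the su paths and the ro.debuggable property are the usual root indicators, and the Report type is a name chosen for this example.

```kotlin
import android.content.Context
import android.content.pm.ApplicationInfo
import android.os.Build
import android.os.Debug
import java.io.File

object DeviceIntegrity {

    /** Findings in a form the caller can log, display, or send to its backend. */
    data class Report(val rooted: Boolean, val debugged: Boolean, val reasons: List<String>)

    // Well-known locations of the su binary on rooted devices.
    private val suPaths = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/vendor/bin/su",
        "/data/local/tmp/su", "/data/local/bin/su", "/data/local/xbin/su"
    )

    fun check(context: Context): Report {
        val reasons = mutableListOf<String>()

        // Root indicators: su binary present, build signed with test-keys,
        // or ro.debuggable=1 (userdebug/eng firmware).
        suPaths.filter { File(it).exists() }.forEach { reasons += "su binary at $it" }
        if (Build.TAGS?.contains("test-keys") == true) reasons += "build signed with test-keys"
        if (getProp("ro.debuggable") == "1") reasons += "ro.debuggable=1"
        val rooted = reasons.isNotEmpty()

        // Debugger indicators: JDWP debugger attached or about to attach,
        // app built with android:debuggable, or a native tracer (gdb, lldb,
        // Frida) attached through ptrace.
        val before = reasons.size
        if (Debug.isDebuggerConnected() || Debug.waitingForDebugger()) reasons += "JDWP debugger connected"
        if (context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE != 0) reasons += "app is debuggable"
        tracerPid()?.let { if (it != 0) reasons += "ptrace tracer pid $it" }
        val debugged = reasons.size > before

        return Report(rooted, debugged, reasons)
    }

    /** TracerPid in /proc/self/status is non-zero while a ptrace debugger is attached. */
    fun tracerPid(): Int? = runCatching {
        File("/proc/self/status").useLines { lines ->
            lines.firstOrNull { it.startsWith("TracerPid:") }
                ?.substringAfter(':')?.trim()?.toInt()
        }
    }.getOrNull()

    /** Reads a system property via the getprop binary (SystemProperties is not public API). */
    private fun getProp(name: String): String? = runCatching {
        ProcessBuilder("getprop", name).redirectErrorStream(true).start()
            .inputStream.bufferedReader().use { it.readLine()?.trim() }
    }.getOrNull()
}

// Typical use from Application.onCreate (hypothetical BlockedActivity):
//   val report = DeviceIntegrity.check(this)
//   if (report.rooted || report.debugged) startActivity(Intent(this, BlockedActivity::class.java))
```

Every one of these signals is computed on the device and can be hidden by a root-hiding module or a hooking framework, so a bank treating them as the only gate gets a bypassable control; the stronger signal is a Play Integrity verdict fetched by the app and verified on the server, with these local checks kept as a fast first pass.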
2 months ago
Preview
Q4 2025 Malware Trends: Telegram Backdoor, Banking Trojans Surge, Joker Returns to Google Play

📣⚠️ New Q4 2025 malware report reveals a rise in Android banking trojans, resurgence of Joker malware on Google Play, and widespread use of backdoored apps.

Read: hackread.com/q4-2025-malw...

#CyberSecurity #Android #Malware #MobileThreats #Trojan

2 months ago
Astaroth Banking Trojan Targets Brazilians via WhatsApp Messages

Watch out as the Astaroth banking Trojan is now spreading via #WhatsApp messages in a Brazil-focused campaign, using friendly-looking ZIP files to auto-infect contacts and steal banking credentials and data.

Read: hackread.com/astaroth-ban...

#Astaroth #Malware #Cybersecurity #Banking #Brazil

2 months ago
WhatsApp Vulnerabilities Leaks User’s Metadata Including Device’s Operating System


2 months ago
Kimwolf Android Botnet Infects Over 2 Million Devices via Exposed ADB and Proxy Networks

