In the second part of our series on mobile phone cyber security, following our recent webinar on the subject, we look at the latest attacks on millions of UK Android phone users as well as Apple device users.

First off, Android users are being targeted by dangerous malware that steals bank details. Cyber criminals are doing this by planting malicious apps on the Google Play Store to infect phones with the Anatsa banking trojan.

What is the Anatsa banking trojan and how has it been playing games with phone cyber security on the Play Store?

Anatsa has actually been around since 2020 and this latest round of attacks targets customers of office productivity apps from Google Play. It is disguised as apps for PDF viewers, office suites and editor apps.

Although Google has removed the apps from the Play Store, they appeared there over the past four months and mainly relate to PDF viewers and readers. Thousands of people downloaded the PDF Viewer – Reader & Editor apps.

Furthermore, despite these particular apps being taken off the Play Store, some other infected apps that were previously banned have reappeared on the Store, so be vigilant.

Researchers believe the Anatsa trojan has also targeted about 600 financial apps of banking institutions.

How does Anatsa work?

Once downloaded onto your phone, the trojan steals credentials such as your banking login details so criminals can access your online banking or credit card accounts and potentially remove funds.

The hackers do this by overlaying phishing pages in the foreground when the user attempts to launch their genuine bank app. They can then use the stolen data to make transactions without the victim knowing.

So always check apps before installing them. Here are ‘do’s and don’ts’:

1. Don’t install an app if you don’t know the publisher or are unsure it is genuine, even if it is on a respected marketplace like Google Play. For example, it might be fake if it doesn’t have many installs or reviews.
2. Do check reviews to see if anyone is reporting anything suspicious about the app.

Mobile phone cyber attacks - why you should keep your software updated

New cyber security threats to iPhones via iMessage

In our first blog of this series on phone cyber security we ran a warning that Apple iPhones, Macs and iPads were being targeted by hackers via Zero-Day attacks.

Since then Apple have had to fix more zero-day vulnerabilities. These latest fixes bring the total number of zero-day vulnerabilities addressed by Apple in 2023 so far to nine!

This time the cyber criminals aimed to install spyware on iPhones via iMessage. Apple has released patches for this campaign, which is known as Operation Triangulation.

What is Operation Triangulation?

The criminals implanted spyware onto iPhones by sending an iMessage, and the spyware was programmed to remove itself once it successfully infiltrated the device. Hackers used an implant called TriangleDB, which gave them surveillance capabilities and operated solely in memory, ensuring that all evidence of the implant is erased upon device reboot.

TriangleDB spyware performs a wide range of monitoring and data collection activities.

This campaign was discovered by Russian anti-malware vendor Kaspersky when its staff became victims, along with some iOS users, and Kaspersky called it Operation Triangulation.

How has Apple fixed the problem?

Apple’s patches address the two zero-day vulnerabilities involved, CVE-2023-32434 and CVE-2023-32439.

  • CVE-2023-32434 is an integer overflow vulnerability in the kernel. If successfully exploited, a malicious app could execute arbitrary code with kernel privileges.
  • CVE-2023-32435 is a memory corruption vulnerability in WebKit. Exploiting this flaw could result in arbitrary code execution when processing specially crafted web content.

The key takeaway is that patches have been made available, and it is crucial that you update your phone software regularly, as that is how the fixes for these sorts of attacks are provided. Ideally you want to have ‘Automatic Updates’ switched on. If you’re using a business phone, talk to your IT department.

If you would like to discuss our cyber security services and recommendations please contact us on the form below or by calling us on 0330 124 3599.