ISAC’s Joint Advisory as Cyber & Physical Risks Increase in MiddleEast Conflict; Major Hacking Groups are Threat to Critical Infrastructure
ISAC’s Joint Advisory
Continue ReadingSpyware
Malicious Extensions Copies Legitimate Apps; Chrome Under Spotlight
Chrome under spotlight
Continue Reading
Apple Releases iOS & iPadOS 26.1 Update, Fixed Multiple Security Vulnerabilities
Summary: Apple released iOS 26.1 and iPadOS 26, addressed multiple security vulnerabilities across core system components including WebKit, Kernel, Accessibility, Apple Neural Engine, CloudKit etc.
| OEM | Apple |
| Severity | High |
| CVEs | CVE-2025-43438, CVE-2025-43429, CVE-2025-43442, CVE-2025-43455, CVE-2025-43398 & others |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview:
These vulnerabilities could enable malicious apps to escape sandboxes, access sensitive user data, execute arbitrary code via web content, monitor keystrokes or disable theft protection mechanisms. Affected devices include iPhone 11 & later and iPad models from 3rd gen onward etc. Immediate update is strongly recommended to prevent any breaches, system crashes.
| Vulnerability Name | CVE ID | Product Affected | Fixed Version |
| WebKit Use-After-Free (Safari Crash/RCE) | CVE-2025-43438 | iOS, iPadOS | iOS/iPadOS 26.1 |
| WebKit Buffer Overflow (RCE Risk) | CVE-2025-43429 | iOS, iPadOS | iOS/iPadOS 26.1 |
| App Installed Detection via Accessibility | CVE-2025-43442 | iOS, iPadOS | iOS/iPadOS 26.1 |
| Sensitive Screenshot in Embedded Views | CVE-2025-43455 | iOS, iPadOS | iOS/iPadOS 26.1 |
| Kernel Memory Corruption / DoS | CVE-2025-43398 | iOS, iPadOS | iOS/iPadOS 26.1 |
Technical Summary:
The iOS/iPadOS 26.1 update fixes major security issues in sandbox protection, memory handling, privacy settings, and the WebKit browser engine. These critical vulnerabilities could allow apps or websites to access restricted data or execute malicious code. Key impact issues mentioned below.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-43438 | WebKit | Use-after-free in Safari triggers crash or code execution via malicious web content | Remote Code Execution, System Compromise |
| CVE-2025-43429 | WebKit | Buffer overflow in content processing allows arbitrary code execution | Remote Code Execution, Service Compromise |
| CVE-2025-43442 | Accessibility | Permissions flaw allows apps to detect installed apps (fingerprinting) | Privacy Violation, User Tracking |
| CVE-2025-43455 | Apple Account | Malicious apps can screenshot sensitive embedded UI (login views) | Credential, PII Exposure |
| CVE-2025-43398 | Kernel | Memory mishandling leads to system termination or kernel corruption | Denial of Service, Potential Privilege Escalation |
Additionally, there are multiple high & medium vulnerabilities have been disclosed that enable sandbox escapes, data leaks, and web-based attacks with significant impact potential. Here are some cves in the below table
| Vulnerability Name | CVE ID | Affected Component |
| Sandbox Escape via Assets | CVE-2025-43407 | Assets |
| Sandbox Escape via CloudKit Symlink | CVE-2025-43448 | CloudKit |
| Stolen Device Protection Bypass | CVE-2025-43422 | Stolen Device Protection |
| Cross-Origin Data Exfiltration | CVE-2025-43480 | WebKit |
| Keystroke Monitoring via WebKit | CVE-2025-43495 | WebKit |
| Apple Neural Engine Kernel Corruption | CVE-2025-43447, CVE-2025-43462 | Apple Neural Engine |
| Canvas Cross-Origin Image Theft | CVE-2025-43392 | WebKit Canvas |
| Contacts Data Leak in Logs | CVE-2025-43426 | Contacts |
| Lock Screen Content Leak | CVE-2025-43350 | Control Center |
| Address Bar Spoofing | CVE-2025-43493 | Safari |
| UI Spoofing in Safari | CVE-2025-43503 | Safari |
Recommendations:
Update all eligible devices immediately (Settings > General > Software Update products) to the following fixed versions as soon as possible and check the updated version from the Apple security website.
Patches are available and should be applied immediately.
For environments where immediate patching is not immediately feasible, you can also follow the recommendations below.
- Enable Stolen Device Protection and Lockdown Mode (where applicable)
- Restrict app installations to trusted sources.
- Avoid visiting untrusted websites from browser
- Use VPN and enable Advanced Data Protection for iCloud
- Monitor for anomalous app behavior or battery drain
Conclusion:
The iOS/iPadOS 26.1 update fixes several security vulnerabilities that could affect user privacy, device stability, and system protection.
Organizations and Individual using Apple devices must prioritize deployment of this update to mitigate risks of data exfiltration, spyware and other attack vectors. Timely patching remains the most effective control against zero-day exploitation on new vulnerabilities in digital ecosystems.
References:
Fake Govt & Banking Apps Spreading Android Droppers Evolved as Malware
Security Advisory:
Cybersecurity researchers have discovered a major shift in how Android malware is being delivered. Dropper apps, which were earlier used mainly to distribute banking trojans.
The Malware’s being used to deliver simpler threats like SMS stealers and basic spyware as official government or banking apps, primarily targeting users in India, Southeast Asia, and some parts of Europe.
ThreatFabric researchers warn of a shift in Android malware: dropper apps now deliver not just banking trojans, but also SMS stealers and spyware, mainly in Asia.
Vulnerability Details
The recent surge in Android dropper apps introduces a critical security vulnerability affecting mobile users globally. These droppers are impersonating as banking apps, government services, or trading platforms,, bypass Google Play
Pilot Program by initially requesting minimal permissions to avoid detection, making them appear as legitimate applications.
Once installed, they fetch malicious payloads like spyware, SMS stealers, cryptocurrency miners, and banking trojans from remote servers. Attackers also exploit malvertising campaigns on social media to spread fake apps widely. This evolving tactic enables cybercriminals to switch payloads dynamically, making traditional security measures less effective and increasing the risk of data theft and device compromise.
Source: cybersecuritynews
Attack Flow
| Step | Description |
| 1. Craft | Attackers create malicious dropper apps disguised as government schemes, banking apps |
| 2. Send | The droppers are distributed through third-party APK sites, malicious ads |
| 3. Trigger | The victim downloads and installs the dropper app, often believing it’s legitimate due to its official-looking design and branding. |
| 4. Execution | When the user clicks “Update” or interacts with the app, the dropper fetches the real malicious payload (spyware, SMS stealer |
| 5. Exploit | The installed malware requests high-risk permissions, such as SMS access or notification access, allowing attackers to steal data, track activities, or control the device remotely. |
Proof-of-Concept
Once the user interacts, the dropper initiates an HTTPS request to a remote server
Source: cybersecurity news
Why It’s Effective
Dynamic Payload Delivery – Attackers hide the real malicious file inside a harmless-looking dropper app. The payload is only downloaded after user interaction, making it harder to detect.
Permission Evasion – Droppers initially request minimal or safe permissions and only ask for high-risk permissions (like SMS or accessibility access) after installation, bypassing Google Play Protest’sProtects initial scans.
Fake Update Screens – Many droppers display legitimate looking “Update Required” prompts to trick users into downloading malware, increasing their success rate.
Recommendations:
Download Apps Safely
- Install apps only from trusted sources like Google Play Store, Apple store etc.
- Avoid third-party APKs, unknown links
,or apps promoted through social media ads.
Check Permissions Carefully
- Do not grant unnecessary permissions like SMS, notifications, or accessibility dependent on the app services.
- Always review requested permissions before installing or updating an app.
Keep Devices Secure
- Enable Google Play Protect and keep your Android security patches up to date.
- Use a reliable mobile security solution for real-time malware detection.
Stay Alert and Aware
- Be aware of fake update prompts; apps
,and malicious sites.
- Stay updated on the latest tactics used by Android malware
Conclusion:
- Android droppers are evolving fast, making them more flexible and harder to detect, increasing risks for both individuals and organizations.
- Droppers started as tools for advanced banking malware, but now they’re used to install all kinds of harmful apps and sneak past local security.
- It is always recommended to stay vigilant, keep your phone and software updated from the original source
References:
Users of WhatsApp Exposed to Sophisticated Spyware Attack
The recent Spyware attack on WhatsApp users is linked to Israeli surveillance firm Paragon Solutions that targets journalists, activists, and civil society members using sophisticated “zero-click” hacking methods that require no user interaction.
Attack Confirmed By Meta
Meta, the parent company of WhatsApp, has officially acknowledged the attack, stating that the messaging platform was compromised by hackers deploying spyware. Following multiple reports of breaches, Meta informed Italy’s National Cybersecurity Agency, confirming that about 90 users across 24 countries were targeted.
The spyware attack came to light when Luca Casarini, a migrant rescue activist and co-founder of Mediterranea Saving Humans, and investigative journalist Francesco Cancellato, received an alert from WhatsApp, notifying their device had been infiltrated by spyware.
What is Spyware and what makes Spyware attack special?
Spyware is one of the most commonly used cyberattack methods used by hackers and makes it difficult to trace and identify by users and does some serious harm to networks. These data are used to track, steal, and sell user data, such as internet usage, credit card, and bank account details, or steal user credentials to spoof their identities.
As per Fortinet, Spyware is malicious software that enters a user’s computer, gathers data from the device and user, and sends it to third parties without their consent. A commonly accepted spyware definition is a strand of malware designed to access and damage a device without the user’s consent.
How Zero-Click Hacking affect our Online Digital device
The Zero click hacking techniques was stunning for users which is not traceable
Unlike any other phishing attacks that require users to click on malicious links. In this method attackers infect a device without any action from the user. Such advanced tactics enable surveillance on a large scale, posing severe risks to privacy and security worldwide.
The revelation has reignited global concerns over digital espionage and unauthorized surveillance. Cybersecurity experts warn that the attack on WhatsApp underscores the vulnerabilities present in even the most widely used communication platforms. As investigations continue, users are urged to update their software regularly and remain vigilant against potential cyber threats.
Mobile spyware typically attacks mobile devices through three methods:
- Flaws in operating systems: Attackers can exploit flaws in mobile operating systems that are typically opened up by holes in updates.
- Malicious applications: These typically lurk within legitimate applications that users download from websites rather than app stores.
- Unsecured free Wi-Fi networks: Wi-Fi networks in public places like airports and cafes are often free and simple to sign in to, which makes them a serious security risk. Attackers can use these networks to spy on what connected users are doing.
Significant Cyber threat of Spyware
The Spyware attack left users fall prey to online digital attack and question on govt. surveillance which was taken seriously by Italy.Over the years Spyware infected millions of devices, stealing sensitive information.
Some of the most devastating spyware cases helps us understand how serious this threat can be.
- Pegasus — Spyware Behind Global Surveillance Scandals
Pegasus — developed by Israeli tech firm NSO Group — is the most high-profile spyware ever created. While it was originally marketed as a tool for governments to combat terrorism and criminal activities, it has become infamous for its misuse.
Reports have revealed that Pegasus has been used to monitor journalists, activists, and political figures, raising serious concerns about privacy and human rights violations. Its ability to infect devices without any user interaction makes it especially dangerous and difficult to detect.
- FinSpy (FinFisher) — Government Tool for Full Device Control
FinSpy, also known as FinFisher, is a spyware tool developed by Gamma Group, a company based in Germany. Initially marketed to governments and law enforcement agencies as a way to combat crime and terrorism, FinSpy has been linked to unauthorized surveillance and there is concern about its use by oppressive regimes. The spyware is capable of targeting multiple platforms, including Windows, macOS, and Linux, making it versatile and difficult to escape.
- GravityRAT — Cross-Border Espionage Targeting India
GravityRAT spyware was initially designed to target individuals in India. It’s believed to be linked to cyber espionage efforts originating from Pakistan. Its primary goal is to steal sensitive information, including files, contact lists, and user data.
GravityRAT typically spreads through phishing emails that trick users into downloading malicious attachments. Once the victim opens the file, the spyware silently installs itself, granting attackers control over the infected device.
- DarkHotel — Targeting Business Travelers Through Hotel Wi-Fi
DarkHotel is a sophisticated spyware campaign that’s been active for over a decade, primarily targeting business travelers staying in luxury hotels. Discovered in 2007, this Advanced Persistent Threat (APT) has affected high-profile executives, government officials, and corporate leaders. The attackers aim to steal sensitive business information, like trade secrets and confidential documents, while victims are connected to hotel Wi-Fi networks.
- Agent Tesla — Password and Keystroke Thief for Hire
Agent Tesla is technically classified as a Remote Access Trojan (RAT) and keylogger, though it has spyware-like functionalities. First discovered in 2014, Agent Tesla has gained notoriety for its ability to steal sensitive information, such as login credentials, keystrokes, and clipboard data. It can also take screenshots and extract information from email clients, web browsers, and other applications, making it a powerful tool for cybercriminals.
Recent Comments