Multiple Vulnerabilities in Microsoft Office Products (June 2026)
3 rules | 4 TTPs | 5 CVEs
CERT-FR has disclosed 31 vulnerabilities in various Microsoft Office products, including CVE-2026-44803 and CVE-2026-47635, which could allow remote code execution, privilege escalation, and data confidentiality compromise.
BTMOB Android RAT: MaaS Platform Targeting Android Devices
2 rules | 6 TTPs | 58 IOCs
BTMOB is a Malware-as-a-Service (MaaS) Android RAT, first observed in February 2025, that uses phishing lures and the abuse of Android Accessibility Services to gain control of devices for data exfiltration, screen capture, and remote access.
CVE-2026-5804 - Motorola Factory Test Improper Authentication Vulnerability
2 rules | 1 TTP | 1 CVE
The Motorola Factory Test component (com.motorola.motocit) contains an improper authentication vulnerability, allowing a local attacker to bypass permission checks and access protected device settings by leveraging a writable file descriptor in external storage to open a TCP server.
Q1 2026 Mobile Threat Landscape: SparkCat and Triada Updates
2 rules | 1 TTP
The Q1 2026 mobile threat landscape saw a decrease in overall attack volume, driven by reduced adware and RiskTool detections, while the number of unique users targeted remained stable, with new SparkCat variants on app stores and increased banking Trojan and Triada backdoor activity.
Pixel 10 Zero-Click Exploit Chain via Dolby and VPU Driver Vulnerabilities
3 rules | 1 TTP | 1 CVE
A zero-click exploit chain was developed for the Google Pixel 10, achieving root access on Android by exploiting a patched Dolby vulnerability (CVE-2025-54957) and a memory mapping vulnerability in the Chips&Media Wave677DV video processing unit (VPU) driver.
CallPhantom Android Apps Falsely Promise Call History for Payment
2 rules
ESET researchers discovered 28 fraudulent Android apps, named CallPhantom, on Google Play that falsely claim to provide call logs for any phone number in exchange for payment, generating random data or requesting email addresses and amassing over 7.3 million downloads before being removed.
ScarCruft Compromises Gaming Platform in Supply-Chain Attack
2 rules | 4 TTPs | 4 IOCs
The ScarCruft APT group conducted a supply-chain attack targeting the Yanbian region by compromising a gaming platform, sqgame, used by ethnic Koreans, trojanizing Windows and Android games with the BirdCall backdoor for espionage activities since late 2024.
ScarCruft (APT37) Deploying BirdCall Android Backdoor via Compromised Game Platform
2 rules | 5 TTPs | 1 IOC
The APT37 group (ScarCruft) is distributing an Android version of the BirdCall backdoor via a supply-chain attack targeting a Chinese video game platform, sqgame[.]net, to collect sensitive information from users.
Google Android Remote Code Execution Vulnerability
2 rules | 1 TTP | 1 CVE
A vulnerability in Google Android allows a remote attacker to execute arbitrary code, affecting Android versions 14, 15, 16 and 16-qpr2 prior to the May 4, 2026 patch.
Apktool Path Traversal Vulnerability (CVE-2026-39973)
2 rules | 3 TTPs | 1 CVE
A path traversal vulnerability in Apktool versions 3.0.0 and 3.0.1 allows a malicious APK file to write arbitrary files to the filesystem during decoding, potentially leading to remote code execution.
Mirax RAT Targeting Android Users in Europe
2 rules | 4 TTPs
Mirax RAT, a new Android RAT distributed as MaaS, is targeting European users by turning infected devices into residential proxy nodes and enabling credential theft via overlay and notification injection.
OpenClaw WebView JavascriptInterface Vulnerability (CVE-2026-35643)
2 rules | 1 TTP | 1 CVE
OpenClaw before 2026.3.22 is vulnerable to arbitrary code execution due to an unvalidated WebView JavascriptInterface, allowing attackers to inject malicious instructions by invoking the canvas bridge from untrusted pages.
Android-ImageMagick7 Memory Leak Vulnerability (CVE-2026-33852)
2 rules | 1 TTP
A missing release of memory vulnerability (CVE-2026-33852) in MolotovCherry Android-ImageMagick7 before version 7.1.2-11 can lead to a denial-of-service condition due to memory exhaustion.
Android-ImageMagick7 Out-of-Bounds Write Vulnerability (CVE-2026-33854)
2 rules | 1 TTP
An unauthenticated, remote attacker can exploit an out-of-bounds write vulnerability (CVE-2026-33854) in MolotovCherry Android-ImageMagick7 versions before 7.1.2-10 by enticing a user to open a malicious image, potentially leading to arbitrary code execution.
EquityPandit 1.0 Insecure Logging Vulnerability (CVE-2019-25605)
2 rules | 1 TTP
EquityPandit 1.0 contains an insecure logging vulnerability (CVE-2019-25605) that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge, specifically exposing plaintext passwords during the forgot password function.
Maltrail IOC Feed Update for Multiple Threats
3 rules | 6 TTPs | 40 IOCs
This brief summarizes IOCs extracted from the Maltrail feed on March 15, 2026, covering domains and URLs associated with threats targeting macOS and Android platforms, including OSX_Atomic, FakeApp, Android_Joker, Lummack2, APT_Sidewinder, APT_Kimsuky, and Hak5Cloud_C2.