{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/android/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-39973"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["apktool","path-traversal","android","cve-2026-39973"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eApktool, a tool used for reverse engineering Android APK files, is vulnerable to a path traversal issue in versions 3.0.0 and 3.0.1 (CVE-2026-39973). This vulnerability resides within the \u003ccode\u003ebrut/androlib/res/decoder/ResFileDecoder.java\u003c/code\u003e component. A maliciously crafted APK can exploit this flaw during standard decoding (\u003ccode\u003eapktool d\u003c/code\u003e) to write arbitrary files to the filesystem. The vulnerability is a security regression introduced by commit e10a045 (PR #4041, December 12, 2025), which inadvertently removed the \u003ccode\u003eBrutIO.sanitizePath()\u003c/code\u003e call, a crucial safeguard against path traversal attacks. By embedding \u003ccode\u003e../\u003c/code\u003e sequences in the \u003ccode\u003eresources.arsc\u003c/code\u003e Type String Pool, attackers can bypass directory restrictions and write files to sensitive locations, such as \u003ccode\u003e~/.ssh/config\u003c/code\u003e, \u003ccode\u003e~/.bashrc\u003c/code\u003e, or Windows Startup folders, ultimately enabling remote code execution. 
Apktool version 3.0.2 addresses this vulnerability by reintroducing the \u003ccode\u003eBrutIO.sanitizePath()\u003c/code\u003e function in \u003ccode\u003eResFileDecoder.java\u003c/code\u003e, effectively mitigating the path traversal risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Android APK file.\u003c/li\u003e\n\u003cli\u003eThe attacker embeds \u003ccode\u003e../\u003c/code\u003e sequences within the \u003ccode\u003eresources.arsc\u003c/code\u003e Type String Pool of the APK.\u003c/li\u003e\n\u003cli\u003eA user attempts to decode the malicious APK file using a vulnerable version of Apktool (3.0.0 or 3.0.1) via the command \u003ccode\u003eapktool d malicious.apk\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring the decoding process, the \u003ccode\u003eResFileDecoder.java\u003c/code\u003e component processes the \u003ccode\u003eresources.arsc\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eDue to the missing \u003ccode\u003eBrutIO.sanitizePath()\u003c/code\u003e call, the \u003ccode\u003e../\u003c/code\u003e sequences are not sanitized, allowing path traversal.\u003c/li\u003e\n\u003cli\u003eApktool attempts to write a resource file to a location outside the intended output directory.\u003c/li\u003e\n\u003cli\u003eThe resource file is written to an arbitrary location on the filesystem, potentially overwriting critical system files (e.g., \u003ccode\u003e~/.bashrc\u003c/code\u003e, \u003ccode\u003e~/.ssh/config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIf a file like \u003ccode\u003e~/.bashrc\u003c/code\u003e is overwritten, subsequent shell sessions execute malicious code, achieving remote code execution. 
If a Windows Startup folder is targeted, the code executes on the next reboot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to write arbitrary files to the filesystem of the machine running Apktool. This can lead to various malicious outcomes, including remote code execution, privilege escalation, and data exfiltration. The impact is particularly severe if Apktool is run with elevated privileges or if sensitive files are overwritten. While specific victim numbers are not available, developers and security researchers who rely on Apktool for APK analysis are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Apktool version 3.0.2 or later to remediate CVE-2026-39973.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on sensitive files like \u003ccode\u003e~/.bashrc\u003c/code\u003e and \u003ccode\u003e~/.ssh/config\u003c/code\u003e to detect unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring to detect the execution of \u003ccode\u003eapktool d\u003c/code\u003e with suspicious arguments, particularly targeting unexpected output directories.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Apktool Path Traversal Attempt\u0026rdquo; to identify potential exploitation attempts based on command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T02:16:07Z","date_published":"2026-04-21T02:16:07Z","id":"/briefs/2026-04-apktool-path-traversal/","summary":"A path traversal vulnerability in Apktool versions 3.0.0 and 3.0.1 allows a malicious APK file to write arbitrary files to the filesystem during decoding, potentially leading to remote code execution.","title":"Apktool Path Traversal Vulnerability 
(CVE-2026-39973)","url":"https://feed.craftedsignal.io/briefs/2026-04-apktool-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["android","rat","mirax","malware-as-a-service","proxy"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Mirax RAT is a newly identified Android Remote Access Trojan (RAT) that has been actively targeting users in Europe since March 2026. It\u0026rsquo;s offered as Malware-as-a-Service (MaaS) to a small group of affiliates, primarily Russian-speaking actors, through tiered subscription models. Since December 2025, Mirax has been promoted on underground forums and used in multiple campaigns. The RAT\u0026rsquo;s distribution relies on malicious advertisements on Meta platforms like Facebook, Instagram, and Messenger, with over 200,000 users potentially exposed to these ads. The malware uses dropper pages hosted on GitHub and relies on APK sideloading for execution, bypassing the Google Play Store\u0026rsquo;s security measures. 
Mirax\u0026rsquo;s capabilities extend beyond typical RAT functions, including turning infected devices into residential proxy nodes via a SOCKS5 proxy.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker creates malicious ads on Facebook, Instagram, and Messenger promoting IPTV application services.\u003c/li\u003e\n\u003cli\u003eUsers click on the advertisements, which redirect them to dropper pages hosted on GitHub.\u003c/li\u003e\n\u003cli\u003eThe user is prompted to enable installation from unknown sources on their Android device.\u003c/li\u003e\n\u003cli\u003eThe malicious IPTV application is installed via APK sideloading.\u003c/li\u003e\n\u003cli\u003eThe application initiates a multi-stage infection process, utilizing Golden Encryption (Golden Crypt) to pack the payload.\u003c/li\u003e\n\u003cli\u003eThe payload, an encrypted Dalvik Executable (.dex) file, is decrypted during installation using the RC4 stream cipher with a hardcoded key.\u003c/li\u003e\n\u003cli\u003eMirax gains control of the device, enabling overlay and notification injection for credential theft.\u003c/li\u003e\n\u003cli\u003eAttackers can view the screen in real-time, navigate and control the device, manage applications, exfiltrate images and text, and launch a SOCKS5 proxy connection to proxy traffic through the infected device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Mirax RAT campaign has the potential to affect a large number of Android users in Europe. The malicious advertisements have already reached over 200,000 users. Successful infections can lead to credential theft, financial fraud, data exfiltration, and the compromised device being used as a residential proxy, potentially masking malicious activity and further expanding the attacker\u0026rsquo;s reach. 
Banks and financial institutions are specifically highlighted as high-value targets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for connections to GitHub domains associated with APK downloads, and correlate them with Android device user agents (Network Connection and User Agent logs).\u003c/li\u003e\n\u003cli\u003eImplement detections for process creation events related to sideloaded APK installations, specifically looking for unusual parent-child process relationships (Process Creation Logs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect the execution of applications from untrusted sources and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for SOCKS5 proxy traffic originating from Android devices, which may indicate compromised devices acting as residential proxies (Network Connection Logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-mirax-rat/","summary":"Mirax RAT, a new Android RAT distributed as MaaS, is targeting European users by turning infected devices into residential proxy nodes and enabling credential theft via overlay and notification injection.","title":"Mirax RAT Targeting Android Users in Europe","url":"https://feed.craftedsignal.io/briefs/2026-04-mirax-rat/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35643"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-35643","rce","android"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.3.22 are susceptible to a critical vulnerability (CVE-2026-35643) stemming from an unvalidated WebView JavascriptInterface. This flaw enables attackers to inject arbitrary instructions and execute malicious code within the context of the Android application. 
The vulnerability arises because untrusted web pages can exploit the canvas bridge, a component responsible for communication between the WebView and the native Android code. Successful exploitation allows an attacker to gain control over the application\u0026rsquo;s resources and potentially the device itself. This is a severe risk for any application using OpenClaw, as it could lead to data theft, malware installation, or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application utilizing a vulnerable version of OpenClaw (prior to 2026.3.22).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious web page containing JavaScript code designed to exploit the unvalidated WebView JavascriptInterface.\u003c/li\u003e\n\u003cli\u003eThe victim unknowingly navigates to the attacker-controlled web page, likely through social engineering or malicious advertising.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript code on the page interacts with the vulnerable canvas bridge within the OpenClaw WebView.\u003c/li\u003e\n\u003cli\u003eThe attacker injects arbitrary instructions through the canvas bridge, leveraging the lack of input validation.\u003c/li\u003e\n\u003cli\u003eThese injected instructions are then executed within the Android application context, bypassing security restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the application\u0026rsquo;s resources, such as user data or device functionalities.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code, potentially leading to data exfiltration, malware installation, or complete device compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-35643 in OpenClaw can lead to complete compromise of the Android application and potentially the device it is 
running on. This can result in data theft, unauthorized access to sensitive information, installation of malware, and other malicious activities. While the exact number of vulnerable applications is unknown, the widespread use of OpenClaw could potentially affect a large number of users. The vulnerability is particularly dangerous because it can be exploited remotely through a simple web page, making it easily accessible to attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.22 or later to patch CVE-2026-35643, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all data received through the WebView JavascriptInterface to prevent arbitrary code injection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect attempts to exploit the canvas bridge within OpenClaw (see \u0026ldquo;Detect Suspicious WebView Bridge Usage\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003eMonitor web traffic for access to untrusted URLs from applications utilizing OpenClaw to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T17:17:04Z","date_published":"2026-04-10T17:17:04Z","id":"/briefs/2026-04-openclaw-webview-rce/","summary":"OpenClaw before 2026.3.22 is vulnerable to arbitrary code execution due to an unvalidated WebView JavascriptInterface, allowing attackers to inject malicious instructions by invoking the canvas bridge from untrusted pages.","title":"OpenClaw WebView JavascriptInterface Vulnerability (CVE-2026-35643)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-webview-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve","memory leak","denial of service","android"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33852 is a \u0026ldquo;Missing 
Release of Memory after Effective Lifetime\u0026rdquo; vulnerability affecting MolotovCherry Android-ImageMagick7 versions prior to 7.1.2-11. Discovered by the Government Technology Agency of Singapore Cyber Security Group (GovTech CSG), this memory leak can occur when processing specially crafted image files. An attacker could potentially exploit this vulnerability to cause a denial-of-service condition on a vulnerable Android device by repeatedly triggering the memory leak…\u003c/p\u003e\n","date_modified":"2026-03-24T07:16:07Z","date_published":"2026-03-24T07:16:07Z","id":"/briefs/2026-03-android-imagemagick-memory-leak/","summary":"A missing release of memory vulnerability (CVE-2026-33852) in MolotovCherry Android-ImageMagick7 before version 7.1.2-11 can lead to a denial-of-service condition due to memory exhaustion.","title":"Android-ImageMagick7 Memory Leak Vulnerability (CVE-2026-33852)","url":"https://feed.craftedsignal.io/briefs/2026-03-android-imagemagick-memory-leak/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","out-of-bounds write","android","imagemagick"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33854 is an out-of-bounds write vulnerability affecting MolotovCherry Android-ImageMagick7 versions prior to 7.1.2-10.  This vulnerability stems from improper bounds checking within the image processing logic. The Government Technology Agency of Singapore Cyber Security Group (GovTech CSG) reported this vulnerability. Successful exploitation could lead to a denial of service, information disclosure, or potentially arbitrary code execution on the affected device. 
Due to the widespread…\u003c/p\u003e\n","date_modified":"2026-03-24T06:16:22Z","date_published":"2026-03-24T06:16:22Z","id":"/briefs/2026-03-android-imagemagick-oob-write/","summary":"An unauthenticated, remote attacker can exploit an out-of-bounds write vulnerability (CVE-2026-33854) in MolotovCherry Android-ImageMagick7 versions before 7.1.2-10 by enticing a user to open a malicious image, potentially leading to arbitrary code execution.","title":"Android-ImageMagick7 Out-of-Bounds Write Vulnerability (CVE-2026-33854)","url":"https://feed.craftedsignal.io/briefs/2026-03-android-imagemagick-oob-write/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["insecure-logging","credential-access","android"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eEquityPandit 1.0, an Android application, is vulnerable to insecure logging practices. Specifically, the application logs sensitive user credentials, including plaintext passwords, within the developer console logs. This vulnerability, identified as CVE-2019-25605, allows an attacker with access to the device or ADB (Android Debug Bridge) to extract these credentials. The vulnerability was reported in 2019, but publicly disclosed details and exploits surfaced more recently. 
Successful…\u003c/p\u003e\n","date_modified":"2026-03-23T14:00:00Z","date_published":"2026-03-23T14:00:00Z","id":"/briefs/2026-03-equitypandit-logging/","summary":"EquityPandit 1.0 contains an insecure logging vulnerability (CVE-2019-25605) that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge, specifically exposing plaintext passwords during the forgot password function.","title":"EquityPandit 1.0 Insecure Logging Vulnerability (CVE-2019-25605)","url":"https://feed.craftedsignal.io/briefs/2026-03-equitypandit-logging/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["maltrail","ioc","osx","android","apt"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief highlights indicators of compromise (IOCs) identified on March 15, 2026, through the Maltrail feed. The identified IOCs are associated with a variety of threat actors and malware families, targeting both macOS and Android operating systems. The threats include OSX_Atomic, which potentially delivers malware to macOS systems; FakeApp, used for deceptive applications; Android_Joker, a known Android malware family; Lummack2, an information stealer; APT_Sidewinder, an advanced persistent threat actor; APT_Kimsuky, another APT group; and Hak5Cloud_C2, related to Hak5 Cloud Command and Control infrastructure. This diverse set of IOCs underscores the wide range of threats organizations face and the importance of monitoring network traffic and system logs for malicious activity. 
This data is crucial for detection engineers to build and deploy relevant detection rules to protect their environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (OSX_Atomic/FakeApp):\u003c/strong\u003e User downloads a seemingly legitimate application from a compromised website (e.g., \u003ccode\u003eappsformacs.com\u003c/code\u003e, \u003ccode\u003etorrents4mac.com\u003c/code\u003e, or a FakeApp site like \u003ccode\u003eadhushapp-razvd.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution (OSX_Atomic/FakeApp):\u003c/strong\u003e The downloaded application is executed on the user\u0026rsquo;s macOS or Android device. This may involve bypassing security warnings or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (OSX_Atomic/Android_Joker):\u003c/strong\u003e The malware establishes persistence on the system, potentially using techniques such as modifying startup items or scheduled tasks (OSX_Atomic), or registering as a background service (Android_Joker).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (Multiple):\u003c/strong\u003e The malware connects to a command-and-control (C2) server (e.g., \u003ccode\u003ec2.socops.net\u003c/code\u003e, \u003ccode\u003eonev.online\u003c/code\u003e) to receive instructions and exfiltrate data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Theft (Lummack2):\u003c/strong\u003e The malware attempts to steal credentials stored on the system or in web browsers, potentially using keylogging or form grabbing techniques (Lummack2).  
Observed communicating with \u003ccode\u003epolice-center.vg\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (Multiple):\u003c/strong\u003e Sensitive data, such as credentials, financial information, or personal data, is exfiltrated to the C2 server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (APT_Sidewinder/APT_Kimsuky):\u003c/strong\u003e The attacker uses the compromised system to move laterally within the network, targeting other systems and data.  APT_Sidewinder uses domains like \u003ccode\u003evisa.nadra.gov-pk.info\u003c/code\u003e while APT_Kimsuky leverages \u003ccode\u003enaver.liferod.com\u003c/code\u003e for potential C2 or phishing activities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Multiple):\u003c/strong\u003e The attacker achieves their objectives, which may include financial gain (through fraud or extortion), intellectual property theft, or espionage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe identified IOCs represent a diverse range of threats that can have significant impact on organizations and individuals. Successful attacks can lead to financial losses due to fraud or ransomware, data breaches resulting in the theft of sensitive information, and reputational damage. The targeting of macOS and Android devices indicates a broad scope of potential victims, encompassing both corporate and personal devices. The involvement of APT groups like APT_Sidewinder and APT_Kimsuky suggests potential for targeted attacks with significant impact on national security or critical infrastructure. 
A single successful infection can lead to widespread compromise within an organization\u0026rsquo;s network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the malicious domains listed in the IOC table at the DNS resolver and firewall to prevent communication with known C2 infrastructure.\u003c/li\u003e\n\u003cli\u003eImplement a network intrusion detection system (NIDS) rule to detect connections to the malicious domains and URLs (IOCs) to identify potentially compromised systems.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM and tune them for your specific environment to detect suspicious process execution and network connections.\u003c/li\u003e\n\u003cli\u003eInvestigate systems communicating with any of the listed IOCs (domains/URLs) for signs of malware infection or unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-15T21:00:08Z","date_published":"2026-03-15T21:00:08Z","id":"/briefs/2026-03-maltrail-iocs/","summary":"This brief summarizes IOCs extracted from the Maltrail feed on March 15, 2026, covering domains and URLs associated with threats targeting macOS and Android platforms, including OSX_Atomic, FakeApp, Android_Joker, Lummack2, APT_Sidewinder, APT_Kimsuky, and Hak5Cloud_C2.","title":"Maltrail IOC Feed Update for Multiple Threats","url":"https://feed.craftedsignal.io/briefs/2026-03-maltrail-iocs/"}],"language":"en","title":"CraftedSignal Threat Feed — Android","version":"https://jsonfeed.org/version/1.1"}