<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Android — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/android/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 21 Apr 2026 02:16:07 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/android/feed.xml" rel="self" type="application/rss+xml"/><item><title>Apktool Path Traversal Vulnerability (CVE-2026-39973)</title><link>https://feed.craftedsignal.io/briefs/2026-04-apktool-path-traversal/</link><pubDate>Tue, 21 Apr 2026 02:16:07 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-apktool-path-traversal/</guid><description>A path traversal vulnerability in Apktool versions 3.0.0 and 3.0.1 allows a malicious APK file to write arbitrary files to the filesystem during decoding, potentially leading to remote code execution.</description><content:encoded><![CDATA[<p>Apktool, a tool used for reverse engineering Android APK files, is vulnerable to a path traversal issue in versions 3.0.0 and 3.0.1 (CVE-2026-39973). This vulnerability resides within the <code>brut/androlib/res/decoder/ResFileDecoder.java</code> component. A maliciously crafted APK can exploit this flaw during standard decoding (<code>apktool d</code>) to write arbitrary files to the filesystem. The vulnerability is a security regression introduced by commit e10a045 (PR #4041, December 12, 2025), which inadvertently removed the <code>BrutIO.sanitizePath()</code> call, a crucial safeguard against path traversal attacks. 
Because the resource file name is taken from the <code>resources.arsc</code> Type String Pool and joined to the output directory without normalization, an embedded <code>../</code> sequence climbs out of that directory, so a crafted APK can drop files into sensitive locations such as <code>~/.ssh/config</code>, <code>~/.bashrc</code>, or a Windows Startup folder, and those files are then run by the victim's own shell, SSH client, or logon session. Apktool 3.0.2 fixes the issue by reinstating the <code>BrutIO.sanitizePath()</code> call in <code>ResFileDecoder.java</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious Android APK file.</li>
<li>The attacker embeds <code>../</code> sequences within the <code>resources.arsc</code> Type String Pool of the APK.</li>
<li>A user attempts to decode the malicious APK file using a vulnerable version of Apktool (3.0.0 or 3.0.1) via the command <code>apktool d malicious.apk</code>.</li>
<li>During the decoding process, the <code>ResFileDecoder.java</code> component processes the <code>resources.arsc</code> file.</li>
<li>Due to the missing <code>BrutIO.sanitizePath()</code> call, the <code>../</code> sequences are not sanitized, allowing path traversal.</li>
<li>Apktool attempts to write a resource file to a location outside the intended output directory.</li>
<li>The resource file is written to an arbitrary location reachable by the user running Apktool, overwriting user files that are later interpreted as code or configuration (e.g., <code>~/.bashrc</code>, <code>~/.ssh/config</code>).</li>
<li>If <code>~/.bashrc</code> is overwritten, the next interactive shell runs the attacker's commands; a planted <code>~/.ssh/config</code> can use <code>ProxyCommand</code> to run a command on the next <code>ssh</code> invocation; a file in a Windows Startup folder runs at the next logon. The result is code execution as the analyst, triggered by a file they chose to decode rather than by any inbound network access.</li>
</ol>
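<p>The chain above hinges on a file name that is read from a string pool and joined to the output directory unchecked. The following Python script, an added example that is not Apktool code, shows what a pre-decode triage check looks like: it walks the chunk tree of a <code>resources.arsc</code>, parses every <code>ResStringPool</code> (the global pool and each package's type and key pools), and flags path-like entries that a sanitizer would reject. The sample <code>resources.arsc</code> is hand-built inline, and <code>is_safe_resource_path()</code> is modeled on the idea of a path sanitizer, not on the actual <code>BrutIO.sanitizePath()</code> implementation.</p>

```python
"""Added example, not Apktool code: a pre-decode triage check for CVE-2026-39973-style
traversal. It walks the chunk tree of a resources.arsc, collects every ResStringPool,
and flags entries that would escape the output directory if joined to it unnormalized.
The sample .arsc is constructed inline; is_safe_resource_path() is modeled on the
idea of a path sanitizer, not on Apktool's own BrutIO.sanitizePath() implementation.
"""
import os
import re
import struct

RES_STRING_POOL_TYPE = 0x0001
RES_TABLE_TYPE = 0x0002
RES_TABLE_PACKAGE_TYPE = 0x0200
UTF8_FLAG = 0x100


def _len_u8(buf, p):
    """ResStringPool UTF-8 length: one byte, or two when the high bit is set."""
    v = buf[p]
    return (((v & 0x7F) << 8) | buf[p + 1], p + 2) if v & 0x80 else (v, p + 1)


def _len_u16(buf, p):
    """ResStringPool UTF-16 length: one u16, or two when the high bit is set."""
    v = struct.unpack_from("<H", buf, p)[0]
    if v & 0x8000:
        return ((v & 0x7FFF) << 16) | struct.unpack_from("<H", buf, p + 2)[0], p + 4
    return v, p + 2


def parse_string_pool(buf, off):
    """Return the strings of the ResStringPool chunk that starts at buf[off]."""
    (_type, hsize, _size, count, _nstyles, flags,
     strings_start, _styles_start) = struct.unpack_from("<HHIIIIII", buf, off)
    offsets = struct.unpack_from("<%dI" % count, buf, off + hsize)
    out = []
    for o in offsets:
        p = off + strings_start + o
        if flags & UTF8_FLAG:
            _nchars, p = _len_u8(buf, p)     # UTF-16 char count, not needed here
            nbytes, p = _len_u8(buf, p)
            out.append(buf[p:p + nbytes].decode("utf-8", "replace"))
        else:
            nchars, p = _len_u16(buf, p)
            out.append(buf[p:p + 2 * nchars].decode("utf-16-le", "replace"))
    return out


def iter_string_pools(buf, start=0, end=None):
    """Yield (offset, strings) for every pool, descending into table and package chunks."""
    end = len(buf) if end is None else end
    off = start
    while off + 8 <= end:
        ctype, hsize, size = struct.unpack_from("<HHI", buf, off)
        if size < 8 or off + size > end:
            raise ValueError("malformed chunk at offset %d" % off)
        if ctype == RES_STRING_POOL_TYPE:
            yield off, parse_string_pool(buf, off)
        elif ctype in (RES_TABLE_TYPE, RES_TABLE_PACKAGE_TYPE):
            yield from iter_string_pools(buf, off + hsize, off + size)
        off += size


def is_safe_resource_path(name):
    """Reject NULs, backslashes, absolute and drive-letter paths, and any '.'/'..' segment."""
    if not name or "\x00" in name or "\\" in name:
        return False
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        return False
    return all(seg not in ("", ".", "..") for seg in name.split("/"))


def find_unsafe_paths(arsc):
    """Path-like pool strings that fail the sanitizer; empty for a benign resources.arsc."""
    return [s for _, pool in iter_string_pools(arsc) for s in pool
            if ("/" in s or "\\" in s) and not is_safe_resource_path(s)]


def stays_inside(outdir, name):
    """The belt-and-braces check to apply right before writing: resolve and compare roots."""
    root = os.path.abspath(outdir)
    return os.path.commonpath([root, os.path.abspath(os.path.join(root, name))]) == root


# ---- constructed sample resources.arsc (hand-built, not taken from any real APK) ----
def _build_pool(strings):
    data, offsets = b"", []
    for s in strings:                        # short strings only (< 128 bytes)
        b = s.encode("utf-8")
        offsets.append(len(data))
        data += bytes([len(s), len(b)]) + b + b"\x00"
    data += b"\x00" * ((-len(data)) % 4)
    strings_start = 28 + 4 * len(strings)
    header = struct.pack("<HHIIIIII", RES_STRING_POOL_TYPE, 28, strings_start + len(data),
                         len(strings), 0, UTF8_FLAG, strings_start, 0)
    return header + b"".join(struct.pack("<I", o) for o in offsets) + data


def build_sample_arsc():
    global_pool = _build_pool(["res/drawable/icon.png", "../../../.bashrc"])
    type_pool = _build_pool(["attr", "drawable"])
    key_pool = _build_pool(["icon", "../../.ssh/config"])
    pkg_hsize = 288                          # sizeof(ResTable_package)
    pkg_size = pkg_hsize + len(type_pool) + len(key_pool)
    pkg = (struct.pack("<HHII", RES_TABLE_PACKAGE_TYPE, pkg_hsize, pkg_size, 0x7F)
           + "com.example".encode("utf-16-le").ljust(256, b"\x00")
           + struct.pack("<IIIII", pkg_hsize, 2, pkg_hsize + len(type_pool), 2, 0)
           + type_pool + key_pool)
    body = global_pool + pkg
    return struct.pack("<HHII", RES_TABLE_TYPE, 12, 12 + len(body), 1) + body
```

<p>To run it against a real sample, extract <code>resources.arsc</code> from the APK with <code>zipfile</code> and pass the bytes to <code>find_unsafe_paths()</code>; anything it returns is reason to decode the file only inside a throwaway environment. <code>stays_inside()</code> is the second, independent check a decoder should make at write time, since a sanitizer that is later removed by refactoring (which is exactly what happened here) is the single point of failure.</p>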
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an attacker to write arbitrary files, as the user running Apktool, to the filesystem of the machine performing the decode. Because the written file can be a shell startup file, an SSH client configuration, or a Startup-folder item, this amounts to code execution in that user's context; privilege escalation follows only where Apktool is run with elevated privileges, and data exfiltration from whatever that code then does. While specific victim numbers are not available, developers and security researchers who rely on Apktool for APK analysis are at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to Apktool version 3.0.2 or later to remediate CVE-2026-39973.</li>
<li>Implement file integrity monitoring on the files a traversal write would target, such as <code>~/.bashrc</code>, <code>~/.ssh/config</code>, and the Windows Startup folders, to detect unauthorized modifications.</li>
<li>Monitor file writes by the Java process running <code>apktool d</code> that land outside the chosen output directory; the traversal payload lives inside the APK, so command-line arguments alone will not reveal a malicious sample.</li>
<li>Deploy the Sigma rule &ldquo;Detect Apktool Path Traversal Attempt&rdquo; to identify potential exploitation attempts based on command-line arguments, and pair it with the file-write telemetry above, which is what actually evidences exploitation.</li>
<li>Decode untrusted APKs in a disposable container or VM whose home directory is not the analyst's own, so that a successful out-of-tree write has nothing of value to overwrite.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>apktool</category><category>path-traversal</category><category>android</category><category>cve-2026-39973</category></item><item><title>Mirax RAT Targeting Android Users in Europe</title><link>https://feed.craftedsignal.io/briefs/2026-04-mirax-rat/</link><pubDate>Thu, 16 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-mirax-rat/</guid><description>Mirax RAT, a new Android RAT distributed as MaaS, is targeting European users by turning infected devices into residential proxy nodes and enabling credential theft via overlay and notification injection.</description><content:encoded><![CDATA[<p>The Mirax RAT is a newly identified Android Remote Access Trojan (RAT) that has been actively targeting users in Europe since March 2026. It&rsquo;s offered as Malware-as-a-Service (MaaS) to a small group of affiliates, primarily Russian-speaking actors, through tiered subscription models. Since December 2025, Mirax has been promoted on underground forums and used in multiple campaigns. The RAT&rsquo;s distribution relies on malicious advertisements on Meta platforms like Facebook, Instagram, and Messenger, with over 200,000 users potentially exposed to these ads. The malware uses dropper pages hosted on GitHub and relies on APK sideloading for execution, bypassing the Google Play Store&rsquo;s security measures. Mirax&rsquo;s capabilities extend beyond typical RAT functions, including turning infected devices into residential proxy nodes via a SOCKS5 proxy.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker creates malicious ads on Facebook, Instagram, and Messenger promoting IPTV application services.</li>
<li>Users click on the advertisements, which redirect them to dropper pages hosted on GitHub.</li>
<li>The user is prompted to enable installation from unknown sources on their Android device.</li>
<li>The malicious IPTV application is installed via APK sideloading.</li>
<li>The application initiates a multi-stage infection process, utilizing Golden Encryption (Golden Crypt) to pack the payload.</li>
<li>The payload, an encrypted Dalvik Executable (.dex) file, is decrypted during installation using the RC4 stream cipher with a hardcoded key.</li>
<li>Mirax gains control of the device, enabling overlay and notification injection for credential theft.</li>
<li>Attackers can view the screen in real-time, navigate and control the device, manage applications, exfiltrate images and text, and launch a SOCKS5 proxy connection to proxy traffic through the infected device.</li>
</ol>
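<p>Steps 5 and 6 describe the packing scheme: an encrypted <code>.dex</code> shipped inside the sideloaded APK and decrypted with RC4 under a hardcoded key. The script below is an added example, not Mirax code or the brief's own material: it shows how an analyst confirms a candidate key by RC4-decrypting the suspect asset and checking the DEX header (magic, <code>header_size</code>, <code>file_size</code>, and the adler32 checksum) rather than eyeballing bytes. The key, the DEX body, the asset name, and the APK are all constructed here; nothing on this page gives the real key or asset names.</p>

```python
"""Added example, not Mirax code: recover an RC4-packed .dex stage from an APK and
validate it by its header, the way an analyst confirms a candidate hardcoded key.
The key, the DEX body and the APK below are all constructed; the real Mirax key
and asset names are not on this page.
"""
import io
import struct
import zipfile
import zlib

DEX_MAGICS = tuple(b"dex\n%03d\x00" % v for v in (35, 37, 38, 39))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_dex(blob: bytes) -> bool:
    """Magic, header_size, file_size and the adler32 over bytes [12:] must all agree."""
    if len(blob) < 0x70 or not blob.startswith(DEX_MAGICS):
        return False
    checksum = struct.unpack_from("<I", blob, 0x08)[0]
    file_size, header_size = struct.unpack_from("<II", blob, 0x20)
    return (header_size == 0x70 and file_size == len(blob)
            and checksum == (zlib.adler32(blob[12:]) & 0xFFFFFFFF))


def try_keys(ciphertext: bytes, candidates):
    """First candidate key under which the ciphertext decrypts to a plausible DEX."""
    for key in candidates:
        plain = rc4(key, ciphertext)
        if looks_like_dex(plain):
            return key, plain
    return None, None


def find_encrypted_dex(apk_bytes: bytes, candidates):
    """Try every non-.dex member under assets/ and report the ones that unpack to a DEX."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("assets/") or name.endswith(".dex"):
                continue
            key, plain = try_keys(z.read(name), candidates)
            if key is not None:
                hits.append((name, key, len(plain)))
    return hits


# ---- constructed sample: a 0x80-byte DEX with a valid header, packed into an APK ----
def build_fake_dex() -> bytes:
    hdr = bytearray(0x70)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<II", hdr, 0x20, 0x80, 0x70)       # file_size, header_size
    struct.pack_into("<I", hdr, 0x28, 0x12345678)        # endian_tag
    blob = bytes(hdr) + bytes(0x10)
    checksum = zlib.adler32(blob[12:]) & 0xFFFFFFFF      # real dex files carry this too
    return blob[:8] + struct.pack("<I", checksum) + blob[12:]


SAMPLE_KEY = b"not-the-real-key"                          # constructed
SAMPLE_CIPHERTEXT = rc4(SAMPLE_KEY, build_fake_dex())


def build_sample_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", build_fake_dex())           # the visible loader
        z.writestr("assets/iptv_channels.bin", SAMPLE_CIPHERTEXT)
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + bytes(64))
    return buf.getvalue()
```

<p>Candidate keys normally come from the loader's own <code>classes.dex</code> (string constants handed to the RC4 routine), so the usual workflow is to pull those strings first and feed them to <code>find_encrypted_dex()</code>. Checking the adler32 as well as the magic matters: a wrong key can produce eight bytes that happen to look right far more often than it can produce a consistent checksum over the whole file.</p>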
<h2 id="impact">Impact</h2>
<p>The Mirax RAT campaign has the potential to affect a large number of Android users in Europe. The malicious advertisements have already reached over 200,000 users. Successful infections can lead to credential theft, financial fraud, data exfiltration, and the compromised device being used as a residential proxy, potentially masking malicious activity and further expanding the attacker&rsquo;s reach. Banks and financial institutions are specifically highlighted as high-value targets.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for connections to GitHub domains associated with APK downloads, and correlate them with Android device user agents (Network Connection and User Agent logs).</li>
<li>Implement detections for process creation events related to sideloaded APK installations, specifically looking for unusual parent-child process relationships (Process Creation Logs).</li>
<li>Deploy the Sigma rule provided below to detect the execution of applications from untrusted sources and tune for your environment.</li>
<li>Monitor network connections for SOCKS5 proxy traffic originating from Android devices, which may indicate compromised devices acting as residential proxies (Network Connection Logs).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>android</category><category>rat</category><category>mirax</category><category>malware-as-a-service</category><category>proxy</category></item><item><title>OpenClaw WebView JavascriptInterface Vulnerability (CVE-2026-35643)</title><link>https://feed.craftedsignal.io/briefs/2026-04-openclaw-webview-rce/</link><pubDate>Fri, 10 Apr 2026 17:17:04 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-openclaw-webview-rce/</guid><description>OpenClaw before 2026.3.22 is vulnerable to arbitrary code execution due to an unvalidated WebView JavascriptInterface, allowing attackers to inject malicious instructions by invoking the canvas bridge from untrusted pages.</description><content:encoded><![CDATA[<p>OpenClaw versions prior to 2026.3.22 are susceptible to a critical vulnerability (CVE-2026-35643) stemming from an unvalidated WebView JavascriptInterface. This flaw enables attackers to inject arbitrary instructions and execute malicious code within the context of the Android application. The vulnerability arises because untrusted web pages can exploit the canvas bridge, a component responsible for communication between the WebView and the native Android code. Successful exploitation allows an attacker to gain control over the application&rsquo;s resources and potentially the device itself. This is a severe risk for any application using OpenClaw, as it could lead to data theft, malware installation, or other malicious activities.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an application utilizing a vulnerable version of OpenClaw (prior to 2026.3.22).</li>
<li>The attacker crafts a malicious web page containing JavaScript code designed to exploit the unvalidated WebView JavascriptInterface.</li>
<li>The victim unknowingly navigates to the attacker-controlled web page, likely through social engineering or malicious advertising.</li>
<li>The malicious JavaScript code on the page interacts with the vulnerable canvas bridge within the OpenClaw WebView.</li>
<li>The attacker injects arbitrary instructions through the canvas bridge, leveraging the lack of input validation.</li>
<li>These injected instructions are then executed within the Android application context, bypassing security restrictions.</li>
<li>The attacker gains unauthorized access to the application&rsquo;s resources, such as user data or device functionalities.</li>
<li>The attacker executes arbitrary code, potentially leading to data exfiltration, malware installation, or complete device compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-35643 in OpenClaw can lead to complete compromise of the Android application and potentially the device it is running on. This can result in data theft, unauthorized access to sensitive information, installation of malware, and other malicious activities. While the exact number of vulnerable applications is unknown, the widespread use of OpenClaw could potentially affect a large number of users. The vulnerability is particularly dangerous because it can be exploited remotely through a simple web page, making it easily accessible to attackers.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenClaw to version 2026.3.22 or later to patch CVE-2026-35643.</li>
<li>Implement input validation and sanitization on all data received through the WebView JavascriptInterface to prevent arbitrary code injection.</li>
<li>Deploy the Sigma rule to detect attempts to exploit the canvas bridge within OpenClaw (see &ldquo;Detect Suspicious WebView Bridge Usage&rdquo; rule).</li>
<li>Monitor web traffic for access to untrusted URLs from applications utilizing OpenClaw to identify potential exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-35643</category><category>rce</category><category>android</category></item><item><title>Android-ImageMagick7 Memory Leak Vulnerability (CVE-2026-33852)</title><link>https://feed.craftedsignal.io/briefs/2026-03-android-imagemagick-memory-leak/</link><pubDate>Tue, 24 Mar 2026 07:16:07 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-android-imagemagick-memory-leak/</guid><description>A missing release of memory vulnerability (CVE-2026-33852) in MolotovCherry Android-ImageMagick7 before version 7.1.2-11 can lead to a denial-of-service condition due to memory exhaustion.</description><content:encoded><![CDATA[<p>CVE-2026-33852 is a &ldquo;Missing Release of Memory after Effective Lifetime&rdquo; vulnerability affecting MolotovCherry Android-ImageMagick7 versions prior to 7.1.2-11. Discovered by the Government Technology Agency of Singapore Cyber Security Group (GovTech CSG), this memory leak can occur when processing specially crafted image files. An attacker could potentially exploit this vulnerability to cause a denial-of-service condition on a vulnerable Android device by repeatedly triggering the memory leak…</p>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cve</category><category>memory leak</category><category>denial of service</category><category>android</category></item><item><title>Android-ImageMagick7 Out-of-Bounds Write Vulnerability (CVE-2026-33854)</title><link>https://feed.craftedsignal.io/briefs/2026-03-android-imagemagick-oob-write/</link><pubDate>Tue, 24 Mar 2026 06:16:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-android-imagemagick-oob-write/</guid><description>An unauthenticated, remote attacker can exploit an out-of-bounds write vulnerability (CVE-2026-33854) in MolotovCherry Android-ImageMagick7 versions before 7.1.2-10 by enticing a user to open a malicious image, potentially leading to arbitrary code execution.</description><content:encoded>&lt;p>CVE-2026-33854 is an out-of-bounds write vulnerability affecting MolotovCherry Android-ImageMagick7 versions prior to 7.1.2-10.  This vulnerability stems from improper bounds checking within the image processing logic. The Government Technology Agency of Singapore Cyber Security Group (GovTech CSG) reported this vulnerability. Successful exploitation could lead to a denial of service, information disclosure, or potentially arbitrary code execution on the affected device. Due to the widespread…&lt;/p>
</content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve</category><category>out-of-bounds write</category><category>android</category><category>imagemagick</category></item><item><title>EquityPandit 1.0 Insecure Logging Vulnerability (CVE-2019-25605)</title><link>https://feed.craftedsignal.io/briefs/2026-03-equitypandit-logging/</link><pubDate>Mon, 23 Mar 2026 14:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-equitypandit-logging/</guid><description>EquityPandit 1.0 contains an insecure logging vulnerability (CVE-2019-25605) that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge, specifically exposing plaintext passwords during the forgot password function.</description><content:encoded>&lt;p>EquityPandit 1.0, an Android application, is vulnerable to insecure logging practices. Specifically, the application logs sensitive user credentials, including plaintext passwords, within the developer console logs. This vulnerability, identified as CVE-2019-25605, allows an attacker with access to the device or ADB (Android Debug Bridge) to extract these credentials. The vulnerability was reported in 2019, but publicly disclosed details and exploits surfaced more recently. Successful…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>insecure-logging</category><category>credential-access</category><category>android</category></item><item><title>Maltrail IOC Feed Update for Multiple Threats</title><link>https://feed.craftedsignal.io/briefs/2026-03-maltrail-iocs/</link><pubDate>Sun, 15 Mar 2026 21:00:08 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-maltrail-iocs/</guid><description>This brief summarizes IOCs extracted from the Maltrail feed on March 15, 2026, covering domains and URLs associated with threats targeting macOS and Android platforms, including OSX_Atomic, FakeApp, Android_Joker, Lummack2, APT_Sidewinder, APT_Kimsuky, and Hak5Cloud_C2.</description><content:encoded><![CDATA[<p>This threat brief highlights indicators of compromise (IOCs) identified on March 15, 2026, through the Maltrail feed. The identified IOCs are associated with a variety of threat actors and malware families, targeting both macOS and Android operating systems. The threats include OSX_Atomic, which potentially delivers malware to macOS systems; FakeApp, used for deceptive applications; Android_Joker, a known Android malware family; Lummack2, an information stealer; APT_Sidewinder, an advanced persistent threat actor; APT_Kimsuky, another APT group; and Hak5Cloud_C2, related to Hak5 Cloud Command and Control infrastructure. This diverse set of IOCs underscores the wide range of threats organizations face and the importance of monitoring network traffic and system logs for malicious activity. This data is crucial for detection engineers to build and deploy relevant detection rules to protect their environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access (OSX_Atomic/FakeApp):</strong> User downloads a seemingly legitimate application from a compromised website (e.g., <code>appsformacs.com</code>, <code>torrents4mac.com</code>, or a FakeApp site like <code>adhushapp-razvd.com</code>).</li>
<li><strong>Execution (OSX_Atomic/FakeApp):</strong> The downloaded application is executed on the user&rsquo;s macOS or Android device. This may involve bypassing security warnings or exploiting vulnerabilities.</li>
<li><strong>Persistence (OSX_Atomic/Android_Joker):</strong> The malware establishes persistence on the system, potentially using techniques such as modifying startup items or scheduled tasks (OSX_Atomic), or registering as a background service (Android_Joker).</li>
<li><strong>Command and Control (Multiple):</strong> The malware connects to a command-and-control (C2) server (e.g., <code>c2.socops.net</code>, <code>onev.online</code>) to receive instructions and exfiltrate data.</li>
<li><strong>Credential Theft (Lummack2):</strong> The malware attempts to steal credentials stored on the system or in web browsers, potentially using keylogging or form grabbing techniques (Lummack2).  Observed communicating with <code>police-center.vg</code>.</li>
<li><strong>Data Exfiltration (Multiple):</strong> Sensitive data, such as credentials, financial information, or personal data, is exfiltrated to the C2 server.</li>
<li><strong>Lateral Movement (APT_Sidewinder/APT_Kimsuky):</strong> The attacker uses the compromised system to move laterally within the network, targeting other systems and data. Note that the domains the feed ties to these groups, <code>visa.nadra.gov-pk.info</code> (APT_Sidewinder) and <code>naver.liferod.com</code> (APT_Kimsuky), are look-alikes of legitimate services used for phishing or C2, so a hit on them points at initial access or C2 rather than at lateral movement itself.</li>
<li><strong>Impact (Multiple):</strong> The attacker achieves their objectives, which may include financial gain (through fraud or extortion), intellectual property theft, or espionage.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The identified IOCs represent a diverse range of threats that can have significant impact on organizations and individuals. Successful attacks can lead to financial losses due to fraud or ransomware, data breaches resulting in the theft of sensitive information, and reputational damage. The targeting of macOS and Android devices indicates a broad scope of potential victims, encompassing both corporate and personal devices. The involvement of APT groups like APT_Sidewinder and APT_Kimsuky suggests potential for targeted attacks with significant impact on national security or critical infrastructure. A single successful infection can lead to widespread compromise within an organization&rsquo;s network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Block the malicious domains listed in the IOC table at the DNS resolver and firewall to prevent communication with known C2 infrastructure.</li>
<li>Implement a network intrusion detection system (NIDS) rule to detect connections to the malicious domains and URLs (IOCs) to identify potentially compromised systems.</li>
<li>Deploy the Sigma rules provided below to your SIEM and tune them for your specific environment to detect suspicious process execution and network connections.</li>
<li>Investigate systems communicating with any of the listed IOCs (domains/URLs) for signs of malware infection or unauthorized access.</li>
</ul>
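<p>The first two recommendations come down to matching hostnames against the domains listed above. The script below is an added example, not part of the brief or of Maltrail: it takes the domains named in the attack chain, matches DNS query and proxy URL log lines against them on label boundaries (so <code>www.onev.online</code> hits <code>onev.online</code> while <code>notonev.online</code> does not), and normalizes case, trailing dots, and ports. The <code>key=value</code> log format and every log line are constructed for the example.</p>

```python
"""Added example, not part of the brief: match DNS and proxy log lines against the
domain IOCs named above. Matching is on label boundaries, so subdomains of an IOC
hit while look-alike suffixes (notonev.online) do not. The log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# The domains as they appear in the attack chain above, with the family the brief ties them to.
IOC_DOMAINS = {
    "appsformacs.com": "OSX_Atomic",
    "torrents4mac.com": "OSX_Atomic",
    "adhushapp-razvd.com": "FakeApp",
    "c2.socops.net": "C2 (multiple)",
    "onev.online": "C2 (multiple)",
    "police-center.vg": "Lummack2",
    "visa.nadra.gov-pk.info": "APT_Sidewinder",
    "naver.liferod.com": "APT_Kimsuky",
}


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot (DNS FQDN form) and a :port suffix."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:              # host:port, but leave IPv6 literals alone
        host = host.split(":", 1)[0]
    return host


def match_ioc(host: str):
    """(ioc, family) if host equals an IOC or is a subdomain of one, else None."""
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):          # a.b.c -> b.c -> c
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate, IOC_DOMAINS[candidate]
    return None


def extract_host(line: str):
    """Host from a 'query=' (DNS) or 'url=' (proxy) field in the constructed log format."""
    m = re.search(r"\bquery=(\S+)", line)
    if m:
        return m.group(1)
    m = re.search(r"\burl=(\S+)", line)
    if m:
        return urlsplit(m.group(1)).hostname or ""
    return None


def scan_log(lines):
    """Return (client, host, ioc, family) for each line that resolves or fetches an IOC."""
    hits = []
    for line in lines:
        host = extract_host(line)
        if not host:
            continue
        hit = match_ioc(host)
        if hit is None:
            continue
        client = re.search(r"\bclient=(\S+)", line)
        hits.append((client.group(1) if client else "?", normalize_host(host), *hit))
    return hits


# ---- constructed log lines in a made-up key=value format (not real telemetry) ----
SAMPLE_LOG = [
    "2026-03-15T21:00:08Z dns client=10.0.0.5 query=www.onev.online. type=A",
    "2026-03-15T21:00:09Z dns client=10.0.0.6 query=notonev.online type=A",
    "2026-03-15T21:00:10Z proxy client=10.0.0.7 url=http://police-center.vg/api/upload method=POST",
    "2026-03-15T21:00:11Z proxy client=10.0.0.8 url=https://VISA.NADRA.GOV-PK.INFO:8443/login method=GET",
    "2026-03-15T21:00:12Z dns client=10.0.0.9 query=updates.example.org type=A",
    "2026-03-15T21:00:13Z proxy client=10.0.0.10 url=https://github.com/example/releases method=GET",
]
```

<p>The same <code>IOC_DOMAINS</code> keys are what go into the resolver or firewall blocklist; the subdomain walk in <code>match_ioc()</code> is the behaviour a response-policy zone gives you for free, and the label-boundary check is what keeps a suffix match from firing on unrelated domains that merely end in the same characters.</p>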
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>maltrail</category><category>ioc</category><category>osx</category><category>android</category><category>apt</category></item></channel></rss>