A week in security (December 15 – December 21)

Last week on Malwarebytes Labs: CISA warns ASUS Live Update backdoor is still exploitable, seven years on The ghosts of WhatsApp: How GhostPairing hijacks accounts Chrome extension slurps up AI chats after users installed it for privacy Two Chrome flaws could be triggered by simply browsing the...

Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale

Threat actors have been observed leveraging malicious dropper apps masquerading as legitimate applications to deliver an Android SMS stealer dubbed Wonderland in mobile attacks targeting users in Uzbekistan. "Previously, users received 'pure' Trojan APKs that acted as malware immediately upon...

IoT-Based Android Malware Detection Using Graph Neural Network with Adversarial Defense

Since the Internet of Things IoT is widely adopted using Android applications, detecting malicious Android apps is essential. In recent years, Android graph-based deep learning research has proposed many approaches to extract relationships from applications as graphs to generate graph embeddings...

CVE-2025-14809

ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content...

CVE-2025-14809

ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content...

CVE-2025-14809

ArcSearch on Android versions prior to 1.12.6 is affected by an address-bar spoofing issue where the address bar could show a different domain than the displayed content after user interaction with crafted web content. The Root cause is described as navigation/URI confusion in the ArcSearch Andro...

CVE-2025-14809 Address bar spoofing risk in ArcSearch on Android

ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content...

EUVD-2025-204586

ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content...

CVE-2025-14809 Address bar spoofing risk in ArcSearch on Android

ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content...

Malicious Package

Overview androidteminatorx is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

MAL-2025-192620 Malicious code in android_teminator_x (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 33c3191c5716cf98ab9a5976d22602d3140a131b7f906d2c51d88f60950e1a7a The package androidteminatorx was found to contain malicious code. Source: ghsa-malware...

PT-2025-52488

ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content...

Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App

The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics formerly CJ Korea Express. "The threat actor leveraged QR codes...

ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.0 <=4.6.0.0), androidx.baselineprofile.apptarget:androidx.baselineprofile.apptarget.gradle.plugin (>=1.2.0-alpha12 <=1.2.0-alpha14) +2660 more potentially affected by CVE-2024-29371 via org.bitbucket.b_c:jose4j (>=0.4.1 <=0.9.5)

org.bitbucket.bc:jose4j MAVEN version =0.4.1, =4.4.0.0, =1.2.0-alpha12, =1.2.0-alpha12, =1.2.0-alpha12, =1.2.0-alpha12, =1.2.0-alpha07, =1.2.0-alpha12, =1.2.0-alpha07, =2.6.0, =2.6.0, =2.6.0, =1.0.0-alpha01, =1.0.0-alpha01,...

Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks

A new distributed denial-of-service DDoS botnet known as Kimwolf has enlisted a massive army of no less than 1.8 million infected devices comprising Android-based TVs, set-top boxes, and tablets, and may be associated with another botnet known as AISURU, according to findings from QiAnXin XLab...

ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.0 <=4.6.0.0), androidx.baselineprofile.apptarget:androidx.baselineprofile.apptarget.gradle.plugin (>=1.2.0-alpha12 <=1.2.0-alpha14) +2660 more potentially affected by CVE-2024-29371 via org.bitbucket.b_c:jose4j (>=0.4.1 <=0.9.5)

org.bitbucket.bc:jose4j MAVEN version =0.4.1, =4.4.0.0, =1.2.0-alpha12, =1.2.0-alpha12, =1.2.0-alpha12, =1.2.0-alpha12, =1.2.0-alpha07, =1.2.0-alpha12, =1.2.0-alpha07, =2.6.0, =2.6.0, =2.6.0, =1.0.0-alpha01, =1.0.0-alpha01,...

CVE-2025-14617

A vulnerability has been found in Jehovahs Witnesses JW Library App up to 15.5.1 on Android. Affected is an unknown function of the component org.jw.jwlibrary.mobile.activity.SiloContainer. Such manipulation leads to path traversal. Local access is required to approach this attack. The exploit ha...

CVE-2025-14817

The component com.transsion.tranfacmode.entrance.main.MainActivity in com.transsion.tranfacmode has no permission control and can be accessed by third-party apps which can construct intents to directly open adb debugging functionality without user interaction...

CVE-2025-14817

The component com.transsion.tranfacmode.entrance.main.MainActivity in com.transsion.tranfacmode has no permission control and can be accessed by third-party apps which can construct intents to directly open adb debugging functionality without user interaction...

CVE-2025-14817

The CVE-2025-14817 entry affects the com.transsion.tranfacmode.entrance.main.MainActivity component in TECNO devices (e.g., Pova6 Pro 5G). The vulnerability arises from missing permission controls, allowing third-party apps to craft intents that directly open adb debugging functionality without u...