Android

New GriftHorse Malware Infects More Than 10 Million Android Phones (therecord.media)

Security researchers have found a massive malware operation that has infected more than 10 million Android smartphones across more than 70 countries since at least November 2020 and is making millions of dollars for its operators on a monthly basis. The Record reports: Discovered by mobile security firm Zimperium, the new GriftHorse malware has been distributed via benign-looking apps uploaded on the official Google Play Store and on third-party Android app stores. If users install any of these malicious apps, GriftHorse starts peppering them with popups and notifications that offer various prizes and special offers. Users who tap on these notifications are redirected to an online page where they are asked to confirm their phone number in order to access the offer. But, in reality, users are subscribing themselves to premium SMS services that charge over $35 per month, money that is later redirected into the GriftHorse operators' pockets.

Zimperium researchers Aazim Yaswant & Nipun Gupta, who have been tracking the GriftHorse malware for months, described it as "one of the most widespread campaigns the zLabs threat research team has witnessed in 2021." Based on what they've seen until now, the researchers estimated that the GriftHorse gang is currently making between $1.5 million to $4 million per month from their scheme.

Security

Apple AirTag Bug Enables 'Good Samaritan' Attack (krebsonsecurity.com)

An anonymous reader quotes a report from Krebs On Security: The new $30 AirTag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner's phone number if the AirTag has been set to lost mode. But according to new research, this same feature can be abused to redirect the Good Samaritan to an iCloud phishing page -- or to any other malicious website. The AirTag's "Lost Mode" lets users alert Apple when an AirTag is missing. Setting it to Lost Mode generates a unique URL at https://found.apple.com/ and allows the user to enter a personal message and contact phone number. Anyone who finds the AirTag and scans it with an Apple or Android phone will immediately see that unique Apple URL with the owner's message.

When scanned, an AirTag in Lost Mode will present a short message asking the finder to call the owner at their specified phone number. This information pops up without asking the finder to log in or provide any personal information. But your average Good Samaritan might not know this. That's important because Apple's Lost Mode doesn't currently stop users from injecting arbitrary computer code into its phone number field -- such as code that causes the Good Samaritan's device to visit a phony Apple iCloud login page. The vulnerability was discovered and reported to Apple by Bobby Rauch, a security consultant and penetration tester based in Boston. Rauch told KrebsOnSecurity the AirTag weakness makes the devices cheap and possibly very effective physical trojan horses.

China

German IT Security Watchdog Examines Xiaomi Mobile Phone (reuters.com)

Germany's federal cybersecurity watchdog, the BSI, is conducting a technical examination of a mobile phone manufactured by China's Xiaomi, a spokesperson for the interior ministry told Reuters on Wednesday. From the report: The spokesperson did not provide further details on what kind of examination the agency was carrying out. Lithuania's state cybersecurity body said last week that Xiaomi phones had a built-in ability to detect and censor terms such as "Free Tibet," "Long live Taiwan independence" or "democracy movement." Xiaomi said on Monday it was engaging a third-party expert to assess the allegations by Lithuania that its smartphones carry built-in censorship capabilities.

Security

Russian Authorities Arrest Cybersecurity Giant Group-IB's CEO on Treason Charges (techcrunch.com)

Russian authorities have arrested and detained Ilya Sachkov, the co-founder and chief executive of Group-IB -- one of the biggest cybersecurity companies in the country -- on charges of treason. From a report: Details about Sachkov's detention remain unclear but it was reported by Russian media as authorities searched the company's offices, reports Reuters. State news agency Tass said Sachkov, who was arrested on Tuesday, was charged with allegedly transferring classified information to an unnamed foreign government, claims that Sachkov denied, according to the report. Group-IB confirmed the arrest of its CEO, but a spokesperson for Group-IB did not comment beyond a statement on the company's website, which said the company is examining the Moscow court's decision and that it is "confident" in Sachkov's innocence. Sachkov, 35, founded Group-IB in 2003. The company, now headquartered in Singapore, helps companies and governments investigate cyberattacks and online fraud, and has customers ranging from Interpol to Russian banks and defense companies.
