We've published a new research piece on how a defensive mobile stack can become an operator foothold.

TL;DR: unauthenticated report endpoints leak fleet intelligence, device-supplied metadata becomes stored XSS in the console, and a scan-time helper inside the Android agent can be coerced into code execution. The write-up also documents our client-side control bypass (pinning + integrity checks) used to safely study the agent in a lab.

The article follows the full chain—recon at scale -> console compromise -> in-agent execution—then closes with practical guidance for administrators operating mobile security suites.

Read the research and watch the PoC video -> https://lnkd.in/dJmDvBft

Image to attach: the "Android SSL Pinning and Anti-Tamper Bypass" grid or your hero slide.

Hashtags: #MobileSecurity #AndroidSecurity #RedTeam #ThreatResearch #AppSec #Infosec #ReverseEngineering #Frida #CVE
How a defensive mobile stack can be compromised: research and PoC video
More Relevant Posts
Combining Temp Mail with VPNs + encryption is the silent shield smart users need; this blog shows you how to stay truly anonymous online. 🔗 https://lnkd.in/dFPC_Vvt
A malicious Go module disguises itself as an SSH brute-force tool, scanning IPv4 for weak credentials, disabling host key verification, and exfiltrating stolen data via a Telegram bot over HTTPS traffic. #SSHAttack #GoModule #TelegramBot link: https://ift.tt/uUj3w4i
🚨 Digital Forensics Tip: SmartScreen & MoTW 🚨

Files downloaded from the Internet carry a hidden tag called Mark of the Web (MoTW). Windows SmartScreen uses it to block risky files and can log every user interaction with them.

SmartScreen Event Log captures:
- File path & size
- User SID
- MoTW value
- Open or execution timestamp

Enable logging: wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true

💡 Why it matters for DFIR:
- Track who opened a file
- See where it came from
- Detect attempts to run suspicious files

🔍 Hidden but invaluable for forensic investigations
This will be an interesting artifact and one to work with for logging and Windows Events. See about ingesting it for SIEM and detection development.
Are smart locks the future of security platforms…or just pricey deadbolts with apps? I sat down with Bill Wood (Salto), Juergen Sept (TANlock), Olivia Renaud (Allegion), and Rafael Frankow (igloo) at #ACS25 to unpack where smart locks are headed and what’s holding them back. Catch the full session in The Access Control Executive Brief.
🔐 BitlockMove Tool Enables Lateral Movement via Bitlocker DCOM & COM Hijacking | Read more: https://lnkd.in/eFk4Sg5K A new proof-of-concept (PoC) tool named BitlockMove demonstrates a novel lateral movement technique that leverages BitLocker's Distributed Component Object Model (DCOM) interfaces and COM hijacking. The BitlockMove tool exploits how certain COM classes, when configured as "INTERACTIVE USER," can spawn a process in the context of the current user's session. Suppose these processes are also susceptible to COM hijacking. In that case, an attacker can remotely modify the registry, deliver a malicious DLL via Server Message Block (SMB), and trigger its execution through DCOM. #cybersecuritynews
COM exploits like it's the 90s #Nostalgia #WindowsTrauma

Yeah, the Windows COM/DCOM hijack vector is like a living fossil from the 90s — registry-based persistence and remote code execution stuffed inside opaque binary interfaces that never die. On Linux, there isn't a direct COM/DCOM equivalent (since there's no monolithic COM layer), but there are rough parallels from the same era of design philosophy:

🐧 Linux/Unix Parallels to COM/DCOM Hijacking

1. X11 Trust Model (90s–2010s): If you ran X11 with TCP open, anyone with access could inject keystrokes, capture screen data, or run apps in your session. It's the same "execute inside the context of an interactive user" stealth move that COM hijacks enable. Still occasionally abused in thin-client or misconfigured desktop deployments.

2. LD_PRELOAD / Shared Library Hijacking: Drop a malicious .so into a path that gets searched first. Any setuid binary or system daemon that loads it runs your code in privileged context. Think of it as "DLL hijacking for Linux," just without the registry indirection.

3. DBus / System Bus Hijacking: DBus is Linux's nearest conceptual cousin to COM/DCOM. Weak or misconfigured DBus policies let an attacker send privileged method calls to system services. Real-world vulns: privilege escalation by talking to NetworkManager, systemd, or Polkit over DBus.

4. Polkit / pkexec Abuses: Equivalent to "DCOM elevation channels." Misconfigurations or bypasses (CVE-2021-4034 "PwnKit") let attackers escalate via trusted interprocess communication.

5. NFS/Autofs Trickery: Mounting remote shares that cause daemons to load attacker-controlled libraries or execute hooks. This is pretty close to the SMB+DLL trick in the BitlockMove PoC.

✨ Key Difference

- Windows COM/DCOM: baked deep into the OS, with registry-based persistence that defenders can't just "turn off."
- Linux parallels: more fragmented — X11, DBus, Polkit, library search paths. Exploits usually target service boundaries (systemd, Polkit, sudo) rather than one central binary interface.

👉 So if BitlockMove is "COM/DCOM abuse riding BitLocker's surface," the Linux world's spirit-equivalent is DBus/Polkit privilege bridging combined with library hijacking. Both come from the same 90s assumption: local interprocess trust is safe.
Session hijacking in SPAs happens when tokens stored in the browser get stolen via XSS or leaks. The backend can stop this by using HttpOnly cookies, binding sessions to devices, rotating tokens, and revoking sessions. Security starts and ends with the backend.