Mobile Threat Research Highlights iOS Exploit Framework and Emerging Android Trojan Campaigns
Security researchers reported a sophisticated iPhone exploitation framework dubbed Coruna that appears to have originated as a professionally developed, likely government-grade capability and later proliferated to foreign espionage and criminal actors. Analyses cited by Google's Threat Intelligence Group and mobile security firm iVerify describe five exploit chains spanning more than 20 vulnerabilities affecting iOS 13 through 17.2.1, delivered through malicious web content to fingerprint devices, achieve remote code execution, and bypass key iOS mitigations. The toolkit's reported usage trail runs from an early surveillance-company customer, through alleged deployment by Russian intelligence against Ukrainian targets, to adoption by a cybercrime group for cryptocurrency theft.
Separate mobile-threat reporting detailed multiple Android campaigns and families emphasizing stealth, persistence, and credential theft. CloudSEK described a RedAlert trojanized app impersonating Israel's Home Front Command alerting application; it uses a multi-stage APK/DEX loader chain (including a payload staged under assets/) and UI mimicry while coercing high-risk permissions (e.g., Contacts, SMS, Location) and establishing C2. PolySwarm summarized PromptSpy, an Android RAT with VNC-based remote control that integrates Google Gemini to generate context-aware UI gesture instructions from screen XML dumps, improving persistence across device variants; it was distributed via a phishing site impersonating a bank portal and is assessed as financially motivated, targeting users in Argentina. Zimperium separately profiled ZeroDayRAT as a modular Android spyware platform spread via social engineering and sideloading, supporting surveillance and financial theft (e.g., screen capture, keylogging, credential harvesting). Together these reports underscore the continued escalation in mobile malware sophistication.

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Google and iVerify disclose Coruna iPhone exploit framework
Google's Threat Intelligence Group and iVerify reported on Coruna, a professionally developed iPhone exploitation framework with five exploit chains using more than 20 vulnerabilities affecting iOS 13 through 17.2.1. They assessed it may have originated as a U.S.-built or U.S.-government-linked capability that later proliferated to foreign spies and cybercriminals.
Zimperium reports ZeroDayRAT Android spyware platform
Zimperium described ZeroDayRAT as a modular Android spyware and financial-theft platform spread through social-engineering lures and sideloaded apps. The malware supports screen capture, keylogging, credential harvesting, and exfiltration from banking, payment, and personal apps while using stealth techniques to evade signature-based detection.
RedAlert malware observed harvesting data after permission grants
Dynamic analysis showed the malicious package com.red.alertx continued delivering real rocket alerts to maintain credibility while aggressively requesting dangerous permissions. Once any permission was granted, it staged SMS, contacts, and GPS data locally and exfiltrated it via persistent HTTP POST traffic to attacker infrastructure.
CloudSEK identifies fake Red Alert Android trojan campaign
CloudSEK reported an Android trojanized app impersonating Israel's Home Front Command "Red Alert" app and spreading through SMS spoofing. The malware uses a three-stage loader chain to evade analysis while presenting a convincing copy of the legitimate app.
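Two of the RedAlert traits described above, a second-stage DEX payload hidden under assets/ and a manifest that demands SMS, contacts and location access, can be checked mechanically during APK triage. The script below is an added example, not CloudSEK's or the page's own tooling. It assumes the manifest has already been decoded to plain XML (for instance by apktool; a raw APK carries it as binary XML, which this script does not parse), and the APK and manifest it inspects are constructed in-line. The package name and entry names are placeholders, not indicators from the campaign.

```python
"""APK triage for a hidden DEX loader stage and high-risk permission requests.

Added example (not the page's or CloudSEK's code). Sample APK and manifest are
constructed below; no real sample is embedded.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

DEX_MAGIC = b"dex\n"  # every DEX file begins with "dex\n", a 3-digit version and NUL
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions an emergency-alert app has no functional reason to request.
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}


def hidden_dex_entries(apk_bytes: bytes) -> list[str]:
    """Return zip entries outside the normal classes*.dex slots whose bytes are DEX.

    Only the first 8 bytes of each entry are read, so this scales to large APKs.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("classes") and name.endswith(".dex") and "/" not in name:
                continue  # legitimate primary or multidex code
            with zf.open(info) as fh:
                head = fh.read(8)
            if head.startswith(DEX_MAGIC):
                found.append(name)
    return found


def risky_permissions(manifest_xml: str) -> set[str]:
    """Intersect the manifest's <uses-permission> names with HIGH_RISK."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return requested & HIGH_RISK


def triage(apk_bytes: bytes, manifest_xml: str) -> dict:
    dex = hidden_dex_entries(apk_bytes)
    perms = risky_permissions(manifest_xml)
    return {
        "hidden_dex": dex,
        "risky_permissions": sorted(perms),
        # A hidden loader stage combined with SMS/contacts/location access is the
        # pattern described for RedAlert; either finding alone is only a lead.
        "suspicious": bool(dex) and len(perms) >= 2,
    }


def build_sample_apk() -> bytes:
    """Constructed APK: valid-looking primary DEX plus a DEX header under assets/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)        # normal code
        zf.writestr("assets/alerts.dat", b"dex\n035\0" + b"\0" * 64)  # hidden 2nd stage
        zf.writestr("assets/cities.json", b"[]")                       # benign asset
        zf.writestr("res/raw/siren.mp3", b"ID3" + b"\0" * 16)          # benign media
    return buf.getvalue()


# Constructed, already-decoded manifest (placeholder package name).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.alert">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
</manifest>
"""

if __name__ == "__main__":
    print(triage(build_sample_apk(), SAMPLE_MANIFEST))
```

The DEX magic check deliberately ignores file extensions, since a loader can name its payload anything; the permission check is a heuristic and should be read against what the app claims to do, because the page notes that the trojan kept delivering genuine rocket alerts, so working functionality is no evidence of legitimacy.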
Former Trenchant employee pleads guilty in exploit-sale case
The Nextgov report cites a recent U.S. legal case in which a former Trenchant employee pleaded guilty to selling exploits to a Russian broker believed to be Operation Zero. The broker was later sanctioned by the U.S. Treasury.
PromptSpy uses Gemini-guided persistence on Android devices
PolySwarm documented PromptSpy as an Android RAT that uses Google Gemini to analyze screen XML dumps and return JSON gesture instructions for maintaining persistence. The malware also includes VNC-based remote control, credential capture, screenshots, and anti-removal overlays.
PromptSpy campaign distributes MorganArg dropper via fake Chase site
PromptSpy was distributed through a website impersonating a Chase Bank portal, mgardownload[.]com, using a dropper app branded "MorganArg." The campaign appears financially motivated and targets users in Argentina.
Coruna linked to 2023 Triangulation-era activity
The reporting says Coruna shows overlap with the 2023 Triangulation campaign, a high-end iPhone exploitation operation. This places the framework or related capabilities in circulation by 2023.
Cybercriminals adopt Coruna to steal cryptocurrency
Researchers reported that Coruna was subsequently used by cybercriminals to steal cryptocurrency from Chinese-speaking victims. This marked a shift from apparent espionage use to financially motivated criminal exploitation.
Russian espionage actors use Coruna against Ukrainian websites
Google and iVerify assessed that the Coruna toolkit was later used in a Russian espionage campaign targeting Ukrainian websites. The activity used malicious web content to fingerprint devices, achieve remote code execution, and bypass iOS protections on older iPhones.
Coruna exploit framework used by a surveillance-company customer
Researchers said the iPhone exploitation framework dubbed Coruna appears to have first been used operationally by a customer of a surveillance company. This is the earliest reported stage in the toolkit's observed history, before later espionage and criminal adoption.
Sources
4 references.
Potential US-built hacking tools obtained by foreign spies and cybercriminals, research says (Nextgov/FCW) - nextgov.com
RedAlert Trojan Campaign: Fake Emergency Alert App Spread via SMS Spoofing Israeli Home Front Command (CloudSEK) - cloudsek.com
ZeroDayRAT Signals Next-Gen Mobile Espionage and Theft Risks (Zimperium) - zimperium.com
PromptSpy Android Malware Uses Generative AI (PolySwarm) - blog.polyswarm.io


