Approov Mobile Security
@approov.bsky.social
Zero-Trust for Mobile Apps and APIs - Cross Platform Mobile Attestation for Android, HarmonyOS and iOS

Visit us at https://approov.io
📣 New Podcast! "The 3.5 Billion WhatsApp Scraping Flaw: Is Your Mobile API Leaking?" on @Spreaker #apisecurity #approov #cybersecurity #dataprivacy #mobileappsecurity #upwardlymobile #whatsapp
The 3.5 Billion WhatsApp Scraping Flaw: Is Your Mobile API Leaking?
Episode Summary: In this episode, we break down a massive vulnerability discovered by researchers at the University of Vienna and SBA Research that allowed them to scrape data from roughly 3.5 billion WhatsApp accounts globally. We explore how a lack of rate limiting on the specific GetDeviceList API endpoint turned a benign contact discovery feature into a massive "enumeration oracle," allowing a single university server to query over 100 million numbers per hour. We discuss the types of data exposed—including active status, device types, public encryption keys, and millions of profile photos—and the implications for user privacy, particularly in regions where WhatsApp is banned like China and Iran. Finally, we cover Meta’s response to the disclosure and why industry experts are calling this a "masterclass in negligence" regarding API security.

Key Topics Discussed:
- The Vulnerability: How researchers used the GetDeviceList API to bypass safeguards and identify valid accounts across 245 countries.
- The Scale: How a single server sustained 7,000 requests per second to verify 3.5 billion accounts without being blocked.
- The Data: The exposure of profile images, "about" text, and public keys, and how this data correlates with previous Facebook leaks.
- The Security Lesson: Why "does this number exist?" lookup APIs are inherently dangerous without strict behavioral monitoring and rate limiting.

Sponsor: This episode is supported by Approov. When mobile app security is an afterthought, user privacy becomes collateral damage. Approov ensures that only genuine mobile app instances, running on safe mobile devices, can access your backend APIs.
- Visit the Sponsor: https://approov.io/

Featured Sources & Further Reading:
- BleepingComputer: https://www.bleepingcomputer.com/ – Detailing the mechanics of the GetDeviceList abuse and the global scope of the data scrape.
- Malwarebytes: https://www.malwarebytes.com/ – Analysis of the privacy implications, including the exposure of users in restrictive regimes.
- Privacy Guides: https://www.privacyguides.org/ – Discussing the patch and how alternative messengers handle contact discovery.

Keywords: WhatsApp, API Security, Rate Limiting, Data Scraping, Mobile Security, Cybersecurity, Meta, Privacy, Enum, GetDeviceList, Infosec, Approov.
www.spreaker.com
December 22, 2025 at 8:15 AM
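The episode above describes two controls for a "does this number exist?" lookup endpoint: a per-client request cap and behavioral monitoring that notices a client probing identifiers it has never asked about before. The following is an added example, not code from Approov, Meta or the podcast, showing both controls replayed over a constructed request log. The endpoint semantics, the thresholds (100 requests and 50 distinct targets per 60 seconds) and the client names are assumptions.

```python
"""Sliding-window rate limiting and enumeration-oracle detection for a
"does this identifier exist?" lookup endpoint.

Added example for illustration; not code from Approov, Meta or the
podcast. The endpoint semantics, thresholds and the request log below are
assumptions / constructed data.
"""
from __future__ import annotations

from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client."""
    limit: int
    window: float
    _hits: dict = field(default_factory=lambda: defaultdict(deque), repr=False)

    def allow(self, client: str, ts: float) -> bool:
        q = self._hits[client]
        while q and ts - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


@dataclass
class EnumerationDetector:
    """Flag a client that probes more than `max_distinct` *different* targets
    within `window` seconds.

    A per-client request cap can be dodged by spreading traffic across many
    clients or IPs; what distinguishes a scraper from a real contact sync is
    that it keeps asking about identifiers it has never asked about before.
    """
    max_distinct: int
    window: float
    _state: dict = field(
        default_factory=lambda: defaultdict(lambda: (deque(), Counter())), repr=False)

    def observe(self, client: str, target: str, ts: float) -> bool:
        q, counts = self._state[client]
        while q and ts - q[0][0] >= self.window:  # expire old observations
            _, old = q.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        q.append((ts, target))
        counts[target] += 1
        return len(counts) > self.max_distinct


def triage(records, limiter, detector):
    """Replay (ts, client, target) records through both controls.

    Returns {client: {"rate_limited": <blocked request count>,
                      "enumerating": <bool>}}.
    """
    report = defaultdict(lambda: {"rate_limited": 0, "enumerating": False})
    for ts, client, target in sorted(records, key=lambda r: r[0]):
        entry = report[client]
        if not limiter.allow(client, ts):
            entry["rate_limited"] += 1
            continue                      # blocked requests never reach the lookup
        if detector.observe(client, target, ts):
            entry["enumerating"] = True
    return dict(report)


# Constructed log: "app-A" re-syncs the same five contacts every half second
# (benign); "scraper-B" sweeps 300 sequential numbers in three seconds.
SAMPLE_LOG = (
    [(t * 0.5, "app-A", f"+1555000{t % 5:04d}") for t in range(40)]
    + [(t * 0.01, "scraper-B", f"+4479000{t:04d}") for t in range(300)]
)


def run_demo():
    limiter = SlidingWindowLimiter(limit=100, window=60.0)       # assumed policy
    detector = EnumerationDetector(max_distinct=50, window=60.0)  # assumed policy
    return triage(SAMPLE_LOG, limiter, detector)


if __name__ == "__main__":
    for client, verdict in run_demo().items():
        print(client, verdict)
```

In the replay the benign client is never throttled and never flagged (40 requests, 5 distinct targets), while the scraper has 200 of its 300 requests blocked and is flagged as enumerating after its 51st distinct number. The distinct-target count is what the request cap alone cannot give you; a practitioner would also key it on the attested app instance or account rather than only on source IP, and would make the endpoint's response identical for known and unknown identifiers so the oracle leaks nothing even at permitted rates.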
Reposted by Approov Mobile Security
Suspicions in the crypto community point to AI-supported hackers carrying out a concentrated campaign to steal around $5 million in old and sometimes abandoned DeFi projects.

Is an AI hacker targeting old DeFi projects in $5M spree?

protos.com/is-an-ai-hac...
Is an AI hacker targeting old DeFi projects in $5M spree?
Old Ribbon Finance, Yearn Finance and Rari Capital contracts were hacked. Are attackers using AI to scan for missed opportunities in DeFi?
protos.com
December 19, 2025 at 12:35 PM
Reposted by Approov Mobile Security
www.forbes.com
December 19, 2025 at 2:13 PM
Did our 2025 mobile cybersecurity predictions come true? A look back at 7 key trends. From AI-powered attacks & defences to new app distribution models and beyond — it’s clear the threat landscape is accelerating.

approov.io/blog/approov...

#MobileSecurity #AppSec #Cybersecurity #AI
7 Mobile Cybersecurity Trends Approov Forecast for 2025 — And the Results Are In
Approov reviews its 2025 mobile cybersecurity predictions. See which trends—AI threats, API security, open-source risks, breach rules—actually happened.
approov.io
December 16, 2025 at 11:57 AM
Mobile APIs are becoming a bigger threat vector than many realise. @zscalerinc.bsky.social's latest report exposes risky assumptions in traditional #security models — and what teams really need to protect #mobile APIs.

Read more 👉 approov.io/blog/are-you...

#APIsecurity
Are Your Mobile APIs The New Weak Link? What Zscaler Just Exposed
Learn how to address mobile app and API security gaps in consumer apps, with insights from the Zscaler ThreatLabz report & practical solutions from Approov
hubs.ly
December 15, 2025 at 5:24 PM
📣 New Podcast! "Apple's DMA Non-Compliance: An Open Letter" on @Spreaker #antitrust #apple #approov #appstore #digitalmarketsact #dma #eu #mobiledev #upwardlymobile
Apple's DMA Non-Compliance: An Open Letter
In this episode of *Upwardly Mobile*, we break down the seismic shift in the mobile app landscape following the European Commission’s decision to formally fine Apple €500 million for breaching the Digital Markets Act (DMA). We explore why regulators view Apple’s recent changes not as genuine adherence to the law, but as "malicious compliance"—a deliberate attempt to technically meet requirements while maintaining control and fees. We also discuss the December 2025 Open Letter sent by app developers to EU President Ursula von der Leyen, which argues that Apple’s new 20% commission on external transactions continues to violate the law and stifle fair competition. Finally, we contrast the situation in Europe with recent US court rulings involving Epic Games, where judges have ordered Apple to stop charging for services it doesn't provide, raising the question: Why are European developers getting a worse deal?

Key Topics Discussed:
*   **The €500M Fine:** The European Commission found Apple in breach of "anti-steering" obligations, restricting developers from directing users to cheaper offers outside the App Store.
*   **"Malicious Compliance":** An analysis of how Apple’s fee structures and "scare screens" are viewed by critics and regulators as structural impediments to the DMA’s goals.
*   **The Meta Connection:** A look at the parallel €200M fine imposed on Meta regarding their "pay or consent" model.
*   **The Developer Pushback:** Insights from the "CleanV2" Open Letter, where developers demand the removal of new commission fees that range up to 20%.
*   **Transatlantic Tensions:** How the US Ninth Circuit Court of Appeals ruling regarding Epic Games highlights disparities in global enforcement.

**Sponsor:** This episode is brought to you by **Approov**. Securing mobile apps is hard; Approov makes it easy. Ensure your APIs are only accessed by genuine instances of your mobile app and block scripts, bots, and modified apps. **Visit: [https://approov.io](https://approov.io)**

**Resources & Source Materials:**
*   **European Commission Press Release:** Details on the April 2025 fine regarding Apple’s anti-steering practices.
*   **Kluwer Competition Law Blog:** "The DMA's Teeth: Meta and Apple Fined by the European Commission" by Alba Ribera Martínez.
*   **Clean App Foundation Open Letter:** The December 2025 appeal to the European Commission regarding Apple's persistent non-compliance.
*   **Analysis of US Rulings:** Context on the Epic Games vs. Apple court case and fee limitations.

Digital Markets Act, DMA, Apple Fine, App Store Fees, Anti-Steering, Malicious Compliance, European Commission, Margrethe Vestager, Sideloading, Epic Games, Mobile App Security, Tech Policy, Antitrust.
www.spreaker.com
December 15, 2025 at 4:23 PM
CISA added #React2Shell to the KEV list after confirmed exploitation. @tedmiracco.bsky.social warns it’s a “100% reliable, fileless attack” and a perfect storm for enterprise risk. Security experts urge immediate patching.

www.scworld.com/news/react2s...
React2Shell lands on CISA’s KEV list: patch right away!
10.0 RSC flaw actively exploited in the wild by China-based threat groups within hours of public disclosure leads the pack for December's Patch Tuesday.
www.scworld.com
December 11, 2025 at 3:27 PM
“Don’t trust an app just because it’s in the app store.”

Our CEO, @tedmiracco.bsky.social, joined TAG Cyber's Ed Amoroso to talk about the rise of mobile traffic, why #APIsecurity > device security, and how #AI is boosting attacks

Watch now 🎥 youtu.be/L-fIrz6Utgk

#mobilesecurity
Ted Miracco, CEO of Approov (Full Interview)
YouTube video by TAG Infosphere
youtu.be
December 10, 2025 at 11:00 AM
Chinese Hackers & the React2Shell Crisis
This week, we dive deep into the critical, maximum-severity security flaw known as React2Shell (tracked as CVE-2025-55182). This vulnerability, which impacts React, the widely-used open-source JavaScript library, allows for unauthenticated remote code execution (RCE) through specially crafted HTTP requests on affected servers.

The episode explores the immediate aftermath of the disclosure. Exploitation attempts began quickly, with Amazon Web Services (AWS) reporting that multiple China-linked threat groups, specifically Earth Lamia and Jackpot Panda, were exploiting the flaw within hours of its public availability. These actors are using both automated tools and individual exploits, and some are even actively debugging and refining their techniques against live targets. Earth Lamia has been active since at least 2023, targeting various industries in Latin America, the Middle East, and Southeast Asia, while Jackpot Panda focuses on cyberespionage operations in Asia.

We also discuss the significant collateral damage caused by the urgent need to patch this flaw. Internet infrastructure giant Cloudflare experienced a widespread global outage, returning "500 Internal Server Error" messages worldwide, and attributed the incident to an emergency patch deployed to mitigate the industry-wide React2Shell vulnerability. This change was related to how Cloudflare’s Web Application Firewall parsed requests.

Finally, we clarify the scope of the vulnerability: React2Shell primarily impacts server-side components. Specifically, it affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, particularly instances using a relatively new server feature. Standard React Native mobile apps are generally safe, but any backend built using Next.js (App Router) or React 19 Server Components that communicates with the mobile app is at critical risk. Furthermore, developers need to be aware of a separate, but timely, vulnerability (CVE-2025-11953) affecting the local React Native CLI development server.

Key Concepts and Takeaways
- Vulnerability: React2Shell, CVE-2025-55182, is a critical vulnerability allowing unauthenticated remote code execution on affected servers.
- Scope: Impacts the React open-source JavaScript library, particularly React version 19 and dependent React frameworks such as Next.js (App Router). Cloud security giant Wiz reported that 39% of cloud environments contain vulnerable React instances.
- Threat Actors: Exploitation is linked to China-linked threat groups, including Earth Lamia and Jackpot Panda.
- Major Impact: An emergency mitigation patch designed to address React2Shell caused a widespread global outage at Cloudflare.
- Fix: Patches were available shortly after disclosure, reported to Meta on November 29 and patched on December 3. Users must upgrade affected dependencies like react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to version 19.0.1 or higher.

Resources and Links
- SecurityWeek (Source Context): (Note: Specific articles discussed are embedded within the episode content.)
- Expo Changelog: For specific SDK patch instructions.
- Sponsor Link: Protecting mobile app integrity against security threats is vital: https://approov.io/podcast

Keywords (Optimized for SEO): React2Shell, Remote Code Execution (RCE), China-linked hackers, Earth Lamia, Jackpot Panda, React Server Components (RSC), Next.js vulnerability, React 19 security, web security, patch management, cyber espionage, critical vulnerability, application security
www.spreaker.com
December 8, 2025 at 10:40 PM
Thrilled to announce that we are opening our new headquarters in Edinburgh’s New Town! This step reflects our growth and commitment to strengthening mobile app & API security from the heart of Scotland.

approov.io/news/approov...

#cybersecurity #Edinburgh #TechNews #MobileSecurity
Approov Opens New Headquarters in Edinburgh's New Town | Approov
Approov has officially opened its new headquarters in Edinburgh, marking a major milestone after a year of strong growth, investment, and global expansion.
approov.io
December 4, 2025 at 2:13 PM
📣 New Podcast! "Sanchar Saathi | The Mobile App Triggering India's Surveillance Firestorm" on @Spreaker #android #apple #approov #bigbrother #cybersafety #digitalprivacy #indiatech #samsung #sancharsaathi #statesurveillance #telecomfraud #upwardlymobile #xiaomi
Sanchar Saathi | The Mobile App Triggering India's Surveillance Firestorm
Sanchar Saathi: The Mandatory Cyber Safety App Triggering India's Surveillance Firestorm

In this critical episode of "Upwardly Mobile," we dive into the escalating controversy surrounding India's Sanchar Saathi app, a government-mandated digital tool that is fueling a nationwide debate over state surveillance and digital privacy. Designed as a citizen-centric safety tool to combat telecom fraud and track lost or stolen devices using their unique IMEI, the app has been lauded by the government for its success in blocking millions of fraudulent connections and stolen phones. However, a recent directive mandating its pre-installation on all new smartphones sold in India has drawn fierce criticism from privacy advocates, opposition politicians, and major tech firms.

What You Will Learn in This Episode:

The Core Conflict: Safety vs. Snooping
- The Mandate: The Indian telecom ministry privately ordered all smartphone manufacturers to preload Sanchar Saathi on new devices within 90 days, requiring the app to be "visible, functional, and enabled" upon first setup. This directive could eventually roll out the app to more than 735 million existing phone users via software updates.
- Government Defense: Officials state the app is strictly for cyber security and curbing the "serious endangerment" caused by IMEI tampering, promising adequate security for personal information. They also claim the app is optional and does not read private messages.
- Surveillance Fears: Privacy experts and the political opposition argue the mandate is unconstitutional and creates a massive surveillance surface area. Opposition leaders have even compared the move to 'Pegasus'.

Technical Deep Dive into Privacy Risks
- The Sanchar Saathi app requests a range of "dangerous" or "high-risk" permissions.
- The app has the capability to read call logs and all incoming SMS, technically allowing it to parse bank transaction alerts, 2FA codes, and map a user's social graph.
- It accesses device identifiers, binding a user's identity to the hardware IMEI, which breaks standard rules for resettable identifiers and aids tracking.
- If pre-installed as a system-level application (the proposed state), experts warn that permissions could be auto-granted without user consent, the app could run continuous background services, and it would be virtually impossible for 99% of users to uninstall.
- The privacy policy is weak, lacking explicit mechanisms for data deletion, correction, or a clear opt-out feature.

Industry Resistance
- Tech giants were given 90 days to comply with the pre-installation mandate.
- Apple has specifically resisted the mandate, citing concerns over privacy and system security, as iPhones require explicit user confirmation for permissions and prevent automatic background registration.
- The mandate is technically easier to implement on Android devices, which make up over 95% of the Indian smartphone market.

Keywords: Sanchar Saathi, India digital privacy, state surveillance, government mandate, telecom fraud, cyber safety app, IMEI tracking, pre-installation controversy, Android security, iOS privacy, Apple resistance, call log permissions, data deletion rights, digital rights, Indian politics.

Digital Autonomy and the Sanchar Saathi App
- Link 1: https://indianexpress.com/article/explained/explained-sci-tech/telecom-scindia-sanchar-saathi-optional-key-concerns-10397728/
- Link 2: https://www.ndtv.com/india-news/sanchar-saathi-communications-ministry-jyotiraditya-scindia-big-brother-or-cybersafety-boost-deep-dive-into-sanchar-saathi-app-9735477
- Link 3: https://indianexpress.com/article/technology/tech-news-technology/sanchar-saathi-app-preinstalled-android-ios-privacy-security-concerns-10397922/
- Link 4: https://www.bbc.com/news/articles/cedxyvx74p4o
- Link 5: https://www.reuters.com/sustainability/boards-policy-regulation/what-is-indias-politically-contentious-sanchar-saathi-cyber-safety-app-2025-12-02/

Sponsor: This episode is brought to you by https://approov.io/podcast, helping developers secure their mobile APIs and prevent reverse engineering and unauthorized data access.
- Sponsor Website: approov.io
www.spreaker.com
December 2, 2025 at 8:14 PM
Quantum’s coming - and the encryption we trust may not survive. According to CEOs, powerful #quantum machines could break today’s #cryptography as soon as 2029. That means firms must start migrating to post-quantum standards now. The race is on.

Read more news.clearancejobs.com/2025/11/28/t...
The Quantum Arms Race Is On—and CEOs Say Your Encryption Won’t Survive It
As we sprint toward quantum machines, experts warn that nation-states may weaponize the technology before businesses are ready.
news.clearancejobs.com
December 2, 2025 at 1:50 PM
📣 New Podcast! "Supply Chain Security Unpacked: Combating Dependency Confusion & Poisoned Pipelines" on @Spreaker #approov #appsec #ci_cd #cybersecurity #dependencyconfusion #devsecops #nist #slsa #softwareintegrity #supplychainsecurity #threatintelligence
Supply Chain Security Unpacked: Combating Dependency Confusion & Poisoned Pipelines
Episode Notes: The software supply chain, the "backbone of modern software development," is under unprecedented assault, with attacks aimed at libraries and development tools soaring by an astounding 633% year-over-year. This episode explores the evolution of supply chain threats, examining everything from software vulnerabilities and malicious maintainers to hidden risks lurking in hardware and commercial binaries, and details the cutting-edge defenses developers are deploying to fight back.

The Evolving Threat Landscape: Implicit Trust Exploited

Modern attacks exploit the implicit trust developers place in package managers and public repositories. Key threats discussed include:
- Dependency Confusion: First identified by Alex Birsan, this attack exploits package managers that prioritize packages found in public repositories (especially those with a higher version number) over identically named private packages. Attackers use reconnaissance to pinpoint internal package names (often by examining manifest files like package.json), publish a malicious package with the same name and a higher version to a public repository, and wait for the target application's build process to pull and execute the malicious code. Vectors for this attack include exploiting namespaces, DNS Spoofing, and manipulating CI/CD security settings.
- Widespread Malware and Stolen Secrets: The npm ecosystem was recently hit by the self-replicating "Shai-Hulud" worm, which compromised over 500 packages and harvested sensitive credentials, including GitHub Personal Access Tokens (PATs) and API keys for cloud services like AWS, GCP, and Microsoft Azure. Stolen credentials remain a reliable attack vector, leading to incidents where attackers published malicious code on behalf of trusted entities (e.g., Nx, rspack).
- Poisoned Pipelines and Malicious Maintainers: Highly sophisticated attackers are compromising build and distribution systems directly, bypassing code reviews. This includes notorious attacks like SolarWinds and compromises targeting GitHub Actions pipelines (e.g., Ultralytics and reviewdog/actions-setup). Furthermore, the XZ Utils backdoor highlighted the risk of malicious maintainers who build trust over years before inserting sophisticated backdoors into critical open-source projects.
- Code Rot and Vulnerable Open Source: A survey of popular open-source packages found them rife with vulnerabilities, with an average of 68 vulnerabilities across 30 packages scanned, including many critical and high-severity flaws. Even actively maintained, high-traffic packages like Torchvision contained dozens of vulnerabilities, despite frequent updates.

Defense and Verification: Making Trust Explicit

To counter these escalating threats, the industry is focusing on making trust assumptions explicit and verifiable:
- Supply-chain Levels for Software Artifacts (SLSA): SLSA is a security standard that helps consumers verify the process by which an artifact was created using a signed provenance file. Achieving Level 3 compliance involves stringent build platform hardening to prevent the forgery of provenance files.
- Trusted Publishing and Attestations: Platforms like PyPI have implemented Trusted Publishing, which removes the need for developers to manage long-lived API tokens by utilizing short-lived OIDC tokens issued by the build platform. Building on this, digital attestations (driven by PEP 740) cryptographically bind published packages to their build provenance using Sigstore.
- CI/CD Security Tools: Tools like Zizmor perform static analysis for GitHub Actions to flag subtle vulnerabilities like template injection or dangerous triggers. Capslock is an experimental tool used for Go language packages that statically identifies capabilities (like network access or file system operations), allowing developers to verify what code can actually do, regardless of where it came from.
- Preventing Confusion: Developers can mitigate Dependency Confusion through strict naming conventions, proactively reserving namespaces (or "namesquatting" on platforms like PyPI), utilizing private package repositories with stringent access controls (RBAC/MFA), and enforcing package whitelisting and version locking using files like package-lock.json.
- Verifying Commercial Binaries: Risks also lurk in closed-source commercial software ("black-box" binaries). The compromise of Justice AV Solutions (JAVS) demonstrated how malware (RustDoor) can be implanted in a backdoored installer; sophisticated tools like differential analysis are necessary to detect signs of tampering and unvetted files (such as the typosquatted ffmepg.exe). Organizations must adopt a "Don't Trust, but Verify" approach to all software received from suppliers.
- The Future of Vulnerability Management: The cybersecurity community is moving beyond sole reliance on CVEs, especially following the NVD backlog experienced in 2024. Comprehensive security now requires visibility into threats like malware, tampering, secret leaks, and lack of hardening, rather than just known vulnerabilities. NIST SP 800-204D outlines crucial strategies for integrating SSC security measures—including generating provenance data—into DevSecOps CI/CD pipelines.

Relevant Links and Resources:
- Learn more about Dependency Confusion Prevention and DevSecOps Orchestration: https://approov.com/
- NIST SP 800-204D: Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines: https://doi.org/10.6028/NIST.SP.800-204D

Keywords: Software Supply Chain Security, Dependency Confusion, Hardware Trojan, SLSA Framework, CI/CD Pipeline Security, DevSecOps, Trusted Publishing, PyPI, npm, Zizmor, Build Provenance, Side-Channel Attacks, Malware, Cryptojacking, NVD Backlog, Digital Attestations, Zero Trust.
www.spreaker.com
November 27, 2025 at 5:15 PM
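The episode above lists version locking with package-lock.json and private registries as the practical defenses against dependency confusion. The following is an added example, not code from Approov or the podcast, of a lock-file audit that enforces both: every dependency must be pinned to a resolved URL with an integrity hash, and every package under an internal scope must have been fetched from the private registry, not the public one. The `@acme/` scope, the registry host `npm.internal.acme.example` and the lock-file contents are constructed assumptions; the lockfileVersion 3 layout (a `packages` map keyed by install path) is npm's real format.

```python
"""Audit an npm lock file for dependency-confusion exposure.

Added example; not code from Approov or the podcast. The private scope,
registry hosts and the lock-file contents are constructed assumptions.
"""
from __future__ import annotations

import json
from urllib.parse import urlparse

PRIVATE_SCOPES = ("@acme/",)                          # assumption: internal packages
PRIVATE_REGISTRY_HOST = "npm.internal.acme.example"   # assumption
ALLOWED_HOSTS = {PRIVATE_REGISTRY_HOST, "registry.npmjs.org"}

# Constructed package-lock.json in the lockfileVersion 3 layout ("packages"
# keyed by install path). "@acme/telemetry" shows the confusion symptom: an
# internal name resolved from the public registry at an implausibly high
# version. "lodash" shows an unpinned entry with no resolved URL / integrity.
SAMPLE_LOCK = json.dumps({
    "name": "mobile-backend",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "mobile-backend", "dependencies": {
            "left-pad": "^1.3.0", "@acme/auth-client": "^2.4.0",
            "@acme/telemetry": "^1.0.0", "lodash": "^4.17.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-CONSTRUCTED1"},
        "node_modules/@acme/auth-client": {
            "version": "2.4.1",
            "resolved": "https://npm.internal.acme.example/@acme/auth-client/-/auth-client-2.4.1.tgz",
            "integrity": "sha512-CONSTRUCTED2"},
        "node_modules/@acme/telemetry": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/@acme/telemetry/-/telemetry-99.0.0.tgz",
            "integrity": "sha512-CONSTRUCTED3"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})


def package_name(install_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (nested deps included)."""
    return install_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_text: str) -> list:
    """Return a list of findings; an empty list means the lock file is clean."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":            # root project entry, not a dependency
            continue
        name = package_name(path)
        resolved, integrity = meta.get("resolved"), meta.get("integrity")
        if not resolved or not integrity:
            findings.append({"package": name,
                             "issue": "unpinned: no resolved URL/integrity hash"})
            continue
        host = urlparse(resolved).hostname
        if name.startswith(PRIVATE_SCOPES) and host != PRIVATE_REGISTRY_HOST:
            # Internal name served by someone other than our registry: the
            # dependency-confusion signature, whatever the version says.
            findings.append({"package": name, "version": meta.get("version"),
                             "issue": f"private-scope package resolved from {host}"})
        elif host not in ALLOWED_HOSTS:
            findings.append({"package": name,
                             "issue": f"unexpected registry host {host}"})
    return findings


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK):
        print(finding)
```

Run against the constructed lock file this reports exactly two findings: `@acme/telemetry` resolved from registry.npmjs.org (at version 99.0.0, the "higher version wins" trick the episode describes) and `lodash` with no pin. The check belongs in CI next to `npm ci`, which already refuses to install when the lock file and package.json disagree; the prevention it verifies is the scope-to-registry mapping in `.npmrc` (`@acme:registry=https://npm.internal.acme.example/`) so that internal names are never looked up publicly in the first place.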
📣 New Podcast! "How Aisuru 'Turbo Mirai' Botnet Reshaped Mobile DDoS Warfare" on @Spreaker #aisuru #botnet #cloudflare #cybersecurity #ddos #mirai
How Aisuru 'Turbo Mirai' Botnet Reshaped Mobile DDoS Warfare
The Multi-Terabit Battlefield: How Aisuru 'Turbo Mirai' Botnet Reshaped Mobile DDoS Warfare

On November 18, 2025, a massive Cloudflare service interruption took down major platforms worldwide, including X, ChatGPT, Shopify, and various critical transit services. Given the intense, ongoing cyber conflict, initial speculation immediately pointed toward a successful, hyper-volumetric Distributed Denial-of-Service (DDoS) attack. Cloudflare has recently been at the forefront of blocking unprecedented assaults from notorious botnets, including Mirai and the newer, "TurboMirai-class" Aisuru botnet. The company successfully mitigated record-breaking Mirai-variant attacks measured at 5.6 Tbps (October 2024) and 7.3 Tbps (May 2025). Furthermore, the Aisuru botnet, which is responsible for hitting Microsoft Azure with a 15.72 Tbps DDoS attack, was also linked to a 22.2 Tbps attack mitigated by Cloudflare in September 2025. Aisuru operators were even caught attempting to manipulate Cloudflare’s public domain rankings using malicious query traffic. This track record provided a clear motive for a potential reprisal.

However, Cloudflare’s official investigation quickly dispelled fears of a successful cyberattack. Cloudflare CTO Dane Knecht confirmed that the incident was not an attack, but rather an internal issue. The cause was identified as a "latent bug" in a service underpinning Cloudflare’s bot mitigation capability that started to crash following a routine configuration change. This technical flaw cascaded into a broad degradation across the network. Cloudflare CEO Matthew Prince later noted that this was the worst outage the company had experienced since 2019. This incident highlights that while automated security platforms like Cloudflare can defend against 20+ Tbps DDoS attacks, they remain vulnerable to complex internal technical flaws and configuration management errors.

Keywords: Cloudflare outage, DDoS, Aisuru Botnet, Mirai, Configuration error, Latent bug, Dane Knecht, November 2025, IoT security, Incident Response, Cyberattack, Network Security, Cloud Security.

Hashtags: #ConfigurationManagement #IncidentResponse #CloudSecurity #IoT

Related Links & Sources
To read more about the incident and the cyber threat landscape, please refer to the following:
- Cloudflare Outage Not Caused by Cyberattack (SecurityWeek)
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses
- Cloudflare’s official report on the November 18, 2025 outage
- Discussion on the configuration file bug
- TurboMirai-Class ‘Aisuru’ Botnet Blamed for 20+ Tbps DDoS Attacks

Sponsor Message: Today’s episode is brought to you by https://approov.com. In an era where botnets like Aisuru are exploiting every vulnerability, securing your APIs and endpoints is paramount. Approov provides essential mobile app and API protection, ensuring that only trusted, legitimate clients can connect to your back-end services, providing a crucial layer of defense against sophisticated automated attacks. Learn more about protecting your mobile infrastructure at approov.com.
www.spreaker.com
November 24, 2025 at 4:10 PM
📣 New Podcast! "Black Friday's Hidden Threat: Stopping AI-Powered Fraud and Mobile Commerce Exploits" on @Spreaker #aiscams #apisecurity #approov #blackfridayfraud #cybermonday #cybersecurity #digitalpayment #ecommercesecurity #mobilesecurity #upwardlymobile
Black Friday's Hidden Threat: Stopping AI-Powered Fraud and Mobile Commerce Exploits
The biggest shopping days of the year—Black Friday and Cyber Monday—have also become the prime hunting grounds for cybercriminals, with global financial losses from attacks predicted to hit $10 billion in 2024. In this episode, we dive deep into the rising statistics shaping financial cybersecurity during the holiday shopping season, focusing on how sophisticated, AI-driven scams and mobile app vulnerabilities are creating a perfect storm for retailers and consumers alike.

Episode Highlights:

The State of Financial Cybercrime: Cybercriminal activity spikes by 70% during Black Friday compared to regular shopping days. Statistics show that cyberattacks during this period were projected to rise by 20% in 2024, following a 15% increase in 2023.

Key Threats and Data:
- The Rise of Fake Shops: Scammers are evolving at an unprecedented pace, using AI to generate persuasive copy and fully functional storefront templates that mimic legitimate communication flawlessly. A recent analysis found a 250% jump in fake Black Friday shops leading up to the sales weekend.
- Targeting E-commerce: E-commerce platforms experience a 65% surge in phishing attacks. Phishing scams remain the most common threat, accounting for 42% of attacks on financial transactions during the 2023 holiday shopping period.
- Prevalent Fraud Types: Financial institutions report detecting 30% more fraudulent transactions during Cyber Monday. Card-not-present fraud was the leading method used by cybercriminals in 2023, accounting for over 75% of online fraud cases. Credential stuffing incidents surged by 80% during Cyber Monday in 2023, affecting over 40 million accounts globally.
- The Cost: Financial fraud cases during holiday shopping periods account for nearly $8.5 billion annually. Small and medium-sized businesses (SMBs) are highly vulnerable, reporting an average loss of $120,000 per cyberattack.

The Mobile Frontline: While many focus on suspicious websites, the true cybersecurity frontline for e-commerce is increasingly within mobile apps. Attacks on mobile apps used for shopping increased by 50% in 2023, often involving malicious app clones. Attackers exploit vulnerabilities like Man-in-the-middle (MitM) attacks intercepting API traffic and extracting API keys reverse-engineered from app binaries. Standard defenses like TLS encryption and certificate pinning offer necessary but incomplete protection.

Industry Response: Financial institutions are bolstering security by integrating biometric authentication into 50% of mobile banking apps, adopting real-time transaction monitoring (reducing fraud by 40%), and using tokenization technology in 65% of online transactions. Furthermore, Zero Trust architecture is gaining traction, with 55% of organizations adopting it to secure financial systems.

Sponsor Spotlight: This episode is brought to you by Approov, the mobile security platform addressing vulnerabilities where they start: the mobile API. Approov provides a pragmatic defense-in-depth approach by ensuring that only genuine, unmodified apps connect to your backend. Approov neutralizes Black Friday exploits by using dynamic attestation to verify app integrity, and protects against API key theft by delivering short-lived, attested tokens at runtime, preventing API keys from residing within the app binary. Protect your mobile commerce from sophisticated fraud.

Learn more about Approov's Mobile API Protection:
- https://approov.io/podcast

Relevant Source Links
For more information and detailed statistics referenced in this summary:
- Financial Cybersecurity Statistics for Black Friday and Cyber Monday 2025 (via CoinLaw): [Link to CoinLaw Article]
- Online scams skyrocket before Black Friday – NordVPN warns what shoppers should watch out for (via TechRadar): [Link to TechRadar Article]
- https://cybermagazine.com/articles/darktrace-reports-692-surge-in-black-friday-cyber-scams

Keywords & Hashtags (SEO Optimized)
Keywords: Black Friday, Cyber Monday, cybersecurity statistics, financial fraud, e-commerce security, mobile commerce, API protection, card-not-present fraud, phishing scams, ransomware, credential stuffing, AI-powered scams, fake shops, Approov, NordVPN, retail cybercrime, tokenization, Zero Trust.
www.spreaker.com
November 21, 2025 at 7:20 PM
. @cloudflare.social's Nov 18 outage sparked fears of a massive DDoS after recent record-breaking #Mirai/#Aisuru attacks. But as @tedmiracco.bsky.social explains, it was an internal issue - not a cyberattack. Attribution takes time.

Full commentary in @SCMagazine

www.scworld.com/perspective/...
Lesson from the Cloudflare outage: Don’t jump to conclusions about external threats
Initial fears of a Mirai reprisal attack yesterday were quickly dispelled.
www.scworld.com
November 20, 2025 at 9:44 AM
X Joins App Fairness Coalition to Combat Monopolies
In this pivotal episode of https://approov.io/podcast, we dive into the significance of https://x.com (formerly known as Twitter) joining the https://appfairness.org/ (CAF). This move signals growing momentum in the global effort to reform the mobile app ecosystem, currently dominated by Apple and Google, whose practices are alleged to harm consumers and developers alike. We examine X's commitment to dismantling monopolistic practices and fostering a digital future where competition thrives and innovation is rewarded. Furthermore, we discuss the context of this fight, including the recent U.S. Department of Justice (DOJ) antitrust complaint filed against Apple. CAF asserts that Apple’s alleged illegal conduct—including abusing App Store guidelines to increase prices and choke off competition—must be addressed, urging Congress to pass legislation like the Open App Markets Act. Tune in to understand how companies are pushing back against the "shackles on developers" to create a level playing field for the more than 80 members of this independent nonprofit organization.

Discussion Points
- Dismantling Monopolies: X’s Head of Global Government Affairs stated that joining CAF is a testament to their commitment to dismantling monopolistic practices and building a mobile ecosystem that truly serves its users and fosters growth.
- The Problem with Gatekeepers: The current mobile app ecosystem is dominated by Apple and Google, who use their power to harm developers and users through excessive costs and restrictions on innovation. Global Policy Counsel for CAF noted that businesses on platforms like X are harmed by these anticompetitive app store practices.
- The Antitrust Fight: The DOJ, along with 16 attorneys general, filed an antitrust complaint against Apple, accusing the company of illegally monopolizing smartphone markets. CAF supports this strong stand against Apple’s "stranglehold over the mobile app ecosystem".
- The Path Forward: CAF advocates for legislation, like the Open App Markets Act, to create a free and open mobile app marketplace and put an end to the anticompetitive practices of all mobile app gatekeepers.
- About CAF: The Coalition for App Fairness is an independent nonprofit organization focused on protecting consumer choice, fostering competition, and creating a level playing field for app and game developers globally.

https://approov.com

Sponsored Segment:
The increasing regulatory and commercial pressures are weakening app store monopolies. As the mobile ecosystem decentralizes, the need for robust, independent security is crucial. Our sponsor, Approov, provides strong, app-centric security solutions that operate independently of basic app store protections. Approov helps mobile app developers reduce security dependencies on app stores by delivering runtime protection and attestation for mobile apps and their APIs, shielding against tampering and unauthorized access. Approov’s approach decentralizes security, ensuring developers are not limited by the basic security checks provided by Apple, Google, or any third-party app store (especially relevant as regulations like the EU DMA take effect).

Key security features include:
- https://approov.io/mobile-app-security/rasp/dynamic-cert-pinning/: Secures connections against man-in-the-middle attacks and allows instant over-the-air (OTA) updates without requiring republishing through app stores.
- https://approov.io/mobile-app-security/rasp/runtime-secrets/: API keys and secrets are removed from the app and delivered only to verified app instances, protecting against reverse engineering and credential scraping attempts.
- https://approov.io/mobile-app-security/rasp/: Provides real-time shielding against threats like OS manipulation or hostile frameworks, regardless of how or where the app is distributed, including alternative app stores.
This ability to deliver critical updates and security policies directly from Approov’s cloud platform ensures the quickest possible response to threats, bypassing store-mediated app updates.

Keywords
X, Twitter, Coalition for App Fairness (CAF), Mobile App Ecosystem, App Store Monopolies, Antitrust, Apple Antitrust, Google Play Store, Developer Freedom, App Competition, Open App Markets Act, Approov, App Security, API Protection, Runtime Protection, App Attestation, EU DMA.

Relevant Links
- X Joins CAF Announcement: [Link to source (though the specific URL is not provided in the excerpts, we reference the content that would link to this news)]
- CAF Mission & Membership: appfairness.org
- DOJ Antitrust Complaint Context: [Link to source (though the specific URL is not provided in the excerpts, we reference the content)]
- Sponsor Approov: Secure your mobile apps independently of app stores at approov.com
- Approov Security Details:
  - How Approov Works: [Link to source]
  - Approov vs. Mobile App Hardening: [Link to source]
  - Approov's Role in a Post-DMA Landscape: [Link to source and]
www.spreaker.com
November 17, 2025 at 12:20 PM
It’s time to take a fresh look at your Android app security. Google #PlayIntegrity API works only for #Android apps using #Google services but Approov gives you runtime app & device attestation across all platforms.

approov.io/blog/limitat...

#APISecurity #AppSec #Mobilesecurity
The Limitations of Google Play Integrity API (ex SafetyNet)
Explore the history, uses, and limitations of the Google Play Integrity API (formerly SafetyNet); compare and contrast it with Approov's mobile security.
approov.io
November 17, 2025 at 11:43 AM
📣 New Podcast! "Standing Up to Extortion: Lessons from the Checkout.com Breach" on @Spreaker #cloudsecurity #cyberextortion #cybersecurity #databreach #mobilesecurity #oauth #shinyhunters #vishing
Standing Up to Extortion: Lessons from the Checkout.com Breach
Standing Up to Extortion: Lessons from the Checkout.com Breach and the Rise of Vishing Attacks

Description
This week on Upwardly Mobile, we dive deep into the tactics of the prolific criminal group ShinyHunters and explore how global enterprises are responding to sophisticated cyber extortion attempts in 2025. We analyze two major security incidents that highlight critical vulnerabilities in legacy systems and modern OAuth ecosystems.

The Extortion Dilemma: Checkout.com Stands Firm
We detail the incident where https://www.checkout.com/blog/protecting-our-merchants-standing-up-to-extortion was contacted by ShinyHunters, who demanded a ransom after gaining unauthorized access to a legacy, third-party cloud file storage system. This system was used in 2020 and prior years for internal operational documents and merchant onboarding materials, affecting less than 25% of their current merchant base. Critically, the threat actors did not access merchant funds or card numbers, and the live payment processing platform was not impacted. Checkout.com publicly stated they would not be extorted and refused to pay the ransom. Instead, they are turning this attack into an investment for the entire security industry by donating the ransom amount to https://www.cmu.edu/ and the https://gcscc.ox.ac.uk/home-page to fund cybercrime research. The company accepted full responsibility for the legacy system not being properly decommissioned.

The 2025 OAuth and Vishing Wave
The episode also examines ShinyHunters' 2025 campaign targeting mobile and web-based enterprise applications, particularly those connected to Salesforce and integrated platforms like Salesloft and Drift. These attacks were characterized by sophisticated social engineering and voice phishing ("vishing"), where attackers impersonated IT staff (sometimes using AI-generated voices) to persuade employees to authorize malicious versions of Salesforce tools via mobile or web apps.
By exploiting OAuth tokens, ShinyHunters compromised sensitive internal APIs and data from high-profile victims, including Google, Cloudflare, Qantas, Allianz Life, and Adidas. Analysts noted that these techniques bypassed technical controls by abusing human trust, enabling the theft of over 1.5 billion Salesforce records from approximately 760 organizations. These incidents underscore that modern mobile application security is deeply dependent on robust cloud and OAuth ecosystem safeguards.

Sponsor
This episode of Upwardly Mobile is brought to you by approov.io, helping protect your mobile API access and application endpoints from sophisticated attacks like those utilizing stolen OAuth tokens.
Sponsor Link: https://notebooklm.google.com/notebook/approov.io

Keywords: ShinyHunters, Cyber Extortion, Ransomware, Legacy System Vulnerability, OAuth Exploitation, Vishing, Voice Phishing, Salesforce Security, Checkout.com, Cybercrime Research, Cloud Security, Supply Chain Attack, Mobile Application Security, Digital Economy Security, Data Breach.

Relevant Source Materials and Links
- https://www.checkout.com/blog/protecting-our-merchants-standing-up-to-extortion
ShinyHunters Salesforce Cyberattacks via Vishing and OAuth Exploitation
- The Hackernews: Why the ShinyHunters Data Breach vs. SaaS highlights vulnerabilities
- TrueSec: Cyber extortion group ShinyHunters targets Salesforce customers
- CM Alliance: Reports on major cyberattacks and data breaches in September 2025
- EclecticIQ: Analysis of ShinyHunters' financially motivated data extortion group targeting enterprise cloud applications
- ReSecurity: Examining the alliance of threat actors and their global cybercrime spree
- Obsidian Security: The merger of chaos between ShinyHunters and Scattered Spider in the 2025 Salesforce attacks
- Cysecurity News: Coverage of ShinyHunters’ voice phishing attacks
- ReliaQuest: Threat spotlight on ShinyHunters targeting Salesforce amid collaboration with Scattered Spider
- CloudProtection: Reporting on Salesforce attacks in 2025
- PKWARE: Recent Data Breaches
www.spreaker.com
November 15, 2025 at 12:55 AM
Reposted by Approov Mobile Security
Microsoft security researchers have discovered a new backdoor malware named SesameOp that uses the OpenAI Assistants API as a covert command-and-control channel.
Microsoft: SesameOp malware abuses OpenAI Assistants API in attacks
www.bleepingcomputer.com
November 3, 2025 at 6:35 PM