Unpacking the WestJet Cyberattack | Mobile App Security and Aviation Threats

Join us on "Upwardly Mobile" as we dissect the significant WestJet cyberattack, an incident that brought to light critical vulnerabilities in mobile application security and backend systems within the aviation sector. Episode Overview: The WestJet cyberattack, reported on June 14, 2025, caused disruptions to the airline's mobile application and select internal systems, though flight operations remained unaffected. This incident underscores an often-overlooked area of vulnerability where protections for user devices by companies like Apple and Google don't fully extend to how apps communicate with their servers.

Key Discussion Points:

• The Attack Vector: The incident likely exploited weaknesses in backend APIs, a common tactic among experienced cybercriminals, similar to the Hawaiian Airlines attack. Preliminary evidence suggests the use of the known vulnerability CVE-2023-12345, which affects parameter handling in mobile application backends. Threat actors also potentially used targeted spear-phishing campaigns to compromise employee credentials, aligning with the MITRE ATT&CK technique T1566 – Phishing.
• Affected Systems: The attack directly impacted the WestJet Mobile App version 4.5.2 (the frontline consumer interface) and its accompanying API Backend version 1.8.9. Internal systems, including Oracle Database 19c (storing customer profiles and booking details) and Windows Server 2019 infrastructures, were also compromised.
• Adversary Tactics: Forensic analysis indicates advanced exploitation methods, potentially involving custom scripts for lateral movement (T1059 – Command and Scripting Interpreter) and remote access tools. The sophistication of techniques and the dual targeting of customer-facing and internal infrastructures suggest a well-planned campaign by an organized group with expertise in the aviation sector, possibly using advanced exploit frameworks like Cobalt Strike.
• Impact and Consequences: Beyond immediate service disruptions, the attack poses significant risks to customer confidence and operational continuity. There's a consequential risk of data exfiltration, intellectual property compromise, and potential fraudulent activities due to unauthorized access to sensitive internal information and customer profiles. The incident also elevates the risk profile for supply chain partners and third-party vendors.
• Recommendations for Enhanced Security: Immediate actions include urgent patch management for vulnerabilities like CVE-2023-12345, extending multi-factor authentication (MFA) across all sensitive internal systems, and revising incident response protocols. Organizations should also enhance email filtering, deploy advanced threat detection systems like CrowdStrike Falcon and Cisco Secure Endpoint, and implement network segmentation to contain lateral movements. Theodore Miracco, CEO of Approov Mobile Security, emphasizes the critical need to address these overlooked vulnerabilities.

Relevant Links to Source Materials:

• WestJet Cyberattack Report: In-Depth Analysis of the WestJet Mobile App Breach and Internal System Vulnerabilities by Rescana: https://www.rescana.com/post/westjet-cyberattack-report-in-depth-analysis-of-the-westjet-mobile-app-breach-and-internal-system-v
• Reuters Report on WestJet Incident: https://www.reuters.com/sustainability/boards-policy-regulation/westjet-probes-cybersecurity-incident-affecting-app-internal-systems-2025-06-14/
• WestJet's Official Advisory: https://www.westjet.com/en-ca/news/2025/advisory--cybersecurity-incident-
• MITRE ATT&CK Framework: https://attack.mitre.org
• CrowdStrike: https://www.crowdstrike.com
• Mandiant: https://www.mandiant.com
• Approov Mobile Security: www.approov.io 

Sponsor: This episode is brought to you by Approov Mobile Security. Learn how they protect mobile apps and their APIs at: approov.io Keywords: WestJet, cyberattack, mobile app security, aviation security, API vulnerabilities, spear-phishing, data breach, cybersecurity, incident response, digital threat, airline security, MITRE ATT&CK, CVE-2023-12345, Oracle Database, Windows Server, network security, supply chain risk, critical infrastructure. 

🎙️ Upwardly Mobile is hosted by Skye Macintyre & George McGregor. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast

Unpacking Apple's EU App Store Overhaul: Fees, Fines, and the Fight for DMA Compliance

Join us on "Upwardly Mobile" as we dive deep into Apple's latest App Store changes in the European Union, a direct response to the stringent Digital Markets Act (DMA). Faced with a hefty €500 million (about $570 million) penalty from the EU for "anti-steering" practices, Apple has introduced a complex new fee structure that's shaking up the mobile app ecosystem. What You'll Learn in This Episode:

• The New Tier System for Store Services Fees: Discover how Apple's new two-tier system impacts developers. Tier 1 offers basic App Store features for a 5 percent commission, while Tier 2 provides full access at a 13 percent commission. We'll discuss what features are missing from the cheaper tier, including automatic app updates and promotional tools.
• Introducing the Core Technology Commission (CTC): Understand Apple's new 5 percent commission on outside purchases made in apps distributed on the App Store. This fee is set to transition from the previous Core Technology Fee (CTF) by January 1, 2026, becoming a "single business model" for EU developers and applying to digital goods and services sold across the App Store and alternative marketplaces. The EU has previously ruled that the CTF was not "necessary and proportionate".
• The DMA's Impact and Anti-Steering Rules: We break down how the DMA forced Apple to allow developers more choices in app distribution and promotion, specifically ending prohibitions on "steering" users to cheaper alternatives outside the App Store. This comes after a US court order, stemming from the Epic Games lawsuit, also prevented Apple from taking commission on purchases made outside the App Store in the US.
• The "Malicious Compliance" Debate: We explore the significant criticism Apple faces for its DMA compliance, with many, including Epic Games CEO Tim Sweeney and Spotify, accusing them of "malicious compliance"—adhering to the letter but not the spirit of the law. Critics argue Apple's changes still create barriers to competition.
• Apple's Defense and Ongoing Scrutiny: Despite the criticism and fines, Apple maintains it has taken significant steps to open its ecosystem and is appealing the EU's penalty. The European Commission is currently assessing these new changes to determine if they are fully compliant with the DMA.

Don't miss this essential episode to understand the shifting landscape of app development and distribution in Europe!

 Reading & Resources:

• Apple overhauls EU App Store rules following penalty (Link to The Verge article)
• Apple reveals complex system of App Store fees to avoid EU fine of 500 million euro (Link to CNBC article)
• Updates for apps in the European Union (Link to Apple Developer news)
• Apple's DMA developer support page and Compliance Report (Link to Apple's official DMA info)
• Alternative Terms Addendum for Apps in the EU and StoreKit External Purchase Link Entitlement Addendum for EU Apps (Links to Apple's legal terms)

Sponsor Message: This episode of "Upwardly Mobile" is brought to you by Approov. In a world of evolving mobile threats, Approov provides advanced mobile app shielding and API protection to keep your apps and APIs secure from bots and malicious attacks. Ensure your mobile transactions are safe and sound. Learn more at www.approov.io.

🎙️ Upwardly Mobile is hosted by Skye Macintyre & George McGregor. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast

Why the Open App Markets Act Matters

Episode Notes:Join us on "Upwardly Mobile" as we delve into the critical issue of how Apple and Google's dominant control over the mobile app ecosystem is stifling innovation in mobile app security and potentially increasing long-term consumer cyber risk. While both companies, especially Apple, are currently seen as doing a "reasonable job" with cybersecurity within their closed environments, experts warn that this "monoculture protection" is not sustainable against evolving threats from nation-states, criminal groups, and AI.The Problem with App Store Monopolies: The core argument is that monopolistic behavior naturally suppresses innovation because there's little fear of competition. This has led to a situation where innovative mobile app security startups are struggling to achieve the growth and valuations seen in other cybersecurity sectors like cloud and API security, despite the central role mobile apps play in our daily lives. This concentration of security responsibility with just two companies puts all our "defensive eggs into one basket".A prime example is Google Mobile Services (GMS), which maintains a strong hold on Android mobile apps, making it difficult for external security vendors to compete effectively. The sources highlight that Apple and Google's solutions are specific to their closed ecosystems, lacking incentive for crucial cross-platform security initiatives.The Solution: The Open App Markets Act (OAMA) The bipartisan Open App Markets Act was introduced by U.S. Senators Marsha Blackburn, Richard Blumenthal, Mike Lee, Amy Klobuchar, and Dick Durbin to address these concerns. This landmark legislation aims to set fair, clear, and enforceable rules to promote competition and strengthen consumer protections within the app market by curtailing Apple and Google's "gatekeeper control".

Key Provisions of OAMA:

• Protecting Developer Rights: Developers would be empowered to inform consumers about lower prices and offer competitive pricing outside the app stores, without fear of penalty from Apple or Google.
• Enabling Sideloading & Third-Party App Stores: The Act would make it easier for users to install apps from sources other than the official app stores, and to choose third-party app stores as their default.
• Promoting Alternative Payment Systems: It seeks to open the market to alternative in-app payment systems, reducing the reliance on Apple and Google's own payment processors and their significant commission fees (often 15-30%).
• Preventing Self-Preferencing: It would stop app store owners from "unreasonably" favoring their own apps in search results or using private data from third-party apps to develop competing products.
• Granting Consumer Control: Users would gain greater control over their devices, including the ability to choose third-party apps as defaults and uninstall preinstalled apps.
• Security & Privacy Safeguards: The bill includes provisions allowing app stores to take actions "necessary to achieve user privacy, security, or digital safety," provided these actions are applied consistently and are narrowly tailored.

Support & Criticisms:

The Open App Markets Act has garnered strong support from numerous technology and consumer groups, including Spotify, Epic Games, the American Economic Liberties Project, and the Coalition for App Fairness, all advocating for a fairer, more competitive marketplace. They argue it will lead to lower prices, more innovation, and increased consumer choice.However, Apple and Google are predictably opposed, raising concerns about potential security risks associated with opening up their platforms to sideloading and alternative app stores. There are also ongoing debates about whether the bill could inadvertently affect content moderation by potentially penalizing companies for exercising editorial judgment.Recommendations for Moving Forward: Beyond legislation, the authors of "Apple and Google are Suppressing Innovation in Mobile App Security" offer concrete recommendations for Apple and Google to foster a healthier mobile app security ecosystem:

1. Facilitate Third-Party Security Vendors: Open their ecosystems to third-party mobile app security solutions through certification and partnership models.
2. Incentivize Developers: Financially reward developers who invest in robust security measures, potentially through reduced commission rates.
3. Adopt Open Standards: Transition to widely recognized open standards for mobile app security evaluation, such as those developed by OWASP, and extend this to mobile payment systems.

These steps are crucial to ensure that the rapid evolution of cyber threats is met with equally rapid and diverse innovation, protecting consumers and society at large from future mobile app breaches.Sponsor: This episode is brought to you by Approov. Learn more about their cutting-edge mobile app and API shielding security solutions at www.approov.io.


Keywords: Mobile app security, Apple App Store, Google Play Store, monopoly, innovation, competition, Open App Markets Act, OAMA, sideloading, third-party app stores, alternative payment systems, cybersecurity threats, consumer protection, developer rights, digital economy, antitrust, tech regulation, privacy, OWASP, GMS.

• Approov: https://www.approov.io/
• TAG Infosphere: https://www.tag-infosphere.com/
• NYU Center for Cybersecurity (CCS): https://cyber.nyu.edu/
• DOJ lawsuit against Apple monopoly: https://www.theverge.com/2024/3/21/24105363/apple-doj-monopoly-lawsuit
• Wired on Google's app store monopoly being ruled illegal: https://www.wired.com/story/googles-app-store-monopoly-ruled-illegal-jury-epic/
• DOJ report on AT&T divestiture: https://www.justice.gov/archives/atr/att-divestiture-was-it-necessary-was-it-success
• Apple's Platform Security: https://www.apple.com/business/docs/site/AAW_Platform_Security.pdf
• Google's Cybersecurity Story: https://safety.google/stories/micklitz-pietraszek/
• NowSecure on mobile app breaches: https://www.nowsecure.com/mobile-app-breach-news/
• OWASP® Foundation: https://owasp.org/www-project-mobile-top-10

• Spotify vs. Apple commission fees: https://forums.appleinsider.com/discussion/233654/spotify-speaks-out-against-apples-30-commission-fee-again
• Epic Games vs. Apple App Store saga: https://appleinsider.com/articles/20/08/23/apple-versus-epic-games-fortnite-app-store-saga-the-story-so-far
• Cybersecurity startup valuations: https://www.finrofca.com/news/cybersecurity-startups-valuation-and-multiples-2024
• GMS vs. Non-GMS Android apps: https://emteria.com/blog/gms-vs-non-gms/
• Epic vs. Google trial verdict: https://www.theverge.com/23994174/epic-google-trial-jury-verdict-monopoly-google-play

• Huawei revenue despite US sanctions: https://www.cnet.com/tech/mobile/huaweis-2023-revenue-soars-despite-us-sanctions/
• Xiaomi: https://www.mi.com/us/

🎙️ Upwardly Mobile is hosted by Skye Macintyre & George McGregor. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast

The 16 Billion Password Leak: Securing Your Digital Footprint

Episode Notes:
In this crucial episode of "Upwardly Mobile," we delve into the recent confirmation of what researchers believe is the largest password leak in history, exposing an astounding 16 billion login credentials [1-4]. This "mother of all leaks" involves a vast number of compromised records, with researchers discovering "30 exposed datasets containing from tens of millions to over 3.5 billion records each" [3, 4].

Understanding the Massive Breach:
• Scope of Compromise: The leaked data includes billions of login credentials from social media, VPNs, developer portals, and user accounts for major vendors like Apple, Facebook, and Google, as well as GitHub, Telegram, and various government services [4-8].
• Nature of the Data: Researchers have stated that the information contained is "fresh, weaponizable intelligence at scale" and not merely recycled old breaches [6, 9]. It often includes a URL, login details, and a password, opening the door to "pretty much any online service imaginable" [6, 7].
• Cause of the Leak: While the 16 billion strong leak is primarily attributed to multiple infostealers [2, 10], experts also highlight how easily sensitive data can be unintentionally exposed online, such as in misconfigured cloud environments [11, 12].
• Clarification on Company Breaches: Cybersecurity researcher Bob Diachenko clarified that there was "no centralized data breach at any of these companies" like Apple, Facebook, or Google. Instead, the credentials were found in infostealer logs containing login URLs to their pages, making password reuse across services a significant risk [13].
• The Danger: This leak is described as "a blueprint for mass exploitation" and "ground zero for phishing attacks and account takeover" [6, 7, 9]. Stolen passwords are readily available on the dark web for purchase by malicious actors, leading to identity theft, fraud, and blackmail [8, 14-16].
Essential Steps to Protect Your Digital Life:
• Change Passwords: It is highly recommended to change your account passwords, especially if you have ever reused any credentials across more than one service [17, 18].
• Embrace Passkeys: Transitioning to passkeys wherever possible is crucial. Passkeys are significantly more secure than traditional passwords, often leveraging factors like face or fingerprint recognition, and are gaining adoption by major tech companies like Apple, Facebook, and Google [1, 14, 17, 19].
• Use Password Managers: Invest in and utilize password management solutions to generate and securely store unique, strong passwords for all your online accounts [17, 20, 21].
• Implement Multi-Factor Authentication (MFA): Enable MFA on all your accounts as an additional layer of security beyond just a password [21, 22].
• Utilize Dark Web Monitoring Tools: These tools can alert you if your passwords have been exposed online, enabling you to take immediate action [20, 21].
• Avoid Password Reuse: This is a critical security practice; never use the same password across multiple websites. If one account is compromised, attackers can gain access to others where the password has been reused [18, 23].

How Organizations Can Strengthen Their Defenses:

This episode is proudly brought to you by Approov, a key player in API security, providing robust protection against threats stemming from compromised credentials [24]. Approov enhances security by establishing a layered model that makes compromised credentials insufficient for attackers to access protected APIs [25]:
• App Instance Authentication: Approov verifies that only genuine, untampered versions of your mobile app can communicate with your backend APIs [24].
• Defense Against Credential Stuffing: Attacks relying on stolen credentials are thwarted unless the request originates from a validated app environment [26].
• Mitigating Bot and Script Attacks: Traffic from automated login attempts using breached credentials is detected and prevented [26].
• API Key and Secrets Protection: Secrets like API keys are delivered at runtime only to verified apps, ensuring they are never hardcoded or exposed in the app binary [27].
• Short-Lived Tokens and Pinning: Approov uses short-lived JWT tokens and TLS certificate pinning to secure data in transit and prevent Man-in-the-Middle (MitM) attacks [27].
• Granular Security Policies: Security policies can be dynamically updated to revoke access for specific devices or app versions, allowing immediate response to suspected compromises without needing an app update [25].
Approov empowers organizations to "limit risk by ensuring access to sensitive systems is always authenticated, authorized and logged," regardless of where the data resides [20]. Discover more about their solutions at approov.io.
**The Debate on Shared Responsibility:**The massive leak underscores that cybersecurity is a shared responsibility [12, 21, 22]. However, some experts, like Paul Walsh of MetaCert, argue that user education has been ineffective for over a decade, questioning how users can be expected to spot threats that security providers themselves cannot [28]. Regardless of the debate, organizations must do their part in protecting users, and individuals must remain vigilant [21, 22].
--------------------------------------------------------------------------------

Relevant Links to Source Materials:
• "16 Billion Apple, Facebook, Google And Other Passwords Leaked" by Davey Winder (Forbes) [1-3, 5, 6, 10, 11, 13-15, 17, 19, 20, 22, 23, 28-31]
• "16 billion Google, Apple, other passwords leaked: What to know" by Ben Cost (New York Post) [4, 7-9, 12, 16, 18, 21, 32-36]
• "Approov: Defending APIs Against Credential Breaches" (Approov) [24-27]
Sponsor: Approov – approov.io

Keywords:
16 billion password leak, data breach, cybersecurity, password security, passkeys, online security, Apple, Google, Facebook, infostealers, account takeover, phishing attacks, dark web, API security, Approov, zero-trust, multi-factor authentication, digital footprint, personal data protection, identity theft, cybercrime, security tips, data privacy.


🎙️ Upwardly Mobile is hosted by Skye Macintyre & George McGregor. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast

FDA Regulation and Cybersecurity for Life-Critical Health Apps

Welcome to "Upwardly Mobile," the podcast exploring the intersection of mobile technology, health, and regulation. In this episode, we dive deep into the world of Mobile Medical Apps (MMAs), understanding how the FDA ensures their safety and effectiveness, and why cybersecurity is absolutely non-negotiable in this rapidly evolving landscape.

What You'll Learn:
• The Rise of mHealth: Mobile health (mHealth) apps are revolutionizing healthcare, empowering patients with personalized monitoring, tracking, and therapeutic support1. The regulated medical apps market is projected to reach a staggering $156 billion by 20331.
• Understanding FDA Oversight: The U.S. Food & Drug Administration (FDA) plays a critical role in overseeing device software functions, including mobile medical apps2. Their focus is on software that presents a significant risk to patients if it fails, or software that transforms a mobile platform into a regulated medical device2....
• Defining Mobile Medical Apps: An app is classified as a mobile medical app if it meets the definition of a device under section 201(h) of the FD&C Act, meaning it's intended for use in the diagnosis, cure, mitigation, treatment, or prevention of disease, or to affect the body's structure or function3.... Examples include apps that control medical devices, transform a phone into a diagnostic tool (like an ECG reader or glucose meter), or provide treatment recommendations58.
•
FDA's Risk-Based Approach: The FDA applies a risk-based approach, focusing its oversight on higher-risk software functions that require formal review910. However, for many low-risk apps—such as those that help users self-manage conditions without providing specific treatment suggestions, or automate simple tasks for healthcare providers—the FDA intends to exercise enforcement discretion, meaning they won't typically require premarket review. The FDA does not regulate general consumer smartphones, tablets, or mobile app stores.

• The Criticality of Cybersecurity: For any medical device, including mobile medical apps, cybersecurity is paramount for safety and effectiveness14. As Jessica Wilkerson, a Senior Cybersecurity Policy Advisor at the FDA, emphasizes, "You cannot have a safe and effective device if you don’t have a cybersecure device"414. Mobile app security vulnerabilities pose significant risks, including patient harm, data breaches, privacy compromises, legal consequences, and damage to brand reputation15.

• Emerging Threats and Weaknesses: The mobile medical ecosystem faces serious threats like Man-in-the-Middle (MitM) attacks, which can falsify data or steal protected health information (PHI)16. Runtime tampering using tools like Frida or Xposed allows attackers to modify app behavior, bypass protections, or extract sensitive data17. Common weaknesses found in mHealth apps include static API keys, lack of app attestation, weak runtime protection, and insufficient certificate pinning1819.

• Best Practices for Secure Mobile Medical Apps: To combat these threats, robust security measures are essential. These include App Attestation to ensure only legitimate apps access APIs, Runtime Threat Detection to identify hooking or emulation, Dynamic Secrets and Token Protection to prevent credential exposure, API Hardening, and MitM Mitigation through dynamic certificate pinning1920.

• Industry Insights on Security Gaps: A NowSecure benchmark report revealed that an alarming 95% of healthcare apps failed one or more OWASP Mobile Application Security Verification Standard (MASVS) checks, highlighting widespread issues like insecure network connections, insecure platform interaction, and insecure code quality2122. This underscores the urgent need for developers to adopt secure coding practices and perform continuous security testing22.
Relevant Links & Resources:

• FDA Official Guidance:
◦ Device Software Functions Including Mobile Medical Applications: https://www.fda.gov/medical-devices/digital-health-center-excellence/device-software-functions-including-mobile-medical-applications2324
◦ Policy for Device Software Functions and Mobile Medical Applications - Guidance: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/policy-device-software-functions-and-mobile-medical-applications2526
• FDA Regulation: Ensuring the Safety & Security of Medical Mobile Apps (NowSecure): https://www.nowsecure.com/blog/2024/05/01/fda-regulation-ensuring-the-safety-security-of-medical-mobile-apps/2728

Sponsor Message:
This episode of "Upwardly Mobile" is brought to you by Approov. Approov provides a cutting-edge zero-trust security layer specifically designed for mobile-connected environments, including sensitive digital health applications. They help ensure that only trusted, untampered apps running in secure environments can access your critical APIs, protecting patients, preserving intellectual property, and aiding manufacturers in meeting stringent healthcare compliance needs like HIPAA and GDPR29.... To learn more about securing your mobile medical ecosystem, visit approov.io.

Keywords:
Mobile Medical Apps, FDA Regulation, mHealth, App Security, Cybersecurity, Patient Safety, Medical Devices, Digital Health, Mobile App Development, Healthcare Technology, Compliance, API Security, Data Privacy, OWASP, Runtime Protection, App Attestation, Certificate Pinning.

🎙️ Upwardly Mobile is hosted by Skye Macintyre & George McGregor. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast

GodFather Malware: The Virtual App Deception You Won't See Coming

Episode Notes:
GodFather Malware's Stealthy Installation & Virtualization Attack In this episode of "Upwardly Mobile," we dive deep into the sophisticated threat posed by the GodFather Android malware, a dangerous new version that's hijacking legitimate mobile applications, especially banking and cryptocurrency apps, by turning your own device into a spy. We'll uncover its deceptive installation methods and its advanced on-device virtualization technique that makes it nearly impossible to detect visually. How GodFather Malware Gets Installed: Beyond the Play Store The GodFather malware doesn't come from the official Google Play Store. Instead, it gets installed through a highly deceptive process that begins with users downloading malicious applications from phishing sites. This is a prime example of sideloading – installing apps from unofficial channels. Here’s a breakdown of its cunning installation tactics:

• Initial Access via Phishing: Adversaries host phishing sites where users are lured into downloading these malicious applications.
• Deceptive Installation Technique: The malware uses a session-based installation technique to deploy its actual payload, specifically designed to bypass accessibility permission restrictions.
• Luring Victims with False Promises: During installation, it presents a message stating, "You need to grant permission to use all the features of the application." This is a calculated tactic to trick users into unknowingly installing the malware.
• Hidden Payload and Permission Escalation: The core malicious payload is concealed within the assets folder of the deceptive application. Once a victim falls for the trick and grants initial accessibility permissions, GodFather can then covertly grant itself additional permissions by overlaying content on the screen, all without the user's awareness or consent.
• Masquerading: To avoid detection, the malware often masquerades as a genuine Music application.

The Virtualization Trick: Running Real Apps in a Sandbox Forget fake login screens – GodFather's new upgrade leverages on-device virtualization. Instead of just showing a deceptive image, the malware installs a hidden "host app" that runs a real copy of your banking or crypto app inside its own controlled sandbox. When you try to open your actual app, the malware seamlessly redirects you to this virtual version. This technique offers significant advantages to attackers:

• Real-Time Monitoring and Control: The malware monitors and controls every action, tap, and word you type in real time, making it nearly impossible to notice anything amiss since you're interacting with the actual app.
• Data Theft and Account Takeover: This allows attackers to steal usernames, passwords, and device PINs, ultimately gaining complete control of your accounts. It can intercept sensitive data as you enter it and even modify app behavior to bypass security checks like root detection.
• Mimicking & Interception: GodFather first scans for apps on your device, compares them against a list of targeted apps (which numbers nearly 500 globally). If a targeted app is found, it creates a virtualized version. It can also steal device lock credentials (PIN, pattern, password) using deceptive overlays.
• Remote Control: The malware can even remotely control an infected device using various commands, allowing hackers to commit real-time fraud without your knowledge.

Evasive Maneuvers and Global Targets While GodFather employs its advanced virtualization, it also continues to use traditional overlay attacks. It has a broad reach, targeting 484 applications globally, including major global services for payments, e-commerce, social media, communication, and a vast array of cryptocurrency exchanges and wallets. The highly sophisticated virtualization attack is currently focused on 12 specific Turkish financial institutions. The malware uses clever tricks to avoid detection, such as tampering with APK file structures to make them appear encrypted, adding misleading information, and shifting harmful code to the Java layer. It also hides critical information, like its command and control (C2) server details, in an encoded form. Protecting Yourself from Advanced Mobile Malware While this upgraded version of GodFather has primarily targeted Turkish Android users so far, the threat could easily expand globally. Here are essential steps to protect your Android smartphone and financial data:

• Disable Unknown Sources: The easiest way to stop GodFather and similar malware is to turn off your Android smartphone's ability to install apps from unknown sources. This feature is disabled by default, but if you've enabled it, turn it off immediately.
• Be Wary of Downloads: Exercise caution with files sent via email or social media, as they can contain malware.
• Enable Google Play Protect: Ensure Google Play Protect is enabled on your smartphone, as it can scan existing and new apps for malware. Consider an Android antivirus app for additional protection.
• Limit App Installations: Reduce your risk by limiting the number of apps installed on your phone. Delete unused apps and question whether you truly need a new app before installing it.
• Keep Your OS Updated: Always update your Android smartphone as soon as new software becomes available. These updates often include critical security patches.

How Approov Can Help Companies like Approov offer robust defenses against such sophisticated threats. Approov already has detections for protected apps running inside cloner apps, which share similarities with GodFather's virtualization technique. App attestation combined with RASP (Runtime Application Self-Protection) defenses can be used to defend against these attacks. While the "cat and mouse" game continues, solutions like Approov aim to detect when protected apps are run in compromised environments, helping to safeguard sensitive data. For more information on how to protect your mobile apps and APIs, visit our sponsor: approov.io

Keywords: GodFather malware, Android malware, mobile banking security, cryptocurrency app security, virtualization attack, sideloading, phishing, mobile security, app attestation, RASP, Google Play Protect, cybercrime, data theft, credential stealing, cloner app, Android security, Zimperium, Approov, mobile app hijacking, advanced persistent threat. 

🎙️ Upwardly Mobile is hosted by Skye Macintyre & George McGregor. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast

Protecting Your Crypto Wallets from Deceptive Apps

A critical cybersecurity threat that has impacted cryptocurrency users on the Google Play Store. In this episode of Upwardly Mobile, we uncover the alarming findings by Cyble Research and Intelligence Labs (CRIL), who identified over 20 malicious applications actively targeting crypto wallet users [1-4].

Key Discoveries and Threat Tactics:
• These deceptive apps impersonate legitimate and popular crypto wallets such as SushiSwap, PancakeSwap, Hyperliquid, and Raydium [2-4]. They even use the icons of legitimate wallets to trick victims into trusting them [5].
• Once installed, the apps prompt users to enter their 12-word mnemonic phrases to access fraudulent wallet interfaces [2, 3, 6]. This highly sensitive information is then used by threat actors to access real wallets and drain cryptocurrency funds, leading to irreversible financial losses, as cryptocurrency transactions are not easily reversible [3, 7-9].
• The malicious apps are distributed through the Play Store under compromised or repurposed developer accounts [2-4]. Some of these accounts previously hosted legitimate apps and had amassed over 100,000 downloads, suggesting they were compromised to distribute these new malicious applications [8, 10].
• Threat actors employ consistent patterns, such as embedding phishing URLs within their privacy policies and using similar package names and descriptions [2, 5, 8]. The investigation also revealed that these apps leverage development frameworks like Median to rapidly convert phishing websites into Android apps [6, 11].
• A look into the infrastructure uncovered that the phishing URLs are hosted on IP addresses associated with over 50 other phishing domains, indicating a centralized and well-coordinated operation [7, 12-14]. This large-scale phishing infrastructure, combined with seemingly legitimate applications, makes detection challenging and extends the campaign's reach [7, 14].

The Reality of App Store Security & Why Vigilance is Key: This campaign underscores a critical mobile app security myth: mobile app stores do not guarantee the security of all apps available for download [15, 16]. Despite stringent security measures, malicious apps can and do make their way onto platforms like the Google Play Store [16-21]. Cybersecurity experts, like Jake Moore from ESET, emphasize that users must be extremely cautious and perform due diligence even when downloading from legitimate platforms, especially for apps connected to finances [17].
**Your Defense Strategy:**To safeguard your digital assets and personal information, it's crucial to follow these essential cybersecurity best practices:
• Download apps ONLY from verified developers and carefully check app reviews, publisher details, and download statistics before installing [17, 22].
• NEVER enter sensitive information like mnemonic phrases into an app unless you are absolutely certain it's the legitimate application, ideally linked directly from the official website of the crypto wallet itself [9, 22].
Enable biometric security features, such as fingerprint or facial recognition, on your mobile devices [22].
• Be extremely cautious about opening any links received via SMS or emails, as these are common phishing vectors [22].
• Ensure that Google Play Protect is enabled on your Android devices [8, 22].
For developers, it's crucial to prioritize security throughout the mobile app development lifecycle, recognizing that static defenses like code obfuscation are often insufficient [19, 23-27]. Dynamic, runtime security measures such as Runtime Application Self-Protection (RASP), Runtime Secrets Protection, and Dynamic Certificate Pinning are non-negotiable for protecting sensitive data and functionality [27]. Additionally, App Attestation and token-based API access are vital for verifying the integrity of the mobile app itself before granting API access, blocking bots, scripts, and tampered apps [27-29].

Sponsor Spotlight: This episode of "Upwardly Mobile" is proudly sponsored by Approov, the gold standard in mobile app attestation and API security. Approov helps protect mobile apps and APIs by enforcing trust boundaries between mobile clients and backend services, significantly raising the bar against malicious or unauthorized data harvesting and sophisticated attacks. Learn more about securing your mobile apps and APIs at approov.io.

Relevant Links:
• Excerpts from "Crypto Phishing Applications On The Play Store" [1-3, 5-7, 10-13, 22, 30-42]
• Excerpts from "Delete Every App On Your Smartphone That’s On This List" [4, 8, 9, 14, 17, 43-49]
• Excerpts from "Mobile App Security Myths" [15, 16, 18-21, 23-26, 50-69]

Learn more about protecting your APIs and mobile applications: https://approov.io/ (Please note: Information about Approov.io is external to the provided sources within the "Crypto Phishing Applications On The Play Store", "Delete Every App On Your Smartphone That’s On This List", and "Mobile App Security Myths" documents, and you may want to independently verify that information.)
Keywords: Crypto phishing, Play Store, mobile app security, mnemonic phrase, cryptocurrency, scam apps, cyber threat intelligence, cybercrime, phishing attack, digital wallets, Android security, app store security, API security, social engineering, app attestation, runtime security, RASP, brand impersonation, fraudulent domains, threat detection, dark web monitoring, vulnerability management.

🎙️ Upwardly Mobile is hosted by Skye Macintyre & George McGregor. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast

Strategies for App Revenue Success

Welcome to "Upwardly Mobile," the podcast that empowers founders to scale their ventures! In this essential episode, we look into the often-challenging world of app store fees, exploring how Apple and Google claim a significant cut from your hard-earned revenue and, more importantly, how you can navigate these charges to maximise your profit.

The Reality of App Store Fees: Discover why Apple and Google typically claim up to 30% of revenue from in-app purchases1. While a reduced 15% rate exists for smaller businesses earning under $1 million annually, founders serious about scaling need to understand the broader implications1. We discuss how increasing regulatory pressure, particularly from the EU, is forcing these tech giants to loosen their grip, but often only where legally compelled.

Key Regulatory Changes & Exceptions: Learn about Apple's compliance with the EU’s Digital Markets Act (2024), which now permits app distribution outside the App Store and the integration of external payment systems within the EU, albeit with a reduced commission of 10% to 17%4. Crucially, this flexibility does not extend beyond EU borders45. We also examine Google’s User Choice Billing program, which allows developers to offer their own payment methods alongside Google’s, with fees still applying at 11% or 26%4. We explore other exceptions born from legal battles and regulatory requirements, such as reader apps like Netflix and Spotify being able to link to external sign-up pages due to pressure from Japan's Fair Trade Commission6. Additionally, legislation in the Netherlands and South Korea has forced Apple to allow external payments for dating apps, though Apple still collects a slightly reduced cut (27% and 26%, respectively).

Mastering the Hybrid Model for Revenue Optimisation: One of the most effective strategies to reduce Apple and Google fees is implementing a hybrid monetisation model3. This approach combines in-app purchases with a web-based payment system, allowing you to bypass the hefty 30% cut for your most loyal users who are willing to take an extra step to pay outside the app37. We illustrate the potential savings: for a health app with a dedicated user base paying $15 a month for premium features, converting just 5% of 100,000 users via your website could save you an incredible $25,000 in monthly fees compared to being locked into Apple’s in-app purchase system8. However, we also highlight the critical importance of careful strategy and clear messaging to avoid losing users who might bounce if they encounter a paywall with no clear way to pay9. This approach requires balancing fee reduction with the potential sacrifice of some organic traction provided by App Store visibility57.

Alternative Distribution & The Debate on Fair Fees: While alternative distribution methods like sideloading apps or distributing outside official app stores can help you bypass fees, they come with their own challenges, often sacrificing mainstream adoption and App Store visibility59. For example, 

Google’s sideloading flexibility doesn't mean most users will jump through hoops, and Apple’s EU compliance with the Digital Markets Act is limited geographically5. We delve into the compelling argument that app store fees should be low or even zero, as proposed by experts like Damien Geradin10. This perspective suggests that fees should reflect only the intrinsic value the app store brings to developers, rather than the 'lock-in' or 'gatekeeper' value created by restrictions of competition and resulting network effects. Furthermore, it acknowledges the significant value that app developers bring to Apple and Google’s mobile ecosystems by drawing users to their platforms. This synergetic relationship has become conflictual due to imposed restrictions and fees.

Ultimately, success comes down to knowing your audience and understanding their willingness to follow your preferred payment process513. By staying informed, agile, and strategically implementing hybrid models, you can take greater control of your revenue stream and transform your app’s profitability.

Relevant Links:
• The Real Cost Of App Store Fees: A Founder’s Guide To Understanding The Landscape by Lubo Smid, Forbes Technology Council: https://www.forbes.com/sites/forbestechcouncil/2025/05/06/the-real-cost-of-app-store-fees-a-founders-guide-to-understanding-the-landscape/

• Why the Apple App Store and the Google Play Store fees should be low or even zero by Damien Geradin, SSRN: https://ssrn.com/abstract=5272037
Sponsor: This episode of "Upwardly Mobile" is brought to you by Approov.io, experts in API threat protection. Learn more about securing your mobile apps at approov.io. (Please note: Information about Approov.io is external to the provided sources and may need independent verification.)

Keywords: App store fees, Apple App Store, Google Play Store, app monetisation, in-app purchases, hybrid model, external payments, Digital Markets Act, EU regulation, sideloading, app developers, mobile ecosystems, gatekeepers, revenue optimisation, profit maximisation, app strategy, scaling apps, startup, founder, technology, competition law.

🎙️ Upwardly Mobile is hosted by Skye Macintyre & George McGregor. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast

Episode Notes:
Dive deep into the shocking revelations about covert web-to-app tracking affecting billions of Android users! This episode uncovers a novel tracking method employed by tech giants Meta (Facebook Pixel) and Yandex (Yandex Metrica), which silently links your mobile browsing sessions to your long-lived native app identities.

Key Discoveries:
• The Localhost Loophole: Learn how Meta and Yandex exploit unrestricted access to localhost sockets on the Android platform. Native apps like Facebook, Instagram, Yandex Maps, Navigator, Browser, and Search listen on fixed local ports (e.g., Meta uses UDP ports 12580-12585; Yandex uses TCP ports 29009, 29010, 30102, 30103) to receive browser metadata, cookies, and commands from scripts embedded on thousands of websites1....
• Bypassing Privacy Protections: This method bypasses typical privacy controls such as clearing cookies, using Incognito Mode, and Android's permission controls4.... It effectively de-anonymises users by linking ephemeral web identifiers (like the _fbp cookie or Android Advertising ID (AAID)) to persistent mobile app IDs, even when users are not logged into the browsers2....
• Meta's Evolution: Discover how Meta Pixel has evolved its techniques, initially using HTTP, then WebSocket, and more recently, WebRTC STUN with SDP Munging to transmit the _fbp cookie. Following disclosure, Meta shifted to WebRTC TURN, and as of early June 2025, the script was no longer sending packets to localhost, with the code responsible for the _fbp cookie almost completely removed.
• Yandex's Persistent Method: Yandex Metrica has been using localhost communications since February 2017 via HTTP and HTTPS requests, where their native apps act as a proxy to collect Android-specific identifiers like the AAID and Google's advertising ID, transferring them to the browser context.
• Scale of Impact: These trackers are embedded on millions of websites globally. Meta Pixel is present on over 5.8 million websites (2.4 million according to HTTP Archive) and Yandex Metrica on close to 3 million sites (575,448 according to HTTP Archive)2122. Our research found that in a crawl of the top 100k sites, a significant number of sites (over 75% for Meta Pixel, 83-84% for Yandex Metrica) were attempting localhost communications potentially without user consent.
• Browsing History Leakage: Yandex's use of HTTP requests for web-to-native ID sharing can expose users' browsing history to malicious third-party apps also listening on the same ports. Browsers like Chrome, Firefox, and Edge were found to be susceptible to this leakage, even in private browsing modes.
• Industry Response: While some browsers like Brave and DuckDuckGo were already blocking these practices due to blocklists and existing consent requirements, others like Chrome and Firefox have implemented countermeasures or are actively investigating. Google has stated this behaviour violates Play marketplace terms of service and user privacy expectations, and Meta has paused the feature while discussing with Google.
• Lack of Awareness: Neither Meta nor Yandex publicly documented this specific localhost-based communication technique, and website owners and end-users were largely unaware of this covert tracking.

Why This Matters: This research highlights a critical vulnerability in Android's design, where unvetted access to localhost sockets breaks the fundamental sandboxing principle between mobile and web contexts10.... Current "fixes" are often specific blocklists, which are temporary solutions in an ongoing "arms race" with trackers. A more comprehensive, long-term solution requires stricter platform policies and user-facing controls on Android to limit this type of access at a fundamental level40....
--------------------------------------------------------------------------------
Special Thanks to our Sponsor: This episode is brought to you by Approov. Approov helps protect your mobile apps and APIs by enforcing trust boundaries between mobile clients and backend services. While it cannot control intentionally collected data, Approov significantly raises the bar for malicious or unauthorized data harvesting by others, mitigating ecosystem-level risks associated with identifier misuse44. Learn more about securing your mobile ecosystem at approov.io.
--------------------------------------------------------------------------------
Relevant Links:
• Read the full research paper: Link to the research paper "Covert Web-to-App Tracking via Localhost on Android"
• Explore the Ars Technica article: Link to the Ars Technica article "Meta and Yandex are de-anonymizing Android users’ web browsing identifiers"
• Learn more about mobile security: Link to the "Approov: Mobile Security and Data Protection" source.
--------------------------------------------------------------------------------
Keywords: Android tracking, mobile privacy, web-to-app tracking, localhost abuse, Meta Pixel, Yandex Metrica, data de-anonymization, user identity, mobile security, browser privacy, Android security, covert tracking, digital privacy, online tracking, bypass privacy, _fbp cookie, AAID, WebRTC, SDP Munging, STUN, TURN, data protection.


🎙️ Upwardly Mobile is hosted by Skye Macintyre & George McGregor. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast

Coinbase Under Attack: The $20 Million Ransom & The Fight Against Social Engineering

Join us on Upwardly Mobile as we unravel the recent cybersecurity incident that rocked Coinbase, one of the world's leading cryptocurrency exchanges. Discover how a sophisticated social engineering scheme led to a significant data breach, a audacious $20 million ransom demand, and Coinbase's bold refusal to pay the extortionists. Learn about the sensitive customer data that was compromised, the financial impact on the company, and crucial advice for users to stay safe in the ever-evolving digital landscape.

Episode Highlights:
• The Social Engineering Deception: Uncover how cybercriminals managed to persuade a small group of overseas customer support agents to copy sensitive customer data from Coinbase's internal tools in exchange for cash [1-4]. These actions were part of a single, larger campaign to exfiltrate data, despite early detection and termination of involved personnel [3, 5, 6].
• The Criminals' True Aim: Understand that the stolen information was intended to be used by criminals to contact customers and impersonate Coinbase support agents, attempting to trick them into giving up their crypto funds [1, 4, 7, 8]. This highlights the persistent threat of social engineering, which often exploits the "human element" as the weakest link in security [4, 8].
• What Data Was Compromised (and What Wasn't): While less than 1 percent of Coinbase's total customer data was stolen, the compromised information was highly sensitive. This included users' names, email and postal addresses, phone numbers, government ID images, account data and balance snapshots, the last four digits of social security numbers, masked bank account numbers, some bank account identifiers, transaction history, and limited corporate data [2, 7, 9]. Crucially, attackers did not gain access to users' login credentials, private keys, or the ability to move or access customer funds [2, 7, 9].
• Coinbase's Bold Rejection of the Ransom: Hear about the $20 million ransom payment demanded in Bitcoin from the attackers in exchange for not publicly releasing the stolen data [1, 5, 10-12]. However, Coinbase rejected this demand.
• The $20 Million Bounty: Instead of paying the extortionists, Coinbase CEO Brian Armstrong announced a $20 million award for any information leading to the arrest and conviction of these attackers. Armstrong publicly stated the company's commitment to prosecute and bring the criminals to justice. Coinbase is also cooperating with law enforcement in the investigation [6, 10].
• Impact and Remediation Costs: The data breach affected approximately 69,461 customers [15, 16]. Coinbase anticipates significant financial outlays, estimating it will spend between $180 million to $400 million on remediation costs and voluntary customer reimbursements related to this incident [6, 16-18].
• Customer Reimbursement and Enhanced Security: Coinbase has pledged to voluntarily reimburse retail customers who mistakenly sent funds to scammers as a direct result of this incident, following a review to confirm the facts. Flagged accounts will also undergo additional ID checks for large withdrawals. The company has also implemented heightened fraud-monitoring protections and warned affected customers.
• Essential Customer Advice: Remember, Coinbase will never ask for sensitive information like passwords or 2FA codes, nor will it call or text users to transfer funds to a specific or new address or "safe" wallet. Staying vigilant is key, as scammers may continue to impersonate Coinbase employees.

**Learn More & Stay Secure:**For robust mobile app security against sophisticated attacks, visit our sponsor: approov.io

🎙️ Upwardly Mobile is hosted by Skye Macintyre & George McGregor. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast