Mobile Banking Security Weekly #1

· Khoi Van

🔴 Critical Updates

ANDROID SECURITY BULLETIN · CRITICAL
System RCE vulnerability · SPL 2025-08-05
Update test devices immediately

GOOGLE PLAY API 35 · HIGH
Required by August 31, 2025
Extension available until November 1


🤖 Android

Security Bulletin · August 2025

CRITICAL SPL 2025-08-01/05

System RCE vulnerability and framework EoP. Pixel devices patched at 2025-08-05 level.

Impact: Login flows, OTP verification, 3DS authentication

Actions:

  • Update test devices to SPL 2025-08-05
  • Run smoke tests (login, transfers, 3DS)
  • Monitor crash rates for 48h post-update

Test Matrix: Android API 29-35 / WebView 139.x

Pixel Update Bulletin · August 2025

HIGH SPL 2025-08-05

Additional patches for Pixel devices including modem fixes.

Impact: Login flows, SMS/Voice OTP, 3DS authentication

Actions:

  • Update Pixel lab devices to 2025-08-05
  • Test SMS/Voice OTP after OTA
  • Monitor incident reports

Test Matrix: Android API 29-35 / WebView 139.x
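
The "update devices to SPL 2025-08-05" actions in the two bulletins above can be checked across a device lab with a short audit script. This is an added example, not part of the original newsletter; the function names, device serials and sample inventory are constructed, and it assumes `adb` is on the PATH when run against real devices.

```sh
#!/bin/sh
# Added example: audit lab devices against the required security patch level (SPL).
REQUIRED_SPL="2025-08-05"   # level named in the bulletins above

# Print "serial<TAB>spl" for every attached device. Needs adb on PATH.
# ro.build.version.security_patch is the Android property holding the SPL.
collect_spl() {
  adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
  while read -r serial; do
    # </dev/null stops adb from swallowing the rest of the serial list
    spl=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')
    printf '%s\t%s\n' "$serial" "$spl"
  done
}

# Read "serial<TAB>spl" lines on stdin; print the devices that still need the OTA.
# SPLs are ISO dates, so string comparison orders them correctly.
# A missing or malformed SPL is reported rather than silently passed.
stale_devices() {
  awk -F '\t' -v req="$1" '
    $2 !~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ {
      print $1 "\tUNKNOWN(" $2 ")"; next
    }
    ($2 "") < (req "") { print $1 "\t" $2 }
  '
}

# Constructed sample inventory (hypothetical serials), in collect_spl's output format.
SAMPLE_INVENTORY=$(printf '%s\t%s\n' \
  'PIXEL8-LAB01' '2025-08-05' \
  'PIXEL7-LAB02' '2025-08-01' \
  'GALAXY-LAB03' '2025-07-01' \
  'EMU-LAB04'    '')

# Demo on the sample; on a real rig use: collect_spl | stale_devices "$REQUIRED_SPL"
printf '%s\n' "$SAMPLE_INVENTORY" | stale_devices "$REQUIRED_SPL"
```

Devices at the 2025-08-01 level are flagged as well, since that level does not include the patches in the 2025-08-05 level.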

Google Play API 35 Requirement

HIGH Deadline: August 31, 2025

Apps that fail the requirement will be blocked from submission and updates. An extension is available until November 1.

Impact: Store submission, Build/Release pipeline

Actions:

  • Set targetSdkVersion=35
  • Update blocked dependencies (permissions/file access)
  • Run Android 15 compatibility tests
    • Predictive back gesture
    • Behavior changes

Test Matrix: Android 15 (API 35)

Android Studio Narwhal 2025.1.2

LOW Stable Release

New stable version for Android teams.

Optional Actions:

  • Standardize IDE/AGP version on CI
  • Sync/clean build
  • Review new AGP/lint warnings

Test Matrix: AGP/Gradle on CI


🍎 iOS

iOS/iPadOS 18.6.1 Security Update

MEDIUM Released: August 14, 2025

Latest security patch for iOS 18. CVEs not disclosed at release.

Impact: Login flows, OTP verification, 3DS authentication

Actions:

  • Update QA devices to 18.6.1
  • Run App Attest/DeviceCheck regression
  • Test WKWebView checkout performance

Test Matrix: iOS 18.6.1 / WKWebView 18.6.x


🌐 Cross-Platform

Flutter 3.35 Stable

LOW Released: August 13, 2025

New stable version. Consider upgrading cross-platform apps.

Optional Actions:

  • Check package breaking changes
  • Run flutter test on pipeline
  • Measure bundle size after upgrade

Test Matrix: Flutter 3.35 / Dart

React Native 0.79.x

LOW Branch 0.79

Bugfixes for 0.79 branch.

Optional Actions:

  • Review Android/iOS changelog
  • Run E2E Detox/QA flows
  • Check AGP/Xcode compatibility

Test Matrix: RN 0.79.x / Hermes


🛡️ Security & Tamper Detection

Frida 17.2.16

MEDIUM Released: August 12, 2025

Update to the Frida hooking tool. Adjust detection/hardening if your RASP has version-specific rules.

Impact: RASP/Hook tamper detection

Actions:

  • Update Frida test rig to 17.2.16
  • Verify injection/ptrace detection rules
  • Test anti-hook at login/KYC screens

Test Matrix: Android 14-15 / iOS 17-18


👁️ Community Watchlist

⚠️ Unverified community reports - awaiting official confirmation

Play Integrity API Changes

VOZ Report #1: Play Integrity/Integrity Box free tier only returning BASIC after Play Store update

Banking App Detection Bypasses

VOZ Report #2: MBBank detection methods and bypasses

VOZ Report #3: Magisk alpha 302 issues

VOZ Report #4: VietinBank detection patterns


Next Week

  • Android 15 compatibility testing
  • Play Integrity API monitoring
  • iOS 18.7 beta evaluation

Mobile Banking Security Weekly #1 · August 17, 2025
Questions? Contact security@yourbank.com
