Ducex Android Packer Introduces Advanced Obfuscation to Shield Triada Malware
The Ducex packer represents a significant advancement in Android malware obfuscation, acting as a delivery mechanism for the long-standing Triada malware family. Researchers at ANY.NET initially discovered the malware embedded in a fake Telegram app. Ducex uses multiple layers of evasion to bypass static and dynamic analysis, including encrypted function blocks, string obfuscation, and anti-tool detection. What makes Ducex particularly dangerous is its use of a custom-modified RC4 algorithm with additional shuffling, encrypting entire libraries (such as libducex[.]so) and decrypting them only at runtime. This ensures that reverse engineers and sandboxes see little to no useful code unless the malware is fully executed. Once deployed, Triada uses its privileged access to carry out persistent infections, monetize victims through ad fraud, and install additional payloads. In addition to technical encryption barriers, Ducex also implements aggressive anti-analysis logic that actively detects popular tools such as Frida, Xposed, and Substrate. If any of these are found in memory, execution is terminated immediately to avoid detection. These features signal a broader trend toward advanced mobile malware tooling, where packers play a critical role in maintaining stealth across the infection lifecycle. For defenders, this means traditional antivirus signatures may be insufficient, and more emphasis must be placed on behavior-based and memory analysis techniques. As attackers continue refining their techniques, Ducex demonstrates how even mature threats like Triada can remain viable when paired with modern evasion frameworks.
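The runtime-decrypted library the article describes is the kind of artifact a memory- or file-based heuristic can flag. Below is an added defender-side example, not code from the article or from the researchers who analysed Ducex: a sliding-window Shannon entropy scan that marks regions of a native library that look encrypted rather than compiled. The sample blob, function names and threshold are constructed for illustration.

```python
# Added example (not from the original article or any vendor tool):
# a minimal packed-code heuristic. A library that is encrypted on disk and
# decrypted only at runtime, as described for Ducex, shows up as a run of
# near-random bytes. Per-window Shannon entropy flags such runs.
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(blob: bytes, window: int = 4096, threshold: float = 7.2):
    """Return (offset, entropy) for each window whose entropy exceeds threshold.

    Compiled ARM/x86 code usually sits around 5.5-6.8 bits/byte; encrypted
    or compressed payloads approach 8.0. The threshold is a heuristic that
    should be tuned against a corpus of known-clean libraries.
    """
    hits = []
    for off in range(0, len(blob), window):
        h = shannon_entropy(blob[off:off + window])
        if h > threshold:
            hits.append((off, round(h, 3)))
    return hits


def build_sample_blob() -> bytes:
    """Constructed stand-in for a native library: a readable, low-entropy
    region followed by a block that mimics an encrypted function block."""
    plain = (b"ELF header + string table placeholder. " * 120)[:4096]
    rng = random.Random(2024)  # deterministic so the example is reproducible
    encrypted_like = bytes(rng.getrandbits(8) for _ in range(4096))
    return plain + encrypted_like


if __name__ == "__main__":
    for off, h in high_entropy_regions(build_sample_blob()):
        print(f"suspicious window at 0x{off:x}: {h} bits/byte")
```

Entropy alone also fires on legitimately compressed resources, so in practice a hit is a trigger for memory inspection after the library has loaded, not a verdict on its own.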
eSIM Cloning Flaw Exposes Billions to Silent Phone Identity Hijacking
A serious vulnerability in eSIM technology has allowed researchers to successfully clone subscriber identities and hijack phone communications, posing an unprecedented threat to mobile security. AG Security Research demonstrated how they compromised Kigen eUICC cards—widely used in over 2 billion devices—by extracting private ECC keys and downloading mobile operator profiles from major carriers like AT&T, Vodafone, and Orange in unencrypted form. These profiles were then used to clone eSIMs and silently redirect all voice calls, text messages, and even two-factor authentication codes to attacker-controlled devices. The researchers achieved full identity hijacking without alerting the original user, proving how this exploit bypasses traditional security layers and exposes both consumers and enterprise users relying on SMS-based authentication. The attack targets a flaw in the Java Card virtual machine, specifically exploiting type confusion vulnerabilities to bypass high-level certifications and runtime security protections. The exploit can be launched either with physical access or remotely through over-the-air (OTA) channels using SMS-based provisioning. Researchers emphasized the compromise of key elements like the OPc and AMF fields—core to network authentication—as especially dangerous. A live demonstration on Orange Poland’s network showed that two separate devices could run identical eSIMs, with only the attacker receiving inbound communications. Kigen responded by issuing patches to millions of devices and enhancing type safety across Java Card instructions. At the same time, GSMA has released updated security specifications and disabled all test profiles to prevent unauthorized installations. This incident underscores the critical need for robust, end-to-end protections across the eSIM ecosystem as digital identity becomes increasingly tied to mobile infrastructure.
Top CVEs of the Week
As part of our ongoing monitoring of vulnerabilities, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.