Identity Abuse and Mobile Malware on the Rise

Written by Kyle Gill, Information Security Officer | Mar 5, 2026 3:00:00 PM

Exploitation continues to concentrate on edge/network management platforms (SD‑WAN, virtualization/ops tooling, remote support). Prioritize patching and monitoring of internet-facing administrative surfaces.
Identity and consent abuse is trending: OAuth redirect/device code techniques are enabling phishing and malware delivery while bypassing traditional password + MFA expectations.
Mobile remains a prime monetization vector: new Android banking trojans and exploitation toolkits targeting older iOS versions reinforce the need for timely OS updates and strong mobile controls.
Geopolitical tension increases the likelihood of disruptive activity and opportunistic fraud. Maintain heightened awareness for phishing, DDoS extortion, and credential theft.

Threat/Topic	Why it matters	Recommended Action
Cisco Catalyst SD-WAN auth bypass (CVE-2026-20127) actively exploited	Zero‑day exploitation enables compromise of SD‑WAN controllers and network manipulation.	Patch/mitigate per vendor guidance; review controller logs/config changes; restrict management access.
VMware Aria Operations RCE (CVE‑2026‑22719) added to CISA KEV as exploited	Admin/ops tooling is attractive for lateral movement; KEV addition signals active exploitation.	Patch promptly; hunt for anomalous service accounts and outbound connections; ensure least privilege.
BeyondTrust Remote Support/PRA RCE (CVE‑2026‑1731) exploitation linked to ransomware	Remote support tools provide privileged footholds and are increasingly leveraged in ransomware intrusions.	Patch/upgrade affected versions; limit internet exposure; enforce MFA/conditional access; monitor new admin sessions.
OAuth redirection abuse used for phishing/malware delivery (M365)	Attackers abuse OAuth flows to obtain tokens or redirect victims to convincing lures.	Review OAuth app consent policies; block risky redirects; monitor unusual OAuth grants and sign-ins.
Potential Iran-linked cyber retaliation environment (heightened risk)	Increased activity/claims and potential targeting of critical infrastructure and financial sector.	Increase vigilance for phishing and DDoS extortion; verify out-of-band for payment/transfer requests; review incident response readiness.

Identity & Consent Abuse (OAuth / Token Theft)

Campaigns are abusing OAuth redirection behavior to enable phishing and malware delivery.
Device-code/consent phishing can steer victims to legitimate login pages and harvest tokens for persistent access.

Threat actors are building ‘legit-looking’ software fronts (including signed binaries/certificates) to persuade organizations to install remote access tooling.
Expect more social engineering that leverages collaboration platforms and vendor branding rather than obvious malicious attachments.

Recent advisories and KEV updates highlight attackers prioritizing SD‑WAN, remote support, and admin/ops tooling.
Defensive takeaway: treat management interfaces as crown jewels; minimize exposure and continuously monitor.

‘Massiv’ Android banking trojan distributed via fake IPTV apps supports device takeover and credential theft techniques.
Android March 2026 update patches 129 vulnerabilities, including at least one exploited Qualcomm component vulnerability.

A sophisticated iPhone exploitation toolkit (‘Coruna’) uses 23 iOS vulnerabilities and has been observed in multiple campaigns.
Apple has patched affected iOS versions; risk remains for devices running older iOS versions (especially iOS 13–17.2.1)

Threat Activity Metrics

Mobile Snapshot

Be suspicious of emails or chats asking you to ‘approve’ an app, scan a QR code, or enter a one-time device code—even if the login page looks legitimate.
If prompted to grant permissions (e.g., access to mail, files, Teams), stop and verify with IT/Security. Attackers use consent screens to gain persistent access.
Watch for “too-fast” login prompts you didn’t initiate (unexpected sign-in/consent requests).
When in doubt, close the message and navigate directly to the service instead of clicking the link.

Why did the phishing email break up with the user?

Because they just weren't clicking anymore.

Prioritize patching/mitigation for exploited vulnerabilities affecting SD‑WAN, remote support tools, and admin/ops platforms.
Review OAuth consent policy and app registrations; restrict or require admin approval for high-risk permissions.
Increase monitoring for anomalous OAuth grants, suspicious guest invites, and unexpected device enrollments.
Validate mobile update compliance (iOS/Android) via MDM; quarantine noncompliant devices where feasible.

Treat unexpected Teams/SharePoint/OneDrive invites and billing/payment messages as high risk—verify via a known phone number or internal directory before acting.
Never approve an authentication prompt or consent request you did not initiate.
Keep phones updated and only install apps from official stores; avoid ‘streaming/IPTV’ apps and sideloaded packages.

Cisco Catalyst SD‑WAN zero‑day exploitation (CVE‑2026‑20127) — BleepingComputer (Feb 25, 2026)
VMware Aria Operations KEV addition (CVE‑2026‑22719) — BleepingComputer (Mar 3, 2026)
BeyondTrust CVE‑2026‑1731 ransomware exploitation update — SecurityWeek (Feb 20, 2026)
OAuth redirection abuse phishing/malware campaign — Microsoft Security Blog (Mar 2, 2026)
Android March 2026 update (129 vulnerabilities; exploited Qualcomm component) — The Hacker News (Mar 3, 2026)
Massiv Android banking trojan in fake IPTV apps — BleepingComputer (Feb 19, 2026) / The Hacker News (Feb 19, 2026)
Coruna iPhone exploitation toolkit & iVerify estimate — WIRED (Mar 3, 2026)
Teams guest invite phishing campaign stats — ITPro citing Check Point research (Feb 2026)
Ransomware victim counts for Feb 2026 — Breachsense (Mar 1, 2026)
Heightened Iran cyber retaliation risk — Axios citing CrowdStrike (Mar 4, 2026)

View full post