ctipilot.ch

M365 Android debug flag (setIsDebugMode) enables silent OAuth-token theft across 6 apps

vulnerability-trend · item:m365-android-debug-flag-oauth-theft-2026

  • Coverage timeline: 1 (first 2026-06-04 → last 2026-06-04)
  • Briefs: 1 (1 distinct)
  • Sources cited: 38 (24 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-04 · CTI Daily Brief — 2026-06-04
     research · First coverage — patched May 2026; BYOD relevance

Where this entity is cited

  • research (1)

Source distribution

  • thehackernews.com: 6 (16%)
  • welivesecurity.com: 3 (8%)
  • attack.mitre.org: 3 (8%)
  • bleepingcomputer.com: 2 (5%)
  • helpnetsecurity.com: 2 (5%)
  • securityweek.com: 2 (5%)
  • source.android.com: 2 (5%)
  • osservatorionessuno.org: 2 (5%)
  • other: 16 (42%)

Related entities

All cited sources (38)

Items in briefs about M365 Android debug flag (setIsDebugMode) enables silent OAuth-token theft across 6 apps (5)

Enclave: a single debug flag left on in six Microsoft 365 Android apps allowed silent OAuth-token theft

From CTI Daily Brief — 2026-06-04 · published 2026-06-04

Researchers at Enclave found that a shared Android SDK used by six Microsoft 365 apps shipped with setIsDebugMode(true) in production, disabling the AccountManager check that restricts token sharing to trusted Microsoft apps — so any co-installed third-party app could silently obtain long-lived OAuth tokens for the signed-in Microsoft identity with no prompt (SecurityWeek, 2026-06-02 · The Hacker News, 2026-06-03). Affected: Word (CVE-2026-41101), PowerPoint (CVE-2026-41102), Excel (CVE-2026-42832), Microsoft 365 Copilot (CVE-2026-41100), Loop and OneNote — collectively billions of installs; Teams was unaffected because its flag was correctly set to false. The tokens granted read/write access to Exchange mail, OneDrive and Calendar. Microsoft fixed all six in the 12 May 2026 cycle; no in-the-wild exploitation was reported before the patch. Enforce minimum-version compliance for these apps via Intune/MDM on BYOD fleets and, where logs exist, review AccountManager token requests originating from non-Microsoft packages.

CVE-2025-48595 — Android Framework: actively-exploited integer-overflow privilege escalation

From CTI Daily Brief — 2026-06-03 · published 2026-06-03

Google's June 2026 Android Security Bulletin patches CVE-2025-48595, a High-severity integer overflow in the Android Framework component that Google reports is under "limited, targeted exploitation" (Android Security Bulletin, 2026-06-01). The bug gives a local attacker — typically a malicious app already on the device — privilege escalation with no user interaction and no prior privileges, reaching system-level code execution across Android 14, 15, 16 and 16-QPR2 (BleepingComputer, 2026-06-02). The "limited, targeted" descriptor and the Framework location are, in our assessment, consistent with the historical pattern of commercial-spyware operators weaponising Framework LPEs against high-value targets — but no cited source attributes this specific case; the full fix requires reaching the 2026-06-05 patch level, which also carries chipset fixes from Qualcomm, MediaTek, Imagination and Unisoc (Android Security Bulletin, 2026-06-01). Defenders managing Android fleets: push the 2026-06-05 patch level via MDM/EMM and gate non-compliant devices via Security-Patch-Level compliance policy; disable sideloading and restrict installs to managed stores; this is doubly relevant for Swiss federal device fleets given the G7 Évian travel window (§ 1).

CVE Summary Table

A third actively-exploited CVE added to KEV this window — CVE-2022-0492, a Linux cgroup-v1 release_agent container escape — is covered in full in today's deep dive (§ 5).

CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source
CVE-2024-21182 | Oracle WebLogic Server, versions 12.2.1.4.0 / 14.1.1.0.0 | 7.5 | high | yes (2026-06-01) | yes — unauth T3/IIOP | Oracle CPU Jul 2024 | THN
CVE-2025-48595 | Android Framework (14/15/16/16-QPR2) | High | n/a | yes (2026-06-02) | yes — limited, targeted | 2026-06-05 patch level | Android Bulletin
CVE-2022-0492 | Linux kernel cgroup v1 (< 5.17) | 7.0 | n/a | yes (2026-06-02) | yes — container escape | kernel 5.17+ / distro backport | CISA

WatchGuard documents Grandoreiro's Delphi-DLL-side-loading + WebSocket/STUN C2 against Portuguese & Spanish banks; ESET maps parallel Android BTMOB MaaS

From CTI Daily Brief — 2026-05-29 · published 2026-05-29

WatchGuard's Secplicity team published telemetry on 2026-05-26 covering a sustained 2026 Grandoreiro banking-trojan campaign against banks in Portugal and Spain (and across Latin America). The campaign deploys Delphi-11-compiled DLLs through DLL side-loading against four abused legitimate signed binaries; the Grandoreiro core has been re-tooled to use the sgcWebSockets library for command-and-control, with STUN and ICE protocols enabling NAT traversal — C2 traffic blends in with web-conferencing data and bypasses standard protocol-inspection rules. WatchGuard names Abanca, Banco de Portugal, BBVA PT, Caixa Geral de Depósitos, Santander, Revolut and Wise as targeted institutions. A parallel Latin American mobile-banking strand: ESET WeLiveSecurity documents BTMOB, an Android RAT (evolved from SpySolr) sold as malware-as-a-service and targeting users in Brazil and Argentina. BTMOB requests Accessibility Service permissions and uses them for full device takeover — HTML-injected overlay phishing, keylogging and on-demand screen recording. The Hacker News provides a combined write-up of the WatchGuard and ESET coverage.

Finance — Iberian retail-banking pressure from Grandoreiro plus a parallel Android MaaS

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

WatchGuard documented a Grandoreiro campaign abusing Delphi DLL side-loading across four different software packages, with WebSocket/STUN C2, against banks in Portugal and Spain; ESET mapped a parallel BTMOB Android RAT delivered as malware-as-a-service against the same Iberian banking customers via HTML injection and Accessibility Service abuse (2026-05-29). The pattern for EU financial-sector defenders is the desktop-plus-mobile pincer from LATAM-origin operators sustaining European targeting: DLL-side-loading detection on the endpoint and Accessibility-Service-abuse heuristics on managed mobile fleets address the two halves.

TrickMo "TrickMo C" — Android banking trojan migrates C2 to The Open Network blockchain, adds SOCKS5 / SSH device-as-pivot

From CTI Daily Brief — 2026-05-13 · published 2026-05-13

ThreatFabric's 2026-05-11 research identifies a substantially redesigned TrickMo variant active across January–February 2026 in campaigns against banking and fintech users in France, Italy and Austria (ThreatFabric, 2026-05-11; The Hacker News, 2026-05-12; Security Affairs, 2026-05-12). The C2 architecture has migrated off conventional DNS / IP infrastructure: the host APK embeds a native TON (The Open Network) proxy that starts on a loopback port at process launch, and all C2 HTTP requests address .adnl hostnames resolved inside the TON decentralised overlay. That design defeats traditional domain-takedown and DNS-based blocklisting — operator endpoints exist as TON identities inside a permissionless overlay rather than at a controllable DNS or IP. Beyond the banking-trojan core (accessibility-service device takeover, fake overlay login pages, SMS / OTP interception, mapped to T1517 Access Notifications), TrickMo C adds a network-reconnaissance subsystem via five operator commands (curl, dnslookup, ping, telnet, traceroute) and an SSH tunnel + authenticated SOCKS5 proxy — turning infected Android devices into programmable network pivots so operators can route abuse traffic from the victim's IP space and defeat IP-reputation fraud detection on banking and crypto-exchange platforms. Mapped to T1090.001 Proxy: Internal Proxy for the SOCKS5 mode. Droppers masquerade as TikTok variants distributed via Facebook ads; the final payload impersonates Google Play Services. Dormant code includes the Pine hooking framework and NFC permissions, suggesting contactless-payment interception is in development.

Defender takeaway: The relevant change for an EU defender is the C2 transport: blocking TON traffic at the corporate gateway is non-trivial because TON shares the standard internet routes; on the behaviour side, detect Android devices that start the TON loopback proxy and that issue outbound connections to non-corporate SOCKS5 / SSH ports under unusual entitlements. Public-sector implication: government-issued Android or BYOD devices that access banking, tax, or e-government services should be scoped under MDM policies that block sideloaded APKs from social-media link-outs and forbid sideloaded TikTok look-alikes. Mapped to T1422 System Network Configuration Discovery and T1437.001 Application Layer Protocol: Web Protocols.
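The outbound half of the takeaway above (managed devices reaching SSH or SOCKS5 ports outside corporate address space) can be checked over a per-device connection export. The following is an added example written for this page, not code from ThreatFabric or from the brief; it assumes a hypothetical whitespace-separated export format (device_id, dst_ip, dst_port, proto), constructed sample records, and constructed corporate ranges (10.0.0.0/8 and 203.0.113.0/24). The loopback-proxy signal is host-side and is not visible in such an export, so it is deliberately out of scope here.

```python
import ipaddress
from collections import defaultdict

# Assumption (not from the brief): this fleet's corporate address space.
# Only SSH / SOCKS5 destinations OUTSIDE these ranges are treated as pivot indicators;
# an admin SSH session to an internal host is expected and must not alert.
CORPORATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Ports the brief names for the device-as-pivot mode (SSH tunnel, SOCKS5 proxy).
PIVOT_PORTS = {22: "ssh", 1080: "socks5"}

# Constructed sample export in a hypothetical format: one outbound connection per line,
# fields: device_id dst_ip dst_port proto. The last line is deliberately malformed.
SAMPLE_FLOWS = """\
dev-001 203.0.113.10 443 tcp
dev-001 198.51.100.23 1080 tcp
dev-001 198.51.100.23 22 tcp
dev-002 10.20.30.40 22 tcp
dev-002 142.250.0.1 443 tcp
dev-003 198.51.100.77 443 tcp
dev-004 not-an-ip 22 tcp
"""


def parse_flows(text):
    """Parse the constructed export into dicts; malformed lines are skipped, not fatal,
    so one bad record cannot abort a fleet-wide review."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        device_id, dst_ip, dst_port, proto = parts
        try:
            flows.append({
                "device_id": device_id,
                "dst_ip": ipaddress.ip_address(dst_ip),
                "dst_port": int(dst_port),
                "proto": proto.lower(),
            })
        except ValueError:
            continue  # unparsable IP or port
    return flows


def is_corporate(ip):
    """True when the destination lies inside the (assumed) corporate ranges."""
    return any(ip in net for net in CORPORATE_NETS)


def flag_pivot_devices(flows):
    """Return {device_id: [(dst_ip, dst_port, service), ...]} for every device that
    reached an SSH or SOCKS5 port outside the corporate ranges over TCP."""
    hits = defaultdict(set)
    for f in flows:
        service = PIVOT_PORTS.get(f["dst_port"])
        if service is None or f["proto"] != "tcp" or is_corporate(f["dst_ip"]):
            continue
        hits[f["device_id"]].add((str(f["dst_ip"]), f["dst_port"], service))
    # Deterministic ordering (by port, then destination) for reporting and diffing.
    return {dev: sorted(entries, key=lambda e: (e[1], e[0])) for dev, entries in hits.items()}


if __name__ == "__main__":
    for device, entries in flag_pivot_devices(parse_flows(SAMPLE_FLOWS)).items():
        for dst_ip, port, service in entries:
            print(f"{device}: {service} to non-corporate {dst_ip}:{port}")
```

On the sample data only dev-001 is flagged (both SSH and SOCKS5 to the same external host); dev-002's SSH connection goes to an internal address and is ignored by design. In practice, correlate a hit with the device's installed-package inventory from MDM, since the brief's droppers masquerade as TikTok variants and the payload as Google Play Services.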