Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Android. Show all posts
social engineering attacks
Android Android Spyware Cloud Infrastructure Abuse Hugging Face Abuse malware Mobile Credential Theft Mobile Security Threats Remote Access Trojan social engineering attacks

Threat Actors Leverage Hugging Face to Spread Android Malware at Scale


 

Initially appearing as a routine security warning for mobile devices, this warning has evolved into a carefully engineered malware distribution pipeline. Researchers at Bitdefender have identified an Android campaign utilizing counterfeit security applications that serve as the first stage droppers for remote access Trojans, known as TrustBastion. 

The operators have opted not to rely on traditional malware hosting infrastructure, but have incorporated their delivery mechanism into Hugging Face's public platform, allowing it to conceal malicious activity through its reputation and traffic profile. 

Social engineering is used to drive the infection chain, with deceptive ads and fabricated threat alerts causing users to install the malware. The app silently retrieves a secondary payload from Hugging Face once it has been installed on the device, providing persistence via extensive permission abuse. 

At scale, the campaign is distinguished by a high degree of automation, resulting in thousands of distinct Android package variants, thereby evading signature-based detection and complicating attribution, thus demonstrating the shift toward a more industrialized approach to mobile malware. 

Using this initial foothold as a starting point, the campaign illustrates how trusted developer infrastructure can be repurposed to support a large-scale theft of mobile credentials. As a consequence, threat actors have been using Hugging Face as a distribution channel for thousands of distinct Android application packages that were designed to obtain credentials related to widely used financial, banking, and digital payment services.

Generally, Hugging Face is regarded as a low-risk domain, meaning that automated security controls and suspicion from users are less likely to be triggered by this site's hosting and distribution of artificial intelligence, natural language processing, and machine learning models.

Despite the fact that the platform has previously been abused to host malicious AI artifacts, Bitdefender researchers point out that its exploitation as a delivery channel for Android malware constitutes an intentional attempt to disguise the payload as legitimate development traffic. It has been determined that the infection sequence begins with the installation of an application disguised as a mobile security solution known as TrustBastion. 

Using scareware-style advertisements, the app presents fake warnings claiming that the device has been compromised, urging immediate installation to resolve alleged threats, including phishing attempts, fraudulent text messages, and malware. 

Upon deployment, the application displays a mandatory update prompt which is closely similar to that of Google Play, thereby reinforcing the illusion of legitimacy. In lieu of embedding malicious code directly, the dropper contacts infrastructure associated with the trustbastion[.]com domain, which redirects the user to a repository containing Hugging Face datasets. 

After retrieving the final malicious APK via Hugging Face's content delivery network, the attackers complete a staged payload delivery process that complicates detection and allows them to continuously rotate malware variants with minimal operational overhead, complicating detection. This stage demonstrates why Hugging Face was purposefully integrated into the attacker's delivery chain during this phase of the operation. 

It is common for security controls to flag traffic from newly registered or low-reputation domains quickly, causing threat actors to route malicious activity through well-established platforms that blend into normal network behavior, resulting in the use of well-established platforms.

TrustBastion droppers are not designed to retrieve spyware directly from attacker-controlled infrastructure in this campaign. Rather than hosting the malware itself, it initiates a request to a website associated with the trustbastion[. ]com domain, which serves as an intermediary rather than as a hosting point for it.

The server response does not immediately deliver a malicious application package. The server returns a HTML resource that contains a redirect link to a Hugging Face repository where the actual malware can be found. By separating the initial contact point from the final malware host, the attackers introduce additional indirection, which makes static analysis and takedown efforts more challenging. 

According to Bitdefender, the malicious datasets were removed after being notified by Hugging Face before publication of its findings. Telemetry indicates the campaign had already reached a significant number of victims before the infrastructure was dismantled, despite the swift response. Furthermore, analysis of the repositories revealed unusually high levels of activity over a short period of time. 

A single repository accumulated over 6,000 commits within a month, indicating that it was fully automated. A new payload was generated and committed approximately every 15 minutes, according to Bitdefender. A number of repositories were taken offline during the campaign, but the campaign displayed resilience by reappearing under alternative redirect links, using the same core codebase and only minor cosmetic changes to the icons and application metadata. 

The operators further undermined traditional defense effectiveness by utilizing polymorphic techniques throughout the payloads they used. The uploaded APKs were freshly constructed, retaining identical malicious capabilities while introducing small structural changes intended to defeat hash-based detection. 

It was noted by Bitdefender that this approach increased evasion against signature-driven tools, but that the malware variants maintained consistent behavioral patterns, permission requests, and network communication traits, which made them more susceptible to behavioral and heuristic analysis in the future. 

After installation, the malware presents itself as a benign "Phone Security" feature and guides users through the process of enabling Android Accessibility Services. This step allows the remote access trojan to obtain extensive information about user activity and on-screen activity. In order to monitor activity in real time, capture sensitive screen content, and relay information to the malware's command and control servers, additional permissions are requested. 

By impersonating legitimate financial and payment applications, such as Alipay and WeChat, this malware enhances the threat. By intercepting credentials and collecting lock-screen verification information, it becomes a full-spectrum tool to collect credentials and spy on mobile devices. 

In a defensive perspective, this campaign reminds us that trust in popular platforms can be strategically exploited if security assumptions are not challenged. By combining legitimate developer infrastructure abuse with high levels of automation and polymorphic payload generation, traditional indicators alone cannot detect these types of attacks. 

For Bitdefender's users, the findings reinforce the importance of identifying such threats earlier in the infection chain through behavioral analysis, permission monitoring, and anomaly-based network inspection. Users are advised to take precautions when responding to unsolicited security alerts or applications requesting extensive system privileges based on the findings.

Additionally, the operation highlights the growing adoption of cloud-native distribution models by malicious mobile malware actors, emphasizing the importance of platform providers, security vendors, and enterprises collaborating more closely to monitor abuse patterns and respond quickly to emerging misuses of trusted ecosystems.
Read more »
zero click
Android Apple Cyber Security Google iPhone Meta Spyware zero click

What Happens When Spyware Hits a Phone and How to Stay Safe

 



Although advanced spyware attacks do not affect most smartphone users, cybersecurity researchers stress that awareness is essential as these tools continue to spread globally. Even individuals who are not public figures are advised to remain cautious.

In December, hundreds of iPhone and Android users received official threat alerts stating that their devices had been targeted by spyware. Shortly after these notifications, Apple and Google released security patches addressing vulnerabilities that experts believe were exploited to install the malware on a small number of phones.

Spyware poses an extreme risk because it allows attackers to monitor nearly every activity on a smartphone. This includes access to calls, messages, keystrokes, screenshots, notifications, and even encrypted platforms such as WhatsApp and Signal. Despite its intrusive capabilities, spyware is usually deployed in targeted operations against journalists, political figures, activists, and business leaders in sensitive industries.

High-profile cases have demonstrated the seriousness of these attacks. Former Amazon chief executive Jeff Bezos and Hanan Elatr, the wife of murdered Saudi dissident Jamal Khashoggi, were both compromised through Pegasus spyware developed by the NSO Group. These incidents illustrate how personal data can be accessed without user awareness.

Spyware activity remains concentrated within these circles, but researchers suggest its reach may be expanding. In early December, Google issued threat notifications and disclosed findings showing that an exploit chain had been used to silently install Predator spyware. Around the same time, the U.S. Cybersecurity and Infrastructure Security Agency warned that attackers were actively exploiting mobile messaging applications using commercial surveillance tools.

One of the most dangerous techniques involved is known as a zero-click attack. In such cases, a device can be infected without the user clicking a link, opening a message, or downloading a file. According to Malwarebytes researcher Pieter Arntz, once infected, attackers can read messages, track keystrokes, capture screenshots, monitor notifications, and access banking applications. Rocky Cole of iVerify adds that spyware can also extract emails and texts, steal credentials, send messages, and access cloud accounts.

Spyware may also spread through malicious links, fake applications, infected images, browser vulnerabilities, or harmful browser extensions. Recorded Future’s Richard LaTulip notes that recent research into malicious extensions shows how tools that appear harmless can function as surveillance mechanisms. These methods, often associated with nation-state actors, are designed to remain hidden and persistent.

Governments and spyware vendors frequently claim such tools are used only for law enforcement or national security. However, Amnesty International researcher Rebecca White states that journalists, activists, and others have been unlawfully targeted worldwide, using spyware as a method of repression. Thai activist Niraphorn Onnkhaow was targeted multiple times during pro-democracy protests between 2020 and 2021, eventually withdrawing from activism due to fears her data could be misused.

Detecting spyware is challenging. Devices may show subtle signs such as overheating, performance issues, or unexpected camera or microphone activation. Official threat alerts from Apple, Google, or Meta should be treated seriously. Leaked private information can also indicate compromise.

To reduce risk, Apple offers Lockdown Mode, which limits certain functions to reduce attack surfaces. Apple security executive Ivan Krstić states that widespread iPhone malware has not been observed outside mercenary spyware campaigns. Apple has also introduced Memory Integrity Enforcement, an always-on protection designed to block memory-based exploits.

Google provides Advanced Protection for Android, enhanced in Android 16 with intrusion logging, USB safeguards, and network restrictions.

Experts recommend avoiding unknown links, limiting app installations, keeping devices updated, avoiding sideloading, and restarting phones periodically. However, confirmed infections often require replacing the device entirely. Organizations such as Amnesty International, Access Now, and Reporters Without Borders offer assistance to individuals who believe they have been targeted.

Security specialists advise staying cautious without allowing fear to disrupt normal device use.

Read more »
malware
Aisuru Android Botnets IP Address malware

Researchers Disrupt Major Botnet Network After It Infects Millions of Android Devices

 


Security researchers have dismantled a substantial portion of the infrastructure powering the Kimwolf and Aisuru botnets, cutting off communication to more than 550 command-and-control servers used to manage infected devices. The action was carried out by Black Lotus Labs, the threat intelligence division of Lumen Technologies, and began in early October 2025.

Kimwolf and Aisuru operate as large-scale botnets, networks of compromised devices that can be remotely controlled by attackers. These botnets have been used to launch distributed denial-of-service attacks and to route internet traffic through infected devices, effectively turning them into unauthorized residential proxy nodes.

Kimwolf primarily targets Android systems, with a heavy concentration on unsanctioned Android TV boxes and streaming devices. Prior technical analysis showed that the malware is delivered through a component known as ByteConnect, which may be installed directly or bundled into applications that come preloaded on certain devices. Once active, the malware establishes persistent access to the device.

Researchers estimate that more than two million Android devices have been compromised. A key factor enabling this spread is the exposure of Android Debug Bridge services to the internet. When left unsecured, this interface allows attackers to install malware remotely without user interaction, enabling rapid and large-scale infection.

Follow-up investigations revealed that operators associated with Kimwolf attempted to monetize the botnet by selling access to the infected devices’ internet connections. Proxy bandwidth linked to compromised systems was offered for sale, allowing buyers to route traffic through residential IP addresses in exchange for payment.

Black Lotus Labs traced parts of the Aisuru backend to residential SSH connections originating from Canadian IP addresses. These connections were used to access additional servers through proxy infrastructure, masking malicious activity behind ordinary household networks. One domain tied to this activity briefly appeared among Cloudflare’s most accessed domains before being removed due to abuse concerns.

In early October, researchers identified another Kimwolf command domain hosted on infrastructure linked to a U.S.-based hosting provider. Shortly after, independent reporting connected multiple proxy services to a now-defunct Discord server used to advertise residential proxy access. Individuals associated with the hosting operation were reportedly active on the server for an extended period.

During the same period, researchers observed a sharp increase in Kimwolf infections. Within days, hundreds of thousands of new devices were added to the botnet, with many of them immediately listed for sale through a single residential proxy service.

Further analysis showed that Kimwolf infrastructure actively scanned proxy services for vulnerable internal devices. By exploiting configuration flaws in these networks, the malware was able to move laterally, infect additional systems, and convert them into proxy nodes that were then resold.

Separate research uncovered a related proxy network built from hundreds of compromised home routers operating across Russian internet service providers. Identical configurations and access patterns indicated automated exploitation at scale. Because these devices appear as legitimate residential endpoints, malicious traffic routed through them is difficult to distinguish from normal consumer activity.

Researchers warn that the abuse of everyday consumer devices continues to provide attackers with resilient, low-visibility infrastructure that complicates detection and response efforts across the internet.

Read more »
Technology
Android app pinning guided access iphone iPhone lock apps phone snooping smartphone privacy Technology

This Built-In Android and iPhone Feature Lets You Share Your Phone Safely

 


Handing your phone to someone, even briefly, can expose far more than intended. Whether it is to share a photo, allow a quick call, or let a child watch a video, unrestricted access can put personal data at risk. To address this, both Android and iPhone offer built-in privacy features that limit access to a single app. Android calls this App Pinning, while Apple uses "Guided Access", allowing you to share your screen safely while keeping the rest of your phone locked.

Your smartphone holds far more than just apps. It contains banking details, private messages, location history, emails, and photos you may not want others to see. Even a quick glance at your home screen can reveal which banks you use or who you communicate with. This is why unrestricted access, even for a moment, can put your privacy and identity at risk. Handing over your phone without restrictions—especially to a stranger—is never a good idea.

There are many everyday situations where this feature becomes useful. A child may want to watch a YouTube video, but you do not want them opening emails or messages. A stranger may need to make a call in an emergency, but nothing beyond that. Even a friend doing a quick Google search does not need access to your search history or other apps. App Pinning and "Guided Access" make sure the phone stays exactly where you want it.

On Android, enabling App Pinning is simple. Head to Settings, search for “App Pinning,” and turn it on. Make sure authentication is required to exit the pinned app. Once enabled, open the app you want to share, go to the recent apps view, tap the app icon, and select Pin. The phone will stay locked to that app until you authenticate. To exit, swipe up and hold, then unlock using your PIN, password, or biometrics.

iPhone users can achieve the same result using "Guided Access". This feature lives under Settings → Accessibility. After setup, it can be activated by triple-clicking the power button. Open the app you want to share, triple-click the power button, and hand over the phone. When finished, triple-click again and authenticate with Face ID, Touch ID, or a passcode to return to normal use.

One limitation exists when sharing photos on both platforms. If you pin the Photos app, the other person can still swipe through your gallery. On iOS, this can be fixed by disabling touch input from the "Session Settings" menu when starting "Guided Access". Android, however, does not currently allow disabling touch during App Pinning, which means extra caution is needed when sharing photos.

The takeaway is simple: never hand your phone to someone without locking it to a single app first. App Pinning on Android and "Guided Access" on iOS are easy to use and extremely effective at protecting your privacy, keeping prying eyes away from your personal data.
Read more »
Technology
Android Artificial Intelligence Contextual AI Google Google Pixel Technology

Google Testing ‘Contextual Suggestions’ Feature for Wider Android Rollout

 



Google is reportedly preparing to extend a smart assistance feature beyond its Pixel smartphones to the wider Android ecosystem. The functionality, referred to as Contextual Suggestions, closely resembles Magic Cue, a software feature currently limited to Google’s Pixel 10 lineup. Early signs suggest the company is testing whether this experience can work reliably across a broader range of Android devices.

Contextual Suggestions is designed to make everyday phone interactions more efficient by offering timely prompts based on a user’s regular habits. Instead of requiring users to manually open apps or repeat the same steps, the system aims to anticipate what action might be useful at a given moment. For example, if someone regularly listens to a specific playlist during workouts, their phone may suggest that music when they arrive at the gym. Similarly, users who cast sports content to a television at the same time every week may receive an automatic casting suggestion at that familiar hour.

According to Google’s feature description, these suggestions are generated using activity patterns and location signals collected directly on the device. This information is stored within a protected, encrypted environment on the phone itself. Google states that the data never leaves the device, is not shared with apps, and is not accessible to the company unless the user explicitly chooses to share it for purposes such as submitting a bug report.

Within this encrypted space, on-device artificial intelligence analyzes usage behavior to identify recurring routines and predict actions that may be helpful. While apps and system services can present the resulting suggestions, they do not gain access to the underlying data used to produce them. Only the prediction is exposed, not the personal information behind it.

Privacy controls are a central part of the feature’s design. Contextual data is automatically deleted after 60 days by default, and users can remove it sooner through a “Manage your data” option. The entire feature can also be disabled for those who prefer not to receive contextual prompts at all.

Contextual Suggestions has begun appearing for a limited number of users running the latest beta version of Google Play Services, although access remains inconsistent even among beta testers. This indicates that the feature is still under controlled testing rather than a full rollout. When available, it appears under Settings > Google or Google Services > All Services > Others.

Google has not yet clarified which apps support Contextual Suggestions. Based on current observations, functionality may be restricted to system-level or Google-owned apps, though this has not been confirmed. The company also mentions the use of artificial intelligence but has not specified whether older or less powerful devices will be excluded due to hardware limitations.

As testing continues, further details are expected to emerge regarding compatibility, app support, and wider availability. For now, Contextual Suggestions reflects Google’s effort to balance convenience with on-device privacy, while cautiously evaluating how such features perform across the diverse Android ecosystem.

Read more »
Mobile Security Tools
Android Android Smartphone cybersecurity breaches Cybersecurity measures iOS Mobile Security Mobile Security Tools

Swiss Startup Soverli Introduces a Sovereign OS Layer to Secure Smartphones Beyond Android and iOS

 

A Swiss cybersecurity startup, Soverli, has introduced a new approach to mobile security that challenges how smartphones are traditionally protected. Instead of relying solely on Android or iOS, the company has developed a fully auditable sovereign operating system layer that can run independently alongside existing mobile platforms. The goal is to ensure that critical workflows remain functional even if the underlying operating system is compromised, without forcing users to abandon the convenience of modern smartphones. 

Soverli’s architecture allows multiple operating systems to operate simultaneously on a single device, creating a hardened environment that is logically isolated from Android or iOS. This design enables organizations to maintain operational continuity during cyber incidents, misconfigurations, or targeted attacks affecting the primary mobile OS. By separating critical applications into an independent software stack, the platform reduces reliance on the security posture of consumer operating systems alone. 

Early adoption of the technology is focused on mission-critical use cases, particularly within the public sector. Emergency services, law enforcement agencies, and firefighting units are among the first groups testing the platform, where uninterrupted communication and system availability are essential. By isolating essential workflows from the main operating system, these users can continue operating even if Android experiences failures or security breaches. The same isolation model is also relevant for journalists and human rights workers, who face elevated surveillance risks and require secure communication channels that remain protected under hostile conditions.  

According to Soverli’s leadership, the platform represents a shift in how mobile security is approached. Rather than assuming that the primary operating system will always remain secure, the company’s model is built around resilience and continuity. The sovereign layer is designed to stay operational even when Android is compromised, while still allowing users to retain the familiar smartphone experience they expect. Beyond government and critical infrastructure use cases, the platform is gaining attention from enterprises exploring secure bring-your-own-device programs. 

The technology allows employees to maintain a personal smartphone environment alongside a tightly controlled business workspace. This separation helps protect sensitive corporate data without intruding on personal privacy or limiting device functionality. The system integrates with mobile device management tools and incorporates auditable verification mechanisms to strengthen identity protection and compliance. The underlying technology was developed over four years at ETH Zurich and does not require specialized hardware modifications. 

Engineers designed the system to minimize the attack surface for sensitive applications while encrypting data within the isolated operating system. Users can switch between Android and the sovereign environment in milliseconds, balancing usability with enhanced security. Demonstrations have shown secure messaging applications operating inside the sovereign layer, remaining confidential even if the main OS is compromised. Soverli’s approach aligns with Europe’s broader push toward digital sovereignty, particularly in areas where governments and enterprises demand auditable and trustworthy infrastructure. 

Smartphones, often considered a weak link in enterprise security, are increasingly being re-evaluated as platforms capable of supporting sovereign-grade protection without sacrificing usability. Backed by $2.6 million in pre-seed funding, the company plans to expand its engineering team, deepen partnerships with device manufacturers, and scale integrations with enterprise productivity tools. Investors believe the technology could redefine mobile security expectations, positioning smartphones as resilient platforms capable of operating securely even in the face of OS-level compromise.
Read more »
SeedSnatcher
Android ClayRat FvncBot malware SeedSnatcher

New Android Malware SeedSnatcher and FvncBot Found By Experts


New Android malware found

Researchers have revealed details of two Android malware strains called SeedSnatcher and FvncBot. Upgraded version of ClayRat was also found in the wild. 

About the malware 

FvncBot works as a security app built by mBank and attacks mobile banking users in Poland. The malware is written from scratch and is different from other banking trojans such as ERMAC whose source codes have been leaked.

According to Intel 471, the malware "implemented multiple features including keylogging by abusing Android's accessibility services, web-inject attacks, screen streaming and hidden virtual network computing (HVNC) to perform successful financial fraud."

Like the Albiriox banking malware, this trojan is shielded by a service called apk0day that Golden Crypt offers.

Attack tactic 

After the dropper app is launched, users are asked to download a Google Play component for security of the app. But in reality, it deploys the malware via session-based approach which other actors adopt to escape accessibility restrictions on Android devices version 13 and above.

According to Intel 471, "During the malware runtime, the log events were sent to the remote server at the naleymilva.it.com domain to track the current status of the bot." After this, the malware asks victims for accessibility services permission, it then gets privileges and connects to an external server. 

Malware capabilities 

FvncBot also triggers a text mode to analyze the device screen layout and content even in cases where an app doesn't allow screenshots by setting the FLAG_SECURE option. 

Experts don't yet know how FvncBot is getting widespread, but Android banking trojans leverage third-party app stores and SMS phishing as a distribution vector. 

According to Intel 471, "Android's accessibility service is intended to aid users with disabilities, but it also can give attackers the ability to know when certain apps are launched and overwrite the screen's display." 

The firm added that the sample was built to "target Polish-speaking users, it is plausible we will observe this theme shifting to target other regions or to impersonate other Polish institutions."


Beyond the immediate threat to banking and cryptocurrency users, the emergence of FvncBot, SeedSnatcher, and the upgraded ClayRat underscores a troubling evolution in mobile-malware design: an increasing shift toward “full-device takeover” rather than mere credential theft. By exploiting legitimate features, such as Android’s accessibility services, screen-streaming APIs, and overlay permissions, these trojans can invisibly hijack almost every function of a smartphone: logging keystrokes, intercepting SMS-delivered 2FA codes, capturing screen contents even when apps try to block screenshots, and executing arbitrary commands as though the real user were interacting with the device. 

This marks a new class of threat in which a compromised phone becomes a proxy tool for remote attackers: they don’t just steal data, they can impersonate the user, conduct fraudulent transactions, or monitor every digital activity. Hence, users worldwide, not only in Poland or crypto-heavy regions, must remain vigilant: the architecture these threats use is platform-wide, not region-specific, and could easily be repurposed for broader global campaigns.
Read more »
Spyware
Android Cyber Phishing Financial Data iOS malware Personal Information Spyware

How To Tell If Spyware Is Hiding On Your Phone And What To Do About It

 



Your smartphone stores personal conversations, financial data, photos, and daily movements. This concentration of information makes it attractive to attackers who rely on spyware. Spyware is malicious software that pretends to be a useful app while silently collecting information. It can arrive through phishing messages, deceptive downloads, fake mobile tools, or through legitimate apps that receive harmful updates. Even monitoring tools designed for parents or employers can be misused to track someone without their knowledge.

Spyware exists in multiple forms. One common category is nuisanceware, which appears with legitimate apps and focuses on showing unwanted ads, altering browser settings, and gathering browsing data for advertisers. Although it does not usually damage the device, it still disrupts user activity and profits from forced ad interactions. Broader mobile spyware goes further by pulling system information, clipboard content, login credentials, and data linked to financial accounts. These threats rely on tricking users through harmful emails, unsafe attachments, social media links, fake text messages, or direct physical access.

A more aggressive class of spyware overlaps with stalkerware and can monitor nearly every action on a victim’s device. These tools read messages across different platforms, intercept calls, capture audio from the environment, trigger the camera, take screenshots, log keystrokes, track travel routes, and target social media platforms. They are widely associated with domestic abuse because they allow continuous surveillance of a person’s communication and location. At the highest end is commercial spyware sold to governments. Tools like Pegasus have been used against journalists, activists, and political opponents, although everyday users are rarely targeted due to the high cost of these operations.

There are several early signs of an attempted spyware install. Strange emails, unexpected social media messages, or SMS alerts urging you to click a link are often the first step. Attackers frequently use urgent language to pressure victims into downloading malicious files, including fake delivery notices or warnings framed as bank or tax office messages. Sometimes these messages appear to come from a trusted contact. Stalkerware may require physical access, which means a phone that briefly goes missing and returns with new settings or apps could have been tampered with.

Once spyware is installed, your phone may behave differently. Rapid battery drain, overheating, sudden reboots, location settings turning on without reason, or a sharp increase in mobile data use can indicate that data is being transmitted secretly. Some variants can subscribe victims to paid services or trigger unauthorized financial activity. Even harmless apps can turn malicious through updates, so new problems after installing an app deserve attention.

On Android devices, users can review settings that control installations from outside official stores. This option usually appears in Settings > Security > Allow unknown sources, although the exact location depends on the manufacturer. Another path to inspect is Apps > Menu > Special Access > Install unknown apps, which lists anything permitted to install packages. This check is not completely reliable because many spyware apps avoid appearing in the standard app view.

Some spyware hides behind generic names and icons to blend in with normal tools such as calculators, calendars, utilities, or currency converters. If an unfamiliar app shows up, running a quick search can help determine whether it belongs to legitimate software.

For iPhones that are not jailbroken, infection is generally harder unless attackers exploit a zero-day or an unpatched flaw. Risks increase when users delay firmware updates or do not run routine security scans. While both platforms can show signs of compromise, sophisticated spyware may remain silent.

Some advanced surveillance tools operate without leaving noticeable symptoms. These strains can disguise themselves as system services and limit resource use to avoid attention.

Removing spyware is challenging because these tools are designed to persist. Most infections can be removed, but some cases may require a full device reset or, in extreme scenarios, replacing the device. Stalkerware operators may also receive alerts when their access is disrupted, and a sudden halt in data flow can signal removal.

If removing spyware could put someone at physical risk, they should avoid tampering with the device and involve law enforcement or relevant support groups.

Several approaches can help remove mobile spyware:

1. Run a malware scan: Reputable mobile antivirus tools can detect many common spyware families, though they may miss advanced variants.

2. Use dedicated removal tools: Specialized spyware removal software can help, but it must only be downloaded from trusted sources to avoid further infection.

3. Remove suspicious apps: Reviewing installed applications and deleting anything unfamiliar or unused may eliminate threats.

4. Check device administrator settings: Spyware may grant itself administrator rights. If such apps cannot be removed normally, a factory reset might be necessary.

5. Boot into Safe Mode: Safe Mode disables third-party apps temporarily, making removal easier, though advanced spyware may still persist.

6. Update the operating system: Patches often close security gaps that spyware relies on.


After discovering suspicious activity, users should take additional security steps. First, change passwords and enable biometrics: Resetting passwords on a separate device and enabling biometric locks strengthens account and device security. Secondly, create a new email address: A private email account can help regain control of linked services without alerting a stalkerware operator.

Advanced, commercial spyware demands stronger precautions. Research-based recommendations include:

• Reboot the device daily to disrupt attacks that rely on temporary exploits.

• Disable iMessage and FaceTime on iOS, as they are frequent targets for exploitation.

• Use alternative browsers such as Firefox Focus or Tor Browser to reduce exposure from browser-based exploits.

• Use a trusted VPN and jailbreak detection tools to protect against network and system-level intrusion.

• Use a separate secure device like those running GrapheneOS for sensitive communication.

Reducing the risk of future infections requires consistent precautions:

• Maintain physical device security through PINs, patterns, or biometrics.

• Install system updates as soon as they are released.

• Run antivirus scans regularly.

• Avoid apps from unofficial sources.

• Enable built-in security scanners for new installations.

• Review app permissions routinely and remove intrusive apps.

• Be cautious of suspicious links.

• Avoid jailbreaking the device.

• Enable multi-factor authentication, keeping in mind that spyware may still capture some verification codes.



Read more »
pins
Android ATM Banks debit cards Financial Breach malware NFC pins

New Android Malware Steals Debit Card Data And PINs To Enable ATM Withdrawals

 




Security researchers have identified an Android malware operation that can collect debit card details and PINs directly from a victim’s mobile device and use that information to withdraw cash from an ATM. What makes this attack particularly dangerous is that criminals never need to handle the victim’s physical bank card at any point. Instead, the entire theft is carried out through the victim’s compromised phone, wireless communication features, and a coordinated cashout attempt at an ATM.

The threat relies on a combination of social engineering and near field communication, a short-range wireless feature widely used for contactless payments on smartphones and payment cards. Once the malware is in place, it quietly monitors NFC activity on the compromised phone, captures the temporary transaction data, and sends this information to an accomplice positioned near an ATM. Because these NFC codes change quickly and are valid only for a short period, the cash withdrawal must be carried out almost immediately for the fraud to succeed.

The attackers cannot begin the operation until they convince the target to install the malicious application. To achieve this, they commonly send deceptive text messages or emails that pretend to come from a bank. These messages warn the user about false account issues or security concerns and direct them to install an app from a link. Victims are sometimes contacted through follow-up calls to reinforce the urgency and to make the request appear more legitimate. The app itself does not come from an official store and often asks for permissions it does not need, including access to financial inputs. Once a user enters their card information and PIN, the malware is ready to operate in the background.

When the victim completes a contactless transaction on their phone, the malware intercepts the NFC exchange and sends the captured data to the waiting accomplice. That person uses a phone or smartwatch to simulate the victim’s payment credential at a nearby ATM and withdraws money before the dynamic code becomes invalid. Because all steps are interconnected and time sensitive, the criminals typically coordinate their roles in advance.

This technique stands out because it exploits features designed for convenience. It does not rely on physical skimming devices or stolen cards. Instead, it abuses trusted communication processes inside the victim’s own device. The combination of fake alerts, misleading calls, unauthorized apps, and wireless data relays makes the attack appear legitimate to those who are not familiar with these tactics.


Practical steps readers should take :

• Only install banking or payment apps from official app stores or verified developer pages.

• Treat unsolicited messages or calls claiming to be from your bank as suspicious; verify alerts using the phone number printed on your card or official statements.

• Never share card numbers or PINs in response to unsolicited contacts.

• Review installed apps and revoke permissions for unknown or unnecessary apps, particularly those that request accessibility or payment access.

• Use reputable mobile security software and keep the device and apps updated; some security products can detect malicious installers and block phishing links. 

• Any suspicious alerts should be verified by contacting the bank using official phone numbers printed on cards or statements.


As cybercriminals continue to grow more layered and coordinated attacks, staying informed about these methods is essential. Understanding how such schemes operate can help individuals protect themselves and warn others before they become victims.

Read more »
Spyware
AI Android Data Internet malware Pegasus Spyware

How Spyware Steals Your Data Without You Knowing About It


You might not be aware that your smartphone has spyware, which poses a risk to your privacy and personal security. However, what exactly is spyware? 

This type of malware, often presented as a trustworthy mobile application, has the potential to steal your data, track your whereabouts, record conversations, monitor your social media activity, take screenshots of your activities, and more. Phishing, a phony mobile application, or a once-reliable software that was upgraded over the air to become an information thief are some of the ways it could end up on your phone.

Types of malware

Legitimate apps are frequently packaged with nuisanceware. It modifies your homepage or search engine settings, interrupts your web browsing with pop-ups, and may collect your browsing information to sell to networks and advertising agencies.

Nuisanceware

Nuisanceware is typically not harmful or a threat to your fundamental security, despite being seen as malvertising. Rather, many malware packages focus on generating revenue by persuading users to view or click on advertisements.

Generic mobile spyware

Additionally, there is generic mobile spyware. These types of malware collect information from the operating system and clipboard in addition to potentially valuable items like account credentials or bitcoin wallet data. Spray-and-pray phishing attempts may employ spyware, which isn't always targeted.

Stalkerware

Compared to simple spyware, advanced spyware is sometimes also referred to as stalkerware. This spyware, which is unethical and frequently harmful, can occasionally be found on desktop computers but is becoming more frequently installed on phones.

The infamous Pegasus

Lastly, there is commercial spyware of governmental quality. One of the most popular variations is Pegasus, which is sold to governments as a weapon for law enforcement and counterterrorism. 

Pegasus was discovered on smartphones owned by lawyers, journalists, activists, and political dissidents. Commercial-grade malware is unlikely to affect you unless you belong to a group that governments with ethical dilemmas are particularly interested in. This is because commercial-grade spyware is expensive and requires careful victim selection and targeting.

How to know if spyware is on your phone?

There are signs that you may be the target of a spyware or stalkerware operator.

Receiving strange or unexpected emails or messages on social media could be a sign of a spyware infection attempt. You should remove these without downloading any files or clicking any links.

Read more »
Technology
Android Google iOS Scams Technology

New Google Study Reveals Threat Protection Against Text Scams


As Cybersecurity Awareness Month comes to an end, we're concentrating on mobile scams, one of the most prevalent digital threats of our day. Over $400 billion in funds have been stolen globally in the past 12 months as a result of fraudsters using sophisticated AI tools to create more convincing schemes. 

Google study about smartphone threat protection 

Android has been at the forefront of the fight against scammers for years, utilizing the best AI to create proactive, multi-layered defenses that can detect and stop scams before they get to you. Every month, over 10 billion suspected malicious calls and messages are blocked by Android's scam defenses. In order to preserve the integrity of the RCS service, Google claims to conduct regular safety checks. It has blocked more than 100 million suspicious numbers in the last month alone.

About the research 

To highlight how fraud defenses function in the real world, Google invited consumers and independent security experts to compare how well Android and iOS protect you from these dangers. Additionally, Google is releasing a new report that describes how contemporary text scams are planned, giving you insight into the strategies used by scammers and how to identify them.

Key insights 

  • Those who reported not receiving any scam texts in the week before the survey were 58% more likely to be Android users than iOS users. The benefit was even greater on Pixel, where users were 96% more likely to report no scam texts than iPhone owners.
  • Whereas, reports of three or more scam texts in a week were 65% more common among iOS users than Android users. When comparing iPhone and Pixel, the disparity was even more noticeable, with 136% more iPhone users reporting receiving a high volume of scam messages.
  • Compared to iPhone users, Android users were 20% more likely to say their device's scam protections were "very effective" or "extremely effective." Additionally, iPhone users were 150% more likely to say their device was completely ineffective at preventing mobile fraud.  

Android smartphones were found to have the strongest AI-powered protections in a recent assessment conducted by the international technology market research firm Counterpoint Research.  

Read more »
SMiShing
Android Android Trojans Banking Google Herodotus malware SMiShing

Herodotus Trojan Mimics Human Typing to Steal Banking Credentials

 



A newly discovered Android malware, Herodotus, is alarming cybersecurity experts due to its unique ability to imitate human typing. This advanced technique allows the malware to avoid fraud detection systems and secretly steal sensitive financial information from unsuspecting users.

According to researchers from Dutch cybersecurity firm ThreatFabric, Herodotus combines elements from older malware families like Brokewell with newly written code, creating a hybrid trojan that is both deceptive and technically refined. The malware’s capabilities include logging keystrokes, recording screen activity, capturing biometric data, and hijacking user inputs in real time.


How users get infected

Herodotus spreads mainly through side-loading, a process where users install applications from outside the official Google Play Store. Attackers are believed to use SMS phishing (smishing) campaigns that send malicious links disguised as legitimate messages. Clicking on these links downloads a small installer, also known as a dropper, that delivers the actual malware to the device.

Once installed, the malware prompts victims to enable Android Accessibility Services, claiming it is required for app functionality. However, this permission gives the attacker total control,  allowing them to read content on the screen, click buttons, swipe, and interact with any open application as if they were the device owner.


The attack mechanism

After the infection, Herodotus collects a list of all installed apps and sends it to its command-and-control (C2) server. Based on this data, the operator pushes overlay pages, fake screens designed to look identical to genuine banking or cryptocurrency apps. When users open their actual financial apps, these overlays appear on top, tricking victims into entering login details, card numbers, and PINs.

The malware can also intercept one-time passwords (OTPs) sent via SMS, record keystrokes, and even stream live footage of the victim’s screen. With these capabilities, attackers can execute full-scale device takeover attacks, giving them unrestricted access to the user’s financial accounts.


The human-like typing trick

What sets Herodotus apart is its behavioral deception technique. To appear human during remote-control sessions, the malware adds random time delays between keystrokes, ranging from 0.3 to 3 seconds. This mimics natural human typing speed instead of the instant input patterns of automated tools.

Fraud detection systems that rely solely on input timing often fail to recognize these attacks because the malware’s simulated typing appears authentic. Analysts warn that as Herodotus continues to evolve, it may become even harder for traditional detection tools to identify.


Active regions and underground sale

ThreatFabric reports that the malware has already been used in Italy and Brazil, disguising itself as apps named “Banca Sicura” and “Modulo Seguranca Stone.” Researchers also found fake login pages imitating popular banking and cryptocurrency platforms in the United States, United Kingdom, Turkey, and Poland.

The malware’s developer, who goes by the alias “K1R0” on underground forums, began offering Herodotus as a Malware-as-a-Service (MaaS) product in September. This means other cybercriminals can rent or purchase it for use in their own campaigns, further increasing the likelihood of global spread.

Google confirmed that Play Protect already blocks known versions of Herodotus. Users can stay protected by avoiding unofficial downloads, ignoring links in unexpected text messages, and keeping Play Protect active. It is also crucial to avoid granting Accessibility permissions unless an app’s legitimacy is verified.

Security professionals advise enabling stronger authentication methods, such as app-based verification instead of SMS-based codes, and keeping both system and app software regularly updated.


Read more »
Privacy Issues
Android data security Data tracking Google Maps iOS Open Source Privacy Privacy Issues

CoMaps: The Open-Source, Privacy-Focused Google Maps Alternative You’ll Actually Want to Use

 

Google Maps may be convenient, but for some users, its constant tracking and battery drain are reason enough to look for an alternative. One such option is CoMaps, an open-source navigation app built for privacy and efficiency. Users frustrated by Google’s monthly location reports or the high battery consumption of Maps may find CoMaps to be a refreshing change. 

CoMaps is a fork of Organic Maps, which itself evolved from the earlier project MapsWithMe, later acquired by the Russian-based Maps.ru group. Like its predecessors, CoMaps uses OpenStreetMap data — a community-driven platform that emphasizes transparency and collaboration. The app, available for both Android and iOS, stands out for its offline usability and no-tracking policy. 

Unlike Google Maps, CoMaps collects no personal information, doesn’t serve ads, and doesn’t require a constant internet connection. It offers offline search, route planning, and voice-guided navigation while consuming far less battery power. Users can download regional maps, mark and save favorite spots, view subway maps, and even access offline Wikipedia articles for added context. Another standout feature is CoMaps’ outdoor mode, designed for hiking and biking. 

This mode highlights trails, campsites, points of interest, and even water sources — making it ideal for travelers and adventurers who prefer staying disconnected from the grid. The built-in map editor also lets users contribute directly to improving OpenStreetMap data, reinforcing the app’s community-driven philosophy. Setting up CoMaps is simple. Users can download only the maps they need, saving space and allowing seamless offline use. Once downloaded, navigation feels intuitive — nearly identical to Google Maps. 

Directions are clear, and the app supports distance measurements in both kilometers and miles, customizable through the settings. Since its release on the Google Play Store and Apple App Store in July, CoMaps has quickly gained attention as a reliable Google Maps replacement. Its focus on privacy, performance, and transparency appeals to users who are increasingly wary of data tracking. 

For those who value privacy and want a lighter, more ethical alternative to big tech navigation tools, CoMaps offers a balanced blend of simplicity, functionality, and digital independence. It’s free, open-source, and ready to use — without following you everywhere you go.
Read more »
Phone
Android Apple Bank Accounts Cyber Security Data Email Identity Theft MFA Phone

Lost or Stolen Phone? Here’s How to Protect Your Data and Digital Identity

 



In this age, losing a phone can feel like losing control over your digital life. Modern smartphones carry far more than contacts and messages — they hold access to emails, bank accounts, calendars, social platforms, medical data, and cloud storage. In the wrong hands, such information can be exploited for financial fraud or identity theft.

Whether your phone is misplaced, stolen, or its whereabouts are unclear, acting quickly is the key to minimizing damage. The following steps outline how to respond immediately and secure your data before it is misused.


1. Track your phone using official recovery tools

Start by calling your number to see if it rings nearby or if someone answers. If not, use your device’s official tracking service. Apple users can access Find My iPhone via iCloud, while Android users can log in to Find My Device.

These built-in tools can display your phone’s current or last known location on a map, play a sound to help locate it, or show a custom message on the lock screen with your contact details. Both services can be used from another phone or a web browser. Avoid third-party tracking apps, which are often unreliable or insecure.


2. Secure your device remotely

If recovery seems unlikely or the phone may be in someone else’s possession, immediately lock it remotely. This prevents unauthorized access to your personal files, communication apps, and stored credentials.

Through iCloud’s “Mark as Lost” or Android’s “Secure Device” option, you can set a new passcode and display a message requesting the finder to contact you. This function also disables features like Apple Pay until the device is unlocked, protecting stored payment credentials.


3. Contact your mobile carrier without delay

Reach out to your mobile service provider to report the missing device. Ask them to suspend your SIM to block calls, texts, and data usage. This prevents unauthorized charges and, more importantly, stops criminals from intercepting two-factor authentication (2FA) messages that could give them access to other accounts.

Request that your carrier blacklist your device’s IMEI number. Once blacklisted, it cannot be used on most networks, even with a new SIM. If you have phone insurance, inquire about replacement or reimbursement options during the same call.


4. File an official police report

While law enforcement may not always track individual devices, filing a report creates an official record that can be used for insurance claims, fraud disputes, or identity theft investigations.

Provide details such as the model, color, IMEI number, and the time and place where it was lost or stolen. The IMEI (International Mobile Equipment Identity) can be found on your phone’s box, carrier account, or purchase receipt.


5. Protect accounts linked to your phone

Once the device is reported missing, shift your focus to securing connected accounts. Start with your primary email, cloud services, and social media platforms, as they often serve as gateways to other logins.

Change passwords immediately, and if available, sign out from all active sessions using the platform’s security settings. Apple, Google, and Microsoft provide account dashboards that allow you to remotely sign out of all devices.

Enable multi-factor authentication (MFA) on critical accounts if you haven’t already. This adds an additional layer of verification that doesn’t rely solely on your phone.

Monitor your accounts closely for unauthorized logins, suspicious purchases, or password reset attempts. These could signal that your data is being exploited.


6. Remove stored payment methods and alert financial institutions

If your phone had digital wallets such as Apple Pay, Google Pay, or other payment apps, remove linked cards immediately. Apple’s Find My will automatically disable Apple Pay when a device is marked as lost, but it’s wise to verify manually.

Android users can visit payments.google.com to remove cards associated with their Google account. Then, contact your bank or card issuer to flag the loss and monitor for fraudulent activity. Quick reporting allows banks to block suspicious charges or freeze affected accounts.


7. Erase your device permanently (only when recovery is impossible)

If all efforts fail and you’re certain the device won’t be recovered, initiate a remote wipe. This deletes all data, settings, and stored media, restoring the device to factory condition.

For iPhones, use the “Erase iPhone” option under Find My. For Androids, use “Erase Device” under Find My Device. Once wiped, you will no longer be able to track the device, but it ensures that your personal data cannot be accessed or resold.


Be proactive, not reactive

While these steps help mitigate damage, preparation remains the best defense. Regularly enable tracking services, back up your data, use strong passwords, and activate device encryption. Avoid storing sensitive files locally when possible and keep your operating system updated for the latest security patches.

Losing a phone is stressful, but being prepared can turn a potential disaster into a controlled situation. With the right precautions and quick action, you can safeguard both your device and your digital identity.



Read more »
Fake Apps
Android Android Banking Trojan Android Trojans Banking Trojan Credential Theft Cyber Attacks Fake Apps

Datzbro Android Banking Trojan Targets Seniors With Device-Takeover Attacks

 

Researchers have uncovered a previously undocumented Android banking trojan, dubbed Datzbro, that is being used in device-takeover campaigns aimed squarely at older adults. ThreatFabric, a Dutch mobile security firm, first tied the activity to a social-engineering network in August 2025 after reports emerged of Facebook groups in Australia advertising “active senior trips” that were in fact recruitment channels for the scam. The operation has been observed in multiple countries, including Singapore, Malaysia, Canada, South Africa and the U.K., and relies on community-focused messaging to build trust before delivering malware. 

The attackers create convincing Facebook groups and AI-generated posts promoting local events for seniors. When a target shows interest, operators move the conversation to Facebook Messenger or WhatsApp and push a link to download a so-called community app—usually an APK hosted on a fraudulent domain. Those sites promise event registration and networking features but deliver an installer that either installs Datzbro directly or drops a secondary loader built with an APK-binding service called Zombinder, which helps bypass protections introduced in Android 13 and later. Some evidence suggests the fraudsters are preparing iOS TestFlight lures as well, indicating cross-platform ambitions. 

Analysts have cataloged multiple malicious app package names used to distribute the trojan, from innocuous-sounding “Senior Group” and “Lively Years” to variants masquerading as popular Chinese apps or tools. Once installed, Datzbro grants itself extensive permissions and weaponizes Android accessibility services to perform actions on behalf of the attacker. It can record audio, capture photos, harvest files, log keystrokes and overlay semi-transparent screens to hide malicious activity from victims. A distinctive feature is its “schematic remote control” mode, which reports screen layout, element positions and content back to operators so they can reconstruct interfaces remotely and direct the device as if they were looking over the victim’s shoulder. 

The trojan also filters accessibility event logs for bank or wallet package names and scans for text resembling PINs, passwords or transaction codes. If it finds credentials in cookies or other storage, Datzbro exfiltrates them to the attackers’ back end; it can even steal lock-screen PINs and compromise popular Chinese payment apps such as Alipay and WeChat. ThreatFabric noted Chinese debug strings and a Chinese-language desktop command-and-control application tied to the campaign, suggesting the authors are Chinese-speaking. A compiled C2 client reportedly leaked to public malware repositories, which may accelerate wider abuse by other criminals. 

Datzbro’s discovery comes amid broader mobile-banking malware activity. IBM X-Force has described a related AntiDot campaign called PhantomCall that similarly abuses Android features and sideloaded droppers to bypass modern OS protections, while PRODAFT has documented MaaS-style offerings for actors aiming at global banks. Together, these trends reflect a sustained move toward targeted social engineering that exploits community trust to coax vulnerable users into installing powerful remote-control malware. 

The rapid evolution of these threats underscores the need for heightened public awareness—especially among seniors—tighter app-distribution controls, and stronger defenses around accessibility permissions and sideloaded software.
Read more »
Trojan
Android cryptocurrency malware MFA NFC Ransomware RatON TikTok Trojan

RatOn Android Trojan Expands Into Full Remote Access Threat Targeting Banks and Crypto

 



A new Android malware strain called RatOn has rapidly evolved from a tool limited to NFC relay attacks into a sophisticated remote access trojan with the ability to steal banking credentials, hijack cryptocurrency wallets, and even lock users out of their phones with ransom-style screens. Researchers warn the malware is under active development and combines multiple attack methods rarely seen together in one mobile threat.

How It Spreads

RatOn is being distributed through fake websites designed to look like the Google Play Store. Some of these pages advertise an adult-themed version of TikTok called “TikTok 18+.” Once victims install the dropper app, it requests permission to install software from unknown sources, bypassing Android’s built-in safeguards. The second-stage payload then seeks administrator and accessibility permissions, along with access to contacts and system settings, giving it deep control of the device. From there, RatOn can download an additional component called NFSkate, a modified version of the NFCGate tool, enabling advanced relay attacks known as “ghost taps.”


Capabilities and Tactics

The trojan’s abilities are wide-ranging:

1. Overlays and ransomware screens: RatOn can display fake login pages to steal credentials or lock the device with alarming ransom notes. Some overlays falsely accuse users of viewing child exploitation content and demand $200 in cryptocurrency within two hours to regain access.

2. Banking and crypto theft: It specifically targets cryptocurrency wallets such as MetaMask, Trust Wallet, Blockchain.com, and Phantom. By capturing PIN codes and recovery phrases, the malware enables attackers to take over accounts and steal assets. It can also perform automated transfers inside George ÄŒesko, a Czech banking app, by simulating taps and inputs.

3. NFC relay attacks: Through NFSkate, RatOn can remotely use victims’ card data for contactless payments.

4. Remote commands: The malware can change device settings, send fake push notifications, send SMS messages, add contacts, record screens, launch apps like WhatsApp and Facebook, lock the phone, and update its target list of financial apps.

Researchers noted RatOn shares no code with other Android banking trojans and appears to have been built from scratch. A similar trend has been seen before: the HOOK trojan, another Android threat, also experimented with ransomware-style overlays.


Development and Targets

The first sample of RatOn was detected on July 5, 2025, with further versions appearing as recently as August 29, pointing to ongoing development. Current attacks focus mainly on users in the Czech Republic and Slovakia. Investigators believe the need for local bank account numbers in automated transfers suggests possible collaboration with regional money mules.


Why It Matters

RatOn’s integration of overlay fraud, ransomware intimidation, NFC relay, and automated transfers makes it unusually powerful. By combining old tactics with new automation, it raises the risk of large-scale theft from both traditional banking users and cryptocurrency holders.

Users can reduce exposure by downloading apps only from official stores, refusing risky permissions for unknown apps, keeping devices updated, and using strong multi-factor authentication on financial accounts. For cryptocurrency, hardware wallets that keep recovery phrases offline provide stronger protection. Anyone who suspects infection should immediately alert their bank and seek professional removal help.


Read more »
Privacy
Android Compliance Developers Google Play Store Privacy

Google to Confirm Identity of Every Android App Developer

 







Google announced a new step to make Android apps safer: starting next year, developers who distribute apps to certified Android phones and tablets, even outside Google Play, will need to verify their legal identity. The change ties every app on certified devices to a named developer account, while keeping Android’s ability to run apps from other stores or direct downloads intact. 

What this means for everyday users and small developers is straightforward. If you download an app from a website or a third-party store, the app will now be linked to a developer who has provided a legal name, address, email and phone number. Google says hobbyists and students will have a lighter account option, but many independent creators may choose to register as a business to protect personal privacy. Certified devices are the ones that ship with Google services and pass Google’s compatibility tests; devices that do not include Google Play services may follow different rules. 

Google’s stated reason is security. The company reported that apps installed from the open internet are far more likely to contain malware than apps on the Play Store, and it says those risks come mainly from people hiding behind anonymous developer identities. By requiring identity verification, Google intends to make it harder for repeat offenders to publish harmful apps and to make malicious actors easier to track. 

The rollout is phased so developers and device makers can prepare. Early access invitations begin in October 2025, verification opens to all developers in March 2026, and the rules take effect for certified devices in Brazil, Indonesia, Singapore and Thailand in September 2026. Google plans a wider global rollout in 2027. If you are a developer, review Google’s new developer pages and plan to verify your account well before your target markets enforce the rule. 

A similar compliance pattern already exists in some places. For example, Apple requires developers who distribute apps in the European Union to provide a “trader status” and contact details to meet the EU Digital Services Act. These kinds of rules aim to increase accountability, but they also raise questions about privacy, the costs for small creators, and how “open” mobile platforms should remain. Both companies are moving toward tighter oversight of app distribution, with the goal of making digital marketplaces safer and more accountable.

This change marks one of the most significant shifts in Android’s open ecosystem. While users will still have the freedom to install apps from multiple sources, developers will now be held accountable for the software they release. For users, it could mean greater protection against scams and malicious apps. For developers, especially smaller ones, it signals a new balance between maintaining privacy and ensuring trust in the Android platform.


Read more »
Technology
AI Android Cloud Internet SIM Swapping Technology

Beware of SIM swapping attacks, your phone is at risk


In today’s digital world, most of our digital life is connected to our phone numbers, so keeping them safe becomes a necessity. Sad news: hackers don’t need your phone to access your number. 

What is SIM swapping?

Also known as SIMjacking, SIM swapping is a tactic where a cybercriminal convinces your ISP to port your phone number to their own SIM card. This results in the user losing access to their phone number and service provider, while the cybercriminal gains full access. 

To convince the ISP of a SIM swap, the threat actor has to know about you. They can get the information from data breaches available on the dark web. You might also get tricked by a phishing scam and end up giving your info, or the threat actor may harvest your social media in case you have public information. 

Once the information is received, the threat actor calls the customer support, requesting to move your number to a new SIM card. In most cases, your carrier doesn’t need much convincing. 

Threats concerning SIM swapping

An attacker with your phone number can impersonate you to friends and family, and extort money. Your phone security is also at risk, as most online services ask for your phone number for account recovery. 

SIM swapping is dangerous as SMS based two-factor-authentication is still in use. Many services require us to activate 2FA on our accounts, and sometimes through SMS. 

You can also check your carrier’s website to see if there’s any option to deactivate SIM change requests. This way, you can secure your phone number. 

But when this isn’t available with your carrier, look out for the option to enable a PIN or secret phrase. A few companies allow users to set these, and call you back to confirm about your account.

How to stay safe from SIM swapping?

Avoid using 2FA; use passkeys.

Use a SIM PIN for your phone to lock your SIM card.

Read more »
Software
Android BadBox threat Credential Theft FBI malware Software

FBI Issues Urgent Warning: Millions of Android Devices Compromised by Malware Operation

 


A dangerous malware campaign known as BadBox 2.0 has infected more than 10 million Android-powered devices, according to a recent alert from the FBI and major cybersecurity researchers. Users are being advised to immediately disconnect any suspicious smart devices connected to their home networks.

This large-scale cyberattack targets a range of low-cost electronics, such as smart TVs, tablets, digital picture frames, car infotainment systems, and streaming boxes, many of which are manufactured by lesser-known brands and sold at discounted prices. Authorities warn that these products may already be infected before leaving the factory.


How Are Devices Getting Infected?

Investigators say that the malware is often pre-installed into the system’s firmware, meaning it’s embedded into the device itself. In some cases, users unknowingly allow the malware in when accepting software updates or installing apps from unofficial sources.

Once active, the malware can silently take over the infected device, turning it into part of a global botnet. These infected devices are then used by cybercriminals for illegal activities like online ad fraud, credential theft, and hiding internet traffic through proxy networks.

The LAT61 Threat Intelligence Team at Point Wild helped trace how the malware operates. They discovered that the malware secretly converts devices into residential proxy nodes, making it hard to detect while still carrying out harmful actions behind the scenes.


What Are Google and the FBI Doing?

In response to the threat, Google has taken legal action against the individuals behind BadBox 2.0 and has updated its Google Play Protect system to block apps associated with the malware. The FBI, through alert I-060525-PSA, has also issued a detailed warning and urged users to take caution, especially with devices from unverified brands.

The team at Human Security, which first exposed the malware operation, confirmed that multiple hacker groups contributed to building and maintaining the botnet infrastructure. Their CEO praised the collaboration between cybersecurity firms, law enforcement, and tech companies to take down the threat.


A New Threat Also Detected

Meanwhile, researchers from GreyNoise have reported signs of another emerging cyber threat, this time involving VoIP (Voice over Internet Protocol) devices. Their investigation revealed a spike in activity where hackers are attempting to gain access to poorly secured systems using default or weak passwords. These devices are often older, rarely updated, and left exposed to the internet, making them easy targets.


What Should You Do?

The FBI advises users to look out for the following red flags:

1. Devices requiring you to turn off Google Play Protect

2. Gadgets that offer “fully unlocked” or “free streaming” features

3. Unfamiliar or generic brand names

4. Apps from third-party app stores

5. Unexpected internet activity from your devices


If you notice any of these signs, disconnect the device from your network immediately and consider replacing it with a trusted brand.

Read more »
Subscribe to: Comments (Atom)