Android malware Archives

AppWizard

May 5, 2026

FEMITBOT Network Abuses Telegram Mini Apps for Crypto Scams and Android Malware

A fraud network called FEMITBOT has emerged, using Telegram's Mini App feature to conduct investment scams and distribute malware. Identified by the research firm CTM360, the network operates through API responses and presents itself as organized. The scams involve Telegram Mini Apps that display phishing pages, fake dashboards showing fictitious earnings, and urgency tactics to pressure users into making quick decisions. FEMITBOT mimics well-known brands like Apple and Coca-Cola to enhance credibility and disseminates Android malware disguised as legitimate applications. The operation is highly organized, utilizing marketing tools to optimize their scams. Users are warned to be cautious of bots requesting deposits before granting access to funds.

BetaBeacon

May 5, 2026

ScarCruft hackers push BirdCall Android malware via game platform

APT37, also known as ScarCruft and Ricochet Chollima, has developed an Android version of the backdoor BirdCall, which serves as spyware in addition to a backdoor. The malware was delivered through a Chinese website that hosts games for Android, iOS, and Windows, targeting only Android and Windows systems. The Android variant of BirdCall has capabilities such as extracting IP geolocation information, collecting contact lists, call logs, SMS data, device information, taking screenshots, recording audio, and exfiltrating files. Users are advised to download software only from official marketplaces and trusted publisher sites to protect against malware infections.

AppWizard

May 3, 2026

Telegram Mini Apps abused for crypto scams, Android malware delivery

Cybersecurity researchers have identified a fraud operation named FEMITBOT that exploits Telegram’s Mini App feature to conduct various crypto scams, impersonate reputable brands, and distribute Android malware. This operation uses a unique string in API responses and employs Telegram bots with embedded Mini Apps to create convincing app-like experiences. The scams include fraudulent cryptocurrency platforms and financial services, with impersonation of brands like Apple, Coca-Cola, Disney, eBay, IBM, Moon Pay, NVIDIA, and YouKu. The operation utilizes a shared backend infrastructure, allowing multiple phishing domains to use the same API response. Users interacting with the bots are shown phishing pages within Telegram’s WebView, often featuring fake balances and urgency tactics to prompt deposits or referrals. Additionally, some Mini Apps attempt to distribute malware disguised as legitimate Android APKs. Users are advised to be cautious when engaging with Telegram bots related to cryptocurrency investments and to avoid sideloading APK files.

AppWizard

April 28, 2026

10,000 Users Exposed As Fake Document Reader App Delivers Anatsa Banking Trojan

Security researchers from ThreatLabz discovered a malicious document reader app on the Google Play Store that delivered the Anatsa Android banking trojan. The app, which had over 10,000 downloads before its removal, disguised itself as a legitimate file management tool using the package name com.groundstation.informationcontrol.filestationbrowsefilesreaddocs. It employed a "dropper" technique to hide its malicious code, connecting to an external server to retrieve the malware payload after installation. Anatsa is designed to steal financial information by overlaying a fake login screen over legitimate banking apps, capturing user credentials and enabling unauthorized transactions. Users are advised to delete the app and monitor their financial accounts. Technical indicators for identifying infections include the Anatsa Installer SHA256 (5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20), Payload URL (http://23.251.108[.]10:8080/privacy.txt), Payload SHA256 Hash (88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f), and Command and Control servers (http://172.86.91[.]94/api/ and http://193.24.123[.]18:85/api/).

AppWizard

April 21, 2026

Trojanized Android App Fuels New Wave of NFC Fraud

A new variant of the NGate malware family has emerged, using a trojanized Android application to capture payment card data and personal identification numbers (PINs). This modified version of HandyPay, a legitimate NFC relay app, has been distributed since November 2025, primarily targeting users in Brazil. The malware intercepts NFC payment card data and allows fraudulent transactions. Two distinct malware samples have been observed, delivered through phishing infrastructure that impersonates a Brazilian lottery site and a Google Play listing for a card protection tool. The trojanized app captures NFC data, requests the victim's card PIN, and transmits this information to attacker-controlled infrastructure. It requires minimal permissions, leveraging its role as the default payment application to evade detection. Evidence suggests that generative AI tools may have been used in its development, indicated by emoji markers in debug logs. ESET has reported its findings to Google, and Google Play Protect can detect known versions of the malware. The developer of HandyPay is investigating the misuse of its application.

AppWizard

April 21, 2026

NGate Android malware uses HandyPay NFC app to steal card data

A new variant of the NGate malware targets Android users by disguising itself within a trojanized version of the HandyPay app, which is a legitimate mobile payment processing application. This malware, documented since mid-2024, siphons payment card information through the mobile device's near-field communication (NFC) chip and sends the stolen data directly to attackers, who create virtual cards for unauthorized purchases or cash withdrawals from NFC-enabled ATMs. The new variant has been injected with malicious code into the HandyPay app, which has been available on Google Play since 2021. The code includes emojis, indicating the possible use of a generative AI tool in its development. The shift from previous iterations, which used an open-source tool named NFCGate, to HandyPay is likely motivated by financial considerations and the need for evasion, as HandyPay is more affordable and requires fewer permissions. This NGate variant has been active since November 2025, primarily targeting Android devices in Brazil. It employs two main distribution methods: a counterfeit app named “Proteção Cartão” hosted on a fraudulent Google Play page and a fake lottery website that redirects users to WhatsApp to download the malicious APK. Upon installation, the app prompts users to set it as their default NFC payment application, requests their card PIN, and instructs them to tap their card on the phone for reading, transmitting all collected information to an attacker's email address. To protect against such threats, Android users are advised to avoid downloading APKs from outside Google Play, disable NFC when not in use, and use Play Protect to scan for threats.

AppWizard

April 21, 2026

New NGate Android malware variant uses NFC app to steal card data

A new variant of the NGate Android malware exploits a legitimate NFC payment app, HandyPay, to steal users' card information and PINs, enabling unauthorized contactless transactions. This malicious version of HandyPay, which has been available since 2021, was identified by ESET researchers and is distributed through a fraudulent lottery website and a fake Google Play page. The malware captures sensitive information by prompting users to enter their payment card PIN and tap their card against the device, sending the data to an attacker-controlled phone and exfiltrating the PIN to a command-and-control server. The campaign employs social engineering tactics and requires minimal permissions, relying on users to enable app installations from unknown sources. The attackers use a centralized infrastructure for malware distribution and PIN collection, with evidence of compromised devices in Brazil. The shift to modifying a legitimate application is motivated by financial incentives, as it offers similar functionality at a lower cost compared to underground tools. Users are advised to avoid installing apps from unofficial sources and to ensure the legitimacy of applications before entering sensitive information.

Tech Optimizer

April 18, 2026

Avast Antivirus: Free Protection Faces Premium Competition Pressure

Avast Antivirus offers a free version with features like real-time scanning, malware detection, a ransomware shield, and network security, appealing to budget-conscious users on multiple platforms. It has a lightweight design, regular updates, and community-driven threat intelligence. Gen Digital acquired Avast in 2022 and integrated it into its cybersecurity portfolio, focusing on transitioning users from free to premium services and emphasizing AI-driven threat detection. Avast faces competition from free alternatives like Windows Defender and premium solutions such as Bitdefender and Kaspersky, while regulatory scrutiny affects all providers. The demand for antivirus tools is driven by rising ransomware attacks and data breaches, with remote work increasing the need for endpoint protection. Risks for users include performance issues on older devices, false positives, data privacy concerns, and potential subscription traps. Future updates may incorporate more AI features, and partnerships with hardware manufacturers could expand Avast's market reach.

AppWizard

April 17, 2026

New RecruitRat, SaferRat, Astrinox, Massiv Android Malware Found Targeting 800 Apps

Cybersecurity researchers from Zimperium zLabs have identified four families of Android malware—RecruitRat, SaferRat, Astrinox, and Massiv—targeting banking and cryptocurrency applications. These malware families can extract sensitive information from over 800 applications. They primarily use phishing and smishing to lure users into downloading malicious software. Phishing involves creating fake websites resembling legitimate login pages, while smishing uses urgent text messages with links to download harmful payloads. RecruitRat targets job seekers with fake employment websites, and SaferRat promises free access to premium video services. Astrinox mimics a business tool and has been linked to a fraudulent Apple App Store page, while Massiv's distribution methods remain unclear. Once installed, these malware applications initiate Overlay attacks, displaying counterfeit screens to capture user credentials. They also use a "blindfold" technique to obscure their activities by overlaying static images on the user's screen. The malware can intercept security codes, capture one-time passwords, and employ keylogging techniques. RecruitRat has a library of over 700 counterfeit login pages that activate with targeted apps. Researchers recommend avoiding links in urgent messages and downloading apps only from official sources.

Tech Optimizer

April 16, 2026

MiningDropper Android Malware Exploits Lumolight App

Researchers at Cyble Research and Intelligence Labs (CRIL) have discovered an Android malware framework called MiningDropper, which is being used in various campaigns to distribute malicious payloads such as cryptocurrency miners, infostealers, Remote Access Trojans (RATs), and banking malware. Over 1,500 MiningDropper samples were detected in one month, with many showing minimal antivirus detection. MiningDropper operates as a multi-stage delivery framework that employs techniques like XOR-based obfuscation and AES encryption to evade detection. A recent variant uses a trojanized version of the Lumolight application as the initial infection vector, often spread through phishing links and fraudulent websites. The malware executes a series of stages, starting with decrypting an embedded asset and loading additional payloads, including a counterfeit Google Play update interface to deceive users. Two main campaign clusters have been identified: an infostealer campaign targeting Indian users by impersonating trusted entities, and a global campaign distributing the BTMOB RAT, which enables credential theft and device takeover. The final payload capabilities include extracting sensitive data, enabling full device compromise, facilitating financial fraud, and unauthorized cryptocurrency mining. MiningDropper's modularity allows it to adapt and scale across various campaigns while maintaining low detection rates.