Android malware Archives

AppWizard

June 8, 2026

NFCShare Android malware spreads via fake banking app updates on GitHub

New variants of the NFCShare Android malware are disguised as fake updates for legitimate banking applications and are targeting customers of various banks in Europe through a phishing campaign to steal sensitive payment card data. The malware prompts victims to place their cards near the NFC chip of their mobile devices, using Android’s IsoDep interface to read card information, including card number, type, expiry date, and a 4-digit PIN. The stolen data is exfiltrated to the attacker’s command-and-control host via a WebSocket channel. Recent attacks began on May 14, with victims directed to a phishing site that impersonates a legitimate bank and then to a GitHub repository hosting a malicious APK file. The repository has hosted 56 unique APKs impersonating banking applications primarily from Italy and Spain. The malware has evolved from initially targeting Deutsche Bank in Germany to a broader range of banks. The latest version features malformed APK packaging to complicate automated analysis. Users are advised to download banking applications only from Google Play and to be cautious of verification requests that ask for NFC card scans.

AppWizard

June 2, 2026

Exclusive: How One Line of Code Put Billions of Microsoft Android App Downloads at Risk

A significant security vulnerability has been found in six Microsoft 365 Android applications, including Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote, due to an active debug flag left in the production code. This oversight allowed untrusted apps to request and receive access tokens, compromising user account security. An attacker could exploit this vulnerability by embedding malicious code in a widely distributed app, enabling unauthorized access to sensitive information such as emails, documents, and communications. Microsoft confirmed the issues and issued CVE numbers CVE-2026-41100, -41101, and -41102, releasing patches through their Patch Tuesday mechanism and a specific patched build on the Google Play Store. Users are advised to update their applications to mitigate the risk.

Tech Optimizer

May 27, 2026

WHAT THE TECH? Smartphone anti-virus

Antivirus software is not a necessity for most smartphone users, as the nature of threats has evolved. iPhones isolate apps from the core system, making traditional antivirus scans ineffective; threats mainly come from scams like phishing links and deceptive messages. Android devices allow sideloading, increasing the risk of malware from unofficial sources. The primary dangers for users include phishing texts, fake login pages, scam calls, and social engineering tactics. To enhance security, users should keep their operating systems updated, use strong passwords, enable two-factor authentication, avoid suspicious links, and refrain from installing apps from unknown sources. Antivirus apps may be beneficial in specific situations, such as frequent link clicking or downloading from unfamiliar sites, with reputable options available for added protection against scams and unsafe websites.

Tech Optimizer

May 21, 2026

What the Tech? Antivirus protection for your smartphone

Most users do not require an antivirus app on their smartphones, as the predominant threats are scams such as phishing texts and fraudulent websites rather than traditional viruses. iPhones operate on a design that isolates apps, limiting the effectiveness of antivirus software, while Android devices allow sideloading, which can increase the risk of malware. The real danger lies in deception tactics used by cybercriminals, making personal account security more important than antivirus software. To enhance security, users should keep their operating systems updated, use strong passwords, enable two-factor authentication, avoid suspicious links, and refrain from installing apps from unknown sources. Antivirus apps may be beneficial for users who frequently click on unverified links, download files from unfamiliar sites, or engage in Android sideloading. Reputable security apps focus on scam detection and web protection rather than traditional virus scanning.

AppWizard

May 12, 2026

This devious Android malware has returned disguised as TikTok or streaming apps — and is now using blockchain to remain undetected

Researchers at ThreatFabric have identified a new variant of the TrickMo banking trojan, named TrickMo.C, targeting Android users in Europe since January 2026. TrickMo.C disguises itself as popular applications like TikTok and streaming services, using tactics such as phishing overlays to harvest login credentials and sensitive information. It can log keystrokes, record screens, livestream content, intercept SMS messages, suppress OTP notifications, modify the clipboard, filter notifications, and capture screenshots. The primary targets are in France, Italy, and Austria, allowing unauthorized access to bank accounts and cryptocurrency wallets. TrickMo.C distinguishes itself by using the TON network for communication, which enhances anonymity and complicates detection efforts.

AppWizard

May 12, 2026

TrickMo Android Malware Targets Banking, Wallet, and Authenticator Apps

TrickMo, an Android banking malware, has re-emerged with enhanced stealth and operational capabilities, targeting banking, fintech, wallet, and authenticator apps. It retains its core device takeover abilities while improving stealth, persistence, and flexibility. The malware persuades users to grant accessibility permissions, allowing full remote control, including real-time screen viewing. A significant advancement is its shift to The Open Network (TON) for command-and-control communication, complicating takedown efforts. TrickMo has been actively deployed in France, Italy, and Austria since early 2026, using fake login overlays to capture credentials while recording user activity. It communicates through .adnl endpoints within the TON network and employs DNS-over-HTTPS for encrypted DNS queries. The malware's modular design includes a primary application as a loader and a dynamically loaded APK module called “dex.module” for malicious capabilities. It features network reconnaissance and tunneling capabilities, allowing commands like HTTP probing and establishing SSH tunnels, which can bypass fraud detection systems. Dormant features suggest potential for future capabilities without altering the core application. Indicators of compromise include specific SHA-256 hashes and package names associated with TrickMo's various components.

BetaBeacon

May 9, 2026

7 Addictive Card and Strategy Games Android Users Should Try in 2026

Hearthstone has a Google Play rating of 4.1+ and has been downloaded over 100 million times.

AppWizard

May 5, 2026

FEMITBOT Network Abuses Telegram Mini Apps for Crypto Scams and Android Malware

A fraud network called FEMITBOT has emerged, using Telegram's Mini App feature to conduct investment scams and distribute malware. Identified by the research firm CTM360, the network operates through API responses and presents itself as organized. The scams involve Telegram Mini Apps that display phishing pages, fake dashboards showing fictitious earnings, and urgency tactics to pressure users into making quick decisions. FEMITBOT mimics well-known brands like Apple and Coca-Cola to enhance credibility and disseminates Android malware disguised as legitimate applications. The operation is highly organized, utilizing marketing tools to optimize their scams. Users are warned to be cautious of bots requesting deposits before granting access to funds.

BetaBeacon

May 5, 2026

ScarCruft hackers push BirdCall Android malware via game platform

APT37, also known as ScarCruft and Ricochet Chollima, has developed an Android version of the backdoor BirdCall, which serves as spyware in addition to a backdoor. The malware was delivered through a Chinese website that hosts games for Android, iOS, and Windows, targeting only Android and Windows systems. The Android variant of BirdCall has capabilities such as extracting IP geolocation information, collecting contact lists, call logs, SMS data, device information, taking screenshots, recording audio, and exfiltrating files. Users are advised to download software only from official marketplaces and trusted publisher sites to protect against malware infections.

AppWizard

May 3, 2026

Telegram Mini Apps abused for crypto scams, Android malware delivery

Cybersecurity researchers have identified a fraud operation named FEMITBOT that exploits Telegram’s Mini App feature to conduct various crypto scams, impersonate reputable brands, and distribute Android malware. This operation uses a unique string in API responses and employs Telegram bots with embedded Mini Apps to create convincing app-like experiences. The scams include fraudulent cryptocurrency platforms and financial services, with impersonation of brands like Apple, Coca-Cola, Disney, eBay, IBM, Moon Pay, NVIDIA, and YouKu. The operation utilizes a shared backend infrastructure, allowing multiple phishing domains to use the same API response. Users interacting with the bots are shown phishing pages within Telegram’s WebView, often featuring fake balances and urgency tactics to prompt deposits or referrals. Additionally, some Mini Apps attempt to distribute malware disguised as legitimate Android APKs. Users are advised to be cautious when engaging with Telegram bots related to cryptocurrency investments and to avoid sideloading APK files.