A new type of malware has emerged that targets smartphone users by inflating phone bills through unauthorized carrier subscriptions. Discovered by cybersecurity firm Zimperium, this operation involves nearly 250 counterfeit Android applications that impersonate popular apps like TikTok and Instagram. Once installed, the malware uses techniques such as JavaScript injection and SIM card access to enroll users in fictitious premium services without their knowledge. The scam has primarily affected users in Malaysia, Romania, Thailand, and Croatia, with Malaysia accounting for 85% of the victims. Google has confirmed that these malicious apps are not available on the Play Store and that users are protected by Google Play Protect. Despite a peak in activity in September 2025, parts of the scam's infrastructure remain operational, with the last recorded activity in January 2026. Users are advised to follow basic mobile security practices to protect their personal data.
Most individuals do not require antivirus apps on their smartphones, as the primary threats are scams rather than traditional viruses. iPhones use app isolation, making conventional antivirus scans ineffective; threats include phishing texts and fraudulent websites. Android phones allow sideloading, increasing the risk of malware from unofficial sources. The main dangers are deceptive tactics like phishing, scam calls, and social engineering. To enhance security, users should keep their operating systems updated, use strong passwords, enable two-factor authentication, avoid suspicious links, and refrain from installing apps from unknown sources. Antivirus apps may be beneficial for users who frequently click unverified links, download files from unfamiliar sites, or engage in Android sideloading. Reputable security apps focus on scam detection and account safety rather than traditional virus scanning.
Most smartphone users do not require antivirus applications, as the primary threats are scams rather than traditional viruses. iPhones have a secure operating system that limits antivirus functionality, focusing on scams like deceptive texts and phishing links. Android devices allow sideloading, increasing the risk of malware from unofficial sources. Best practices for smartphone safety include downloading apps from official stores, using trusted developers, avoiding dubious links, keeping the operating system updated, using strong passwords, enabling two-factor authentication, and refraining from installing apps from unknown sources. Antivirus apps may be beneficial for users who frequently click on links, download files from unfamiliar websites, install many applications, engage in Android sideloading, or seek additional protection against scams. Reputable security apps prioritize scam detection and unsafe website identification over traditional virus scanning.
Zimperium identified a sophisticated malware campaign built on nearly 250 malicious Android applications posing as popular games and social media platforms. The malware enrolled users in premium subscription services without consent, using techniques like JavaScript injection and interception of one-time passwords. The campaign primarily targeted users in Malaysia, Romania, Thailand, and Croatia, and the malware was capable of reading SIM card data and activating only for specific mobile carriers. Zimperium first detected the scam in March 2025 and monitored it until at least January 2026. Google stated that none of the malicious applications were available on its app store and emphasized that Android users are protected by Google Play Protect. The operators deployed three malware variants: the first used an automated subscription engine, the second targeted users in Thailand with premium SMS messages, and the third combined SMS fraud with real-time notifications to attackers via Telegram. The campaign primarily affected Malaysian SIM card users, with significant activity also in Thailand and Romania. Despite the campaign's last known activity in January, parts of its infrastructure remain operational. The attacks highlight weaknesses in application security and the difficulty of policing app downloads from third-party marketplaces.
Two Windows zero-day vulnerabilities, YellowKey and GreenPlasma, have been identified. YellowKey targets the Windows Recovery Environment (WinRE) on Windows 11 and Windows Server 2025, allowing attackers with physical access to bypass BitLocker protections using a USB device. GreenPlasma affects Windows 10, Windows 11, and Windows Server environments with active Collaborative Translation Framework Monitor (CTFMON) sessions, enabling local privilege escalation from a standard user account to SYSTEM-level privileges. Both vulnerabilities require either physical or local access to exploit. Microsoft has not yet released patches for these vulnerabilities, prompting organizations to enhance their security measures and operational resilience. Recommendations include reassessing physical security, limiting local administrative access, and implementing multifactor authentication and robust credential management practices.
Microsoft has identified two significant vulnerabilities in Windows Defender, specifically related to the Malware Protection Engine, which could allow denial-of-service attacks. These vulnerabilities could destabilize the security mechanism of Windows. Microsoft has released patches in versions 1.1.26040.8 and 4.18.26040.7 of the Malware Protection Engine to address these issues. Users with automatic updates enabled will receive these patches without further action, but it is recommended that users manually check for updates in the Windows Security settings. There is currently no evidence that these vulnerabilities have been exploited in real-world scenarios.
BitLocker, a security feature for data protection, has a vulnerability identified as CVE-2026-45585, also known as YellowKey, which allows unauthorized access to encrypted data on Windows 11 versions 24H2, 25H2, 26H1, and Windows Server 2025. This flaw does not compromise BitLocker’s encryption but affects the recovery environment supporting it. The vulnerability can be exploited locally through the Windows Recovery Environment (WinRE) by an attacker with physical access, who can trigger an unrestricted shell and access the BitLocker-protected volume.
Microsoft has provided two mitigation strategies: modifying the WinRE image to remove the autofstx.exe entry and transitioning from TPM-only protection to a TPM+PIN requirement at startup. The exploit poses challenges for detection, as it occurs pre-boot and currently lacks vendor-published indicators of compromise. Organizations using BitLocker for unattended devices are particularly at risk, as the vulnerability can lead to loss of confidentiality if an attacker gains access before the legitimate user.
Drupal has issued critical security updates for a vulnerability in Drupal Core, identified as CVE-2026-9082, which affects sites using PostgreSQL databases. The flaw allows unauthenticated attackers to inject arbitrary SQL, with potential consequences including sensitive information disclosure, privilege escalation, and remote code execution. The vulnerability is rated 20 out of 25 by Drupal and 6.5 out of 10 by CVE.org. It specifically impacts the database abstraction API, which fails to properly sanitize queries. The fixed versions are 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10, with best-effort patches available for the unsupported 9.5 and 8.9 branches. Organizations are advised to inventory their Drupal installations, verify whether they use PostgreSQL, and prioritize patching for public-facing sites.
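The inventory step above can be automated. The following is an added example, not Drupal's code or part of the advisory: it reads the core version from core/lib/Drupal.php and the database driver from sites/default/settings.php and compares the version with the fixed releases listed above. The branch-to-fixed-release map is my reading of that version list, and the sample file contents are constructed.

```python
"""Inventory check for the Drupal core PostgreSQL SQL injection fix (added example).
Reads Drupal::VERSION from core/lib/Drupal.php and the default database driver
from sites/default/settings.php, then reports whether the install needs the
update. Sample file contents below are constructed for illustration.
"""
import re
from typing import Optional, Tuple

# First fixed release on each supported minor branch, as listed in the advisory.
FIXED = {
    "11.3": (11, 3, 10), "11.2": (11, 2, 12), "11.1": (11, 1, 10),
    "10.6": (10, 6, 9), "10.5": (10, 5, 10), "10.4": (10, 4, 10),
}

def parse_version(drupal_php: str) -> Tuple[int, int, int]:
    """Extract the numeric Drupal::VERSION constant (e.g. '10.5.9')."""
    m = re.search(r"const VERSION = '(\d+)\.(\d+)\.(\d+)", drupal_php)
    if not m:
        raise ValueError("Drupal::VERSION not found in core/lib/Drupal.php")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))

def parse_driver(settings_php: str) -> Optional[str]:
    """Return the first 'driver' => '...' value in settings.php (default connection)."""
    m = re.search(r"'driver'\s*=>\s*'(\w+)'", settings_php)
    return m.group(1) if m else None

def assess(version: Tuple[int, int, int], driver: Optional[str]) -> str:
    """Classify an install as not-affected, patched, vulnerable or unsupported."""
    if driver != "pgsql":
        return "not-affected"   # the flaw is specific to PostgreSQL-backed sites
    fixed = FIXED.get(f"{version[0]}.{version[1]}")
    if fixed is None:
        return "unsupported"    # no fixed release listed for this branch; review manually
    return "patched" if version >= fixed else "vulnerable"

def assess_install(drupal_php: str, settings_php: str) -> str:
    """Combine both file reads into one verdict for a single site."""
    return assess(parse_version(drupal_php), parse_driver(settings_php))

# Constructed sample files: a 10.5.9 site on PostgreSQL (one patch release behind).
SAMPLE_DRUPAL_PHP = "class Drupal {\n  const VERSION = '10.5.9';\n}\n"
SAMPLE_SETTINGS_PHP = (
    "$databases['default']['default'] = [\n"
    "  'database' => 'drupal',\n  'driver' => 'pgsql',\n];\n"
)

if __name__ == "__main__":
    print(assess_install(SAMPLE_DRUPAL_PHP, SAMPLE_SETTINGS_PHP))  # vulnerable
```

Point the two reads at each site's real files (for example under a fleet-wide loop) and treat "unsupported" as a manual follow-up, since the 9.5 and 8.9 branches only have best-effort patches.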
Microsoft's Digital Crimes Unit has filed a lawsuit against Fox Tempest, a criminal enterprise selling fraudulently signed malware to ransomware groups, affecting hospitals, schools, and critical infrastructure in ten countries. The lawsuit was filed on May 19 in the U.S. District Court for the Southern District of New York. Fox Tempest created a portal at signspace[.]cloud, offering a user-friendly interface for uploading malicious files and generating over 580 fraudulent Microsoft accounts to bypass identity verification. The group provided pre-configured virtual machines for customers to upload malicious payloads in exchange for signed binaries.
Fox Tempest's operations were linked to a ransomware attack chain involving a counterfeit Microsoft Teams installer that deployed the Rhysida ransomware. This ransomware strain has caused significant breaches, including an October 2023 attack on the British Library, which resulted in a data exfiltration of about 600GB and recovery costs of £6 to £7 million, and a September 2024 attack on Seattle-Tacoma International Airport with a ransom demand of .8 million.
Microsoft's civil litigation approach allowed for a quicker legal process, leading to the seizure of the signspace[.]cloud domain and the suspension of around 1,000 Fox Tempest accounts. Despite these actions, Fox Tempest has begun shifting to alternative code-signing services, highlighting the evolving nature of cybercrime and the need for users to verify software through independent channels. The confirmed targets of Fox Tempest included organizations in the United States, France, India, China, Brazil, Germany, Japan, the United Kingdom, Italy, and Spain.