banking applications Archives

AppWizard

July 9, 2025

Dangerous Android malware targets US banking apps – 50,000 people already affected, make sure you’re not next

A PDF reader app for Android, 'Document Viewer – File Reader', has been found to contain a banking trojan called Anatsa, introduced through a patch six weeks after its release. The app, published by 'Hybrid Cars Simulator, Drift & Racing', has over 50,000 downloads and specifically targets North American banking applications. Security researchers have noted a history of similar threats, with previous trojanized apps having significant download numbers. The Anatsa trojan scans for North American banking apps and overlays a deceptive interface to steal user credentials. Google has removed the app from the Play Store and advises users to uninstall it, conduct a system scan, and reset banking credentials. Google Play Protect provides automatic protection against malicious apps.

AppWizard

July 9, 2025

Android malware Anatsa infiltrates Google Play to target US banks

The Anatsa banking trojan has reappeared on Google Play as a PDF viewer app, accumulating over 50,000 downloads. It activates upon installation, targeting North American banking applications by presenting an overlay that allows unauthorized access, keylogging, and transaction automation. Researchers from Threat Fabric discovered that the app displays a fake notification about banking system maintenance to mask its activities. Anatsa has a history of infiltrating Google Play through various trojanized applications, with previous campaigns resulting in 300,000 downloads in November 2021, 30,000 in June 2023, and 150,000 in February 2024. In May 2024, Zscaler reported two new Anatsa applications on Google Play, achieving 70,000 downloads. The specific app identified is ‘Document Viewer – File Reader,’ published by ‘Hybrid Cars Simulator, Drift & Racing,’ which maintains a “clean” appearance until it builds a user base, after which malicious code is introduced via an update. Anatsa connects to a command-and-control server to monitor targeted applications. Google has removed the malicious app, advising users to uninstall it, scan their devices, and reset banking credentials. Users are encouraged to download apps only from reputable publishers and be cautious with permissions and reviews. Google Play Protect automatically protects users from known malicious apps.

AppWizard

July 8, 2025

Qwizzserial Android Malware Poses as Legit Apps to Steal Banking Info and Bypass 2FA via SMS Interception

A newly identified Android malware family, Qwizzserial, has emerged as a significant threat in Uzbekistan, disguising itself as legitimate financial and government applications. It spreads primarily through Telegram, using deceptive channels to impersonate authorities and financial institutions, luring victims with offers of financial assistance. Upon installation, Qwizzserial requests permissions related to SMS and phone state, prompting users to input sensitive information such as phone numbers and bank card details, which it exfiltrates via the Telegram Bot API or HTTP POST requests. The malware intercepts incoming SMS messages, including one-time passwords (OTPs) for two-factor authentication, and can extract financial information from messages. Analysts from Group-IB have tracked around 100,000 infections linked to Qwizzserial, with confirmed financial losses exceeding ,000,000 within three months. The malware's infection pattern follows a Pareto distribution, with a small subset of samples causing the majority of infections, particularly those impersonating financial institutions. Security solutions have developed detection rules for Qwizzserial, and organizations are encouraged to implement user education and monitoring to mitigate risks. End-users are advised against installing applications from untrusted sources and to scrutinize app permissions. Indicators of Compromise (IOC) include specific C2 domains and file hashes for both example and latest samples of Qwizzserial.

AppWizard

July 3, 2025

Fake Apps, AI Scams Drive 151% Android Malware Spike, Smishing Grows 692%, Spyware Quadruples

Android malware has surged by 151% since the beginning of the year, with a notable 147% increase in spyware in 2025. Spyware activity peaked in February and March, reaching nearly four times the baseline. Smishing attacks via SMS increased by 692% between April and May. Banking trojans and spyware are increasingly hidden in seemingly legitimate applications, such as fake loan services. Over 30% of Android devices run outdated software lacking security patches, exposing users to vulnerabilities. Cybercriminals are developing interconnected operations that target sensitive user data. Google Play Protect is not fully effective, and users are advised to download apps only from official sources, review app permissions, deny unnecessary notification access, keep software updated, and use trusted mobile security apps.

AppWizard

June 29, 2025

Hackers Spying on Android Phones in Real Time, Targeting 500+ Bank, Crypto and Payment Apps To Steal Sensitive Data: Cybersecurity Firm

A new version of banking malware is targeting Android devices, allowing cybercriminals to capture login credentials and manipulate banking applications in real time. This malware uses an advanced virtualization technique to hijack legitimate banking apps by installing a malicious host application that creates a controlled sandbox environment for the targeted app. Users are redirected to this virtualized instance, where their actions are monitored and manipulated, enabling the interception of sensitive information. The malware targets nearly 500 financial applications globally, including major banks in North America, the UK, Canada, and Europe, as well as cryptocurrency wallets and digital payment platforms.

AppWizard

June 27, 2025

Your Android phone is getting a big security upgrade for free

Google has introduced various security features for Android users to protect against scams and malware. Key enhancements include: 1. Protection against scam calls with warnings and blocking actions related to disabling Google Play Protect, sideloading apps, and granting accessibility permissions. Screen sharing reminders will be provided on devices running Android 6 or higher. 2. In-call protections for banking apps, alerting users to potential risks when sharing screens with unknown callers, available for participating banks on devices running Android 11 or higher. 3. Improved scam detection in Google Messages, targeting various types of scams, including job scams, cryptocurrency scams, and technical support scams. 4. The Key Verifier tool for verifying contact identities through public encryption keys, ensuring private conversations. 5. Enhanced mobile theft protection with the Identity Check tool expanding to more devices running Android 16, reinforced protections against unauthorized factory resets, and hidden one-time passwords on the lock screen. 6. An Advanced Protection Program for targeted attacks, cryptographically verifying login operations on devices running Android 16. 7. Improvements to Google Play Protect, utilizing new on-device rules for malware detection and providing warnings about potentially malicious apps. 8. Ongoing commitment to enhancing overall Android security with each new version and updates to Google Play services.

AppWizard

June 24, 2025

Is your Android phone safe? ‘Godfather’ malware targets 500 Android apps

Cybersecurity firm Zimperium has reported a new variant of the Godfather malware targeting around 500 Android applications, mainly in banking, cryptocurrency, and e-commerce sectors. This version uses virtual spoofing to create deceptive replicas of the user's phone environment, misleading users and security measures. The malware installs a malicious "host" app that scans for banking applications and downloads counterfeit versions that operate in a concealed virtual space. When users access their banking apps, they interact with these fraudulent versions, which record sensitive information such as PINs, passwords, and two-factor authentication codes. It can also remotely control devices, execute money transfers, and exfiltrate confidential data. Most affected applications are based in Turkey, but the malware has the potential to spread globally.

Winsage

June 24, 2025

After about a bazillion user requests, Windows finally lets you move the audio volume pop-up

Microsoft has released Windows 11 Insider Preview Build 26120.4452, allowing users to reposition the audio volume pop-up and customize the placement of hardware indicators like brightness and volume. The update enhances the Recall feature with a personalized homepage for quick access to recent activities and frequently used applications and websites. Users can manage which applications are captured by Recall, excluding sensitive apps. The update also fixes a glitch with the startup sound and improves File Explorer functionality.

AppWizard

June 21, 2025

Godfather Android trojan uses virtualization to hijack banking and crypto apps

Zimperium zLabs has identified a new version of the GodFather Android trojan, which uses on-device virtualization to hijack legitimate banking and cryptocurrency applications. This malware creates a sandbox environment on the victim's device to run actual applications while intercepting user input in real time, allowing for complete account takeovers and bypassing security measures. The current campaign primarily targets Turkish banks. The GodFather malware employs ZIP manipulation and obfuscation techniques to evade detection, concealing its payload within the assets folder and using session-based installation methods. It utilizes accessibility services to monitor user input, automatically grant permissions, and exfiltrate data to a command-and-control (C2) server via Base64-encoded URLs. The trojan leverages open-source tools like Virtualapp and Xposed to execute overlay attacks, virtualizing applications within a host container. It scans for specific banking applications, downloads Google Play components into a concealed virtual space, and creates a deceptive environment to execute genuine banking applications. When users access their legitimate banking apps, GodFather redirects them to counterfeit versions within its virtual space, capturing their interactions. The malware employs advanced hooking techniques tailored to banking applications, intercepting network connections and capturing sensitive information. It can also compromise lock screen credentials by displaying fake overlays. GodFather supports a wide range of commands, allowing attackers to simulate gestures, manipulate screen elements, and steal sensitive data while remaining hidden from users and security tools. The malware targets over 484 popular applications, including banking, cryptocurrency, e-commerce, and social media platforms, with a current focus on a dozen Turkish financial institutions. This discovery marks a significant advancement in mobile malware capabilities compared to previous threats.

AppWizard

June 20, 2025

‘Godfather’ Malware Is Now Hijacking Banking Apps on Android

The latest version of the "Godfather" malware targets Android devices, capable of hijacking legitimate banking applications and complicating detection. Initially detected in 2021, it used screen overlay attacks to trick users into entering sensitive information. The new iteration introduces a virtualization capability, creating a virtual environment on the device that allows it to intercept and manipulate user interactions with banking apps. This malware can harvest account credentials and exert remote control over the device, enabling unauthorized transactions. Currently, it affects nearly 500 applications, primarily targeting banks in Turkey, with potential for global spread. Users are advised to download apps only from trusted sources, modify permission settings, enable Google Play Protect, keep devices updated, and audit installed applications to protect against this threat.