browser applications

AppWizard
October 14, 2025
Recent findings reveal a vulnerability in Android devices from Google and Samsung that allows a sophisticated side-channel attack known as Pixnapping, enabling malicious actors to extract sensitive information such as two-factor authentication (2FA) codes and Google Maps timelines without user awareness. Pixnapping is a pixel-stealing framework that targets Android devices, circumventing browser protections and accessing data from non-browser applications like Google Authenticator. The attack exploits Android APIs and a hardware side-channel, allowing a malicious app to capture 2FA codes quickly. The study focused on devices running Android versions 13 to 16, with uncertainty regarding vulnerabilities in devices from other manufacturers. The attack can be executed by any Android app without special permissions, relying on user installation of the malicious app. It combines a previously disclosed vulnerability (GPU.zip) with Android's window blur API to leak rendering data. The attack manipulates the rendering pipeline to steal pixels from target apps. Three critical factors contribute to Android's susceptibility: the ability to send another app's activities to the rendering pipeline via intents, induce graphical operations on another app's pixels, and measure pixel color-dependent side effects from these operations. Google is tracking this issue as CVE-2025-48561, with a CVSS score of 5.5. Patches were released in the September 2025 Android Security Bulletin, but a workaround may re-enable Pixnapping. The vulnerability also allows attackers to determine installed applications on a device, bypassing restrictions from Android 11. Google has categorized this app list bypass as "won't fix."
Tech Optimizer
August 24, 2025
A new strain of Android malware, named 'Android.Backdoor.916.origin,' has emerged from Russia's Federal Security Service (FSB) and targets executives in Russian businesses. Identified by Dr. Web, this malware is a standalone entity with no ties to previous malware families. It has capabilities including monitoring conversations, streaming video from the camera, logging user input, and exfiltrating data from messaging applications. Since its detection in January 2025, it has shown multiple iterations, indicating ongoing enhancements. The malware is specifically designed for Russian enterprises, using the Russian language in its interface and employing branding efforts that impersonate the Central Bank of Russia and the FSB. The malware masquerades as an antivirus tool but lacks protective features, simulating scans that yield false positives. It requests high-risk permissions such as geo-location access, SMS and media file access, and camera and audio recording capabilities. Once installed, it can exfiltrate SMS messages, contacts, call history, geo-location data, and stored images; activate the microphone and camera; capture text input from messaging and browser applications; and execute shell commands. It can switch between 15 different hosting providers, indicating resilience and adaptability. Dr. Web has made the complete indicators of compromise related to this malware available on their GitHub repository.
AppWizard
July 23, 2025
Security researchers at Trustwave SpiderLabs have identified a complex cluster of Android malware that combines click fraud, credential theft, and brand impersonation. This malware exploits the Android Package Kit (APK) file format to distribute malicious applications, often through phishing messages or deceptive websites. Users are tricked into installing these APKs, which are disguised as reputable brands or promotional apps. Once installed, the malware takes advantage of Android's permission model to access sensitive resources, primarily for click fraud and traffic redirection to generate illicit revenue. Some variants engage in data collection and credential harvesting, employing advanced evasion tactics to avoid detection, such as using counterfeit Chrome applications and overlay screens. A notable variant includes a spoofed Facebook app that mimics the official interface and connects to a remote command-and-control server for instructions. The malware uses encryption and encoding to secure data exchanges and employs open-source tools to bypass Android's signature verification. Evidence suggests that the operators may be Chinese-speaking, as indicated by the use of Simplified Chinese in the code and the promotion of related APK campaigns on Chinese-speaking underground forums.
AppWizard
May 21, 2025
Google has announced that video and browser applications will soon be available on Android Auto, enhancing the platform for users. Video apps will initially be accessible for devices running Android 16 in select compatible vehicles, but only when the vehicle is parked. Browser applications are still in beta and details are limited, with a promise that they are "coming soon."