counterfeit Archives

AppWizard

June 25, 2025

Minecraft’s New Villains—This Hostile Mob Steals Everything

Cyber criminals are targeting Minecraft's player base, particularly the 65% of players under 21, who are often less aware of cyber threats. A recent report from Check Point reveals a sophisticated malware campaign that embeds malicious software in counterfeit Minecraft mods shared on platforms like GitHub. This malware operates in stages, starting with a Java downloader, followed by a stealer, and an advanced tool to harvest sensitive information such as passwords and cryptocurrency wallet details. The campaign is linked to Russian-speaking attackers and uses a distribution-as-a-service model to spread malicious links. Disguised as legitimate cheat tools, these files install additional malware on users' devices, capturing credentials from browsers and applications, and sending data back to attackers. To protect against these threats, it is advised to download mods only from trusted sources, be skeptical of cheat tools, keep antivirus software updated, and be cautious of offers that seem too good to be true.

AppWizard

June 24, 2025

Is your Android phone safe? ‘Godfather’ malware targets 500 Android apps

Cybersecurity firm Zimperium has reported a new variant of the Godfather malware targeting around 500 Android applications, mainly in banking, cryptocurrency, and e-commerce sectors. This version uses virtual spoofing to create deceptive replicas of the user's phone environment, misleading users and security measures. The malware installs a malicious "host" app that scans for banking applications and downloads counterfeit versions that operate in a concealed virtual space. When users access their banking apps, they interact with these fraudulent versions, which record sensitive information such as PINs, passwords, and two-factor authentication codes. It can also remotely control devices, execute money transfers, and exfiltrate confidential data. Most affected applications are based in Turkey, but the malware has the potential to spread globally.

AppWizard

June 22, 2025

Counterfeit Minecraft mods deliver malware

A series of sophisticated cyberattacks using ACR Stealer-based Amatera Stealer malware have been executed as part of ClearFake web injection campaigns between April and May. These campaigns utilize advanced techniques, including EtherHiding to obscure malicious activities, targeting smart contracts on the Binance Smart Chain for unauthorized access, and ClickFix Exploitation to manipulate user interactions for executing harmful scripts.

AppWizard

June 21, 2025

Godfather Android trojan uses virtualization to hijack banking and crypto apps

Zimperium zLabs has identified a new version of the GodFather Android trojan, which uses on-device virtualization to hijack legitimate banking and cryptocurrency applications. This malware creates a sandbox environment on the victim's device to run actual applications while intercepting user input in real time, allowing for complete account takeovers and bypassing security measures. The current campaign primarily targets Turkish banks. The GodFather malware employs ZIP manipulation and obfuscation techniques to evade detection, concealing its payload within the assets folder and using session-based installation methods. It utilizes accessibility services to monitor user input, automatically grant permissions, and exfiltrate data to a command-and-control (C2) server via Base64-encoded URLs. The trojan leverages open-source tools like Virtualapp and Xposed to execute overlay attacks, virtualizing applications within a host container. It scans for specific banking applications, downloads Google Play components into a concealed virtual space, and creates a deceptive environment to execute genuine banking applications. When users access their legitimate banking apps, GodFather redirects them to counterfeit versions within its virtual space, capturing their interactions. The malware employs advanced hooking techniques tailored to banking applications, intercepting network connections and capturing sensitive information. It can also compromise lock screen credentials by displaying fake overlays. GodFather supports a wide range of commands, allowing attackers to simulate gestures, manipulate screen elements, and steal sensitive data while remaining hidden from users and security tools. The malware targets over 484 popular applications, including banking, cryptocurrency, e-commerce, and social media platforms, with a current focus on a dozen Turkish financial institutions. This discovery marks a significant advancement in mobile malware capabilities compared to previous threats.

AppWizard

June 20, 2025

Godfather Android malware takes over banking apps

A new version of the Android malware Godfather creates isolated virtual environments on mobile devices to steal account details and transactions from banking apps. It targets over 500 banking, cryptocurrency, and e-commerce applications globally, utilizing a fully virtual file system, virtual process IDs, intent spoofing, and a component called StubActivity. Godfather manifests as an APK app with a virtualization framework, scanning for targeted applications and encapsulating them within its virtual environment. It intercepts permissions for accessibility services, redirecting them to a StubActivity that launches the virtual version of the banking app, allowing it to capture sensitive information. The malware can record account details, passwords, and PIN codes using Xposed for API hooking. It employs a fake lock screen overlay to trick users into entering their credentials and can manipulate user interfaces and execute transactions within the legitimate banking app. Godfather first emerged in March 2021 and has evolved significantly since then, with the latest iteration demonstrating advancements from previous versions.

AppWizard

June 19, 2025

GodFather Android Malware Runs Real Apps in a Sandbox to Steal Data

Cybersecurity researchers at Zimperium zLabs have discovered a new variant of the GodFather Android malware that uses on-device virtualization to hijack legitimate mobile applications, primarily targeting banking and cryptocurrency apps. This malware installs a concealed host application that downloads a genuine version of the targeted app within a controlled environment, redirecting users to this manipulated version. It monitors user actions in real time, capturing sensitive information like usernames and passwords. The GodFather malware targets 484 applications globally, with a focus on 12 financial institutions in Turkey. It employs traditional overlay attacks and uses legitimate open-source tools to evade detection. The malware manipulates APK files, relocates malicious code, and utilizes Android’s accessibility services to deceive users into granting permissions. It also encodes critical information to complicate tracking efforts and transmits screen details back to attackers for real-time monitoring.

Tech Optimizer

June 13, 2025

‘BrowserVenom’ Windows Malware Preys on Users Looking to Run DeepSeek AI

A new strain of Windows malware called "BrowserVenom" is exploiting interest in DeepSeek's AI models by targeting users through deceptive Google ads. These ads lead to a counterfeit website, "https[:]//deepseek-platform[.]com," where users are tricked into downloading a harmful file named “AILauncher1.21.exe.” This malware monitors and manipulates internet traffic, allowing attackers to intercept sensitive data. The operation is believed to involve Russian-speaking threat actors, and the malware has infected users in several countries, including Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. The fraudulent domain has been suspended, but the malware can evade many antivirus solutions. Users are advised to verify official domains when downloading software.

AppWizard

June 11, 2025

Experts warn GTA and Minecraft being used to lure in cyberattack victims – here’s how to stay safe

Cybersecurity experts have reported a significant increase in game-themed malware targeting the gaming community, especially younger players. From April 1, 2024, to March 31, 2025, there were over 19 million attempts to download malicious files disguised as popular games, affecting around 400,000 individuals globally. Grand Theft Auto V (GTA V) was the most targeted game, with nearly 4.5 million attack attempts, followed by Minecraft with 4.1 million, Call of Duty (CoD) with 2.6 million, and The Sims with 2.4 million. Cybercriminals exploit established games and lure victims with fake offers, often leading to infostealers, cryptocurrency hijackers, backdoors, and Trojans. Kaspersky advises gamers to avoid pirated content and be cautious of suspicious offers.

AppWizard

June 8, 2025

These apps tricked Google to list them in the Play Store and you must delete them from your phone

The Google Play Store has been infiltrated by deceptive applications that are part of a phishing campaign, as revealed by an investigation by Cyble. These applications mimic legitimate digital wallets, including names like SushiSwap, PancakeSwap, Hyperliquid, and Raydium, and have utilized over 50 domains to evade detection. The primary threat involves the extraction of users' mnemonic phrases, which are critical for accessing cryptocurrency and tokens. Users are advised to uninstall nine specific apps identified by Cyble: Pancake Swap, Suite Wallet, Hyperliquid, Raydium, BullX Crypto, OpenOcean Exchange, Meteora Exchange, SushiSwap, and Harvest Finance Blog, to protect their digital assets. Although many of these malicious apps have been removed from the Play Store, the risk persists for those who still have them installed.

Tech Optimizer

June 5, 2025

Fake DocuSign and Gitcode sites are tricking victims into downloading malware – here’s what you need to know

Researchers at DomainTools Investigations (DTI) have identified counterfeit websites mimicking platforms like DocuSign and Gitcode, designed to lure users into downloading malware, specifically a remote access trojan (RAT). These fraudulent sites use tactics such as fake CAPTCHA prompts to enhance credibility and prompt users to download malicious software disguised as necessary updates. The operation employs a multi-stage downloader PowerShell script, reminiscent of older scams that alarmed users with popups about virus infections. Users are advised to be cautious with unfamiliar websites and verify the authenticity of download prompts.