credential theft Archives

AppWizard

July 25, 2025

Fake Indian Banking Apps on Android Steal Login Credentials from Users

A recently discovered malicious Android application poses significant risks by masquerading as legitimate banking apps in India. It facilitates credential theft, conducts surveillance, and executes unauthorized financial transactions. The malware operates on a modular architecture with a dropper and primary payload, employing deceptive user interfaces and silent installation techniques to evade detection. The dropper requests extensive permissions, including ACCESSNETWORKSTATE, REQUESTINSTALLPACKAGES, and QUERYALLPACKAGES, to monitor connectivity, install secondary APKs without user awareness, and profile installed apps. It loads a hidden payload and initiates installation using an INSTALL_NOW flag, bypassing app store scrutiny. The main payload requests additional permissions such as READSMS, SENDSMS, and RECEIVESMS for intercepting one-time passwords (OTPs) and two-factor authentication (2FA) codes. It also requests REQUESTIGNOREBATTERYOPTIMIZATIONS, READPHONESTATE, and READPHONENUMBERS for uninterrupted execution, device fingerprinting, and potential call forwarding abuse. Data exfiltration occurs through Firebase Realtime Database, storing user IDs and intercepted SMS metadata. The malware uses Firebase for command-and-control operations and generates phishing pages resembling authentic banking interfaces. Delivery methods include smishing, email phishing, WhatsApp bots, vishing calls, SEO-poisoned websites, malvertising, Trojanized utilities, QR/NFC attacks, preloaded malware on counterfeit devices, and exploitation of accessibility service vulnerabilities. Indicators of compromise include specific SHA256 hashes for the base payload and main payload.

AppWizard

July 23, 2025

Threat Actors Blend Click Fraud Apps and Malware to Steal Android Credentials

Security researchers at Trustwave SpiderLabs have identified a complex cluster of Android malware that combines click fraud, credential theft, and brand impersonation. This malware exploits the Android Package Kit (APK) file format to distribute malicious applications, often through phishing messages or deceptive websites. Users are tricked into installing these APKs, which are disguised as reputable brands or promotional apps. Once installed, the malware takes advantage of Android's permission model to access sensitive resources, primarily for click fraud and traffic redirection to generate illicit revenue. Some variants engage in data collection and credential harvesting, employing advanced evasion tactics to avoid detection, such as using counterfeit Chrome applications and overlay screens. A notable variant includes a spoofed Facebook app that mimics the official interface and connects to a remote command-and-control server for instructions. The malware uses encryption and encoding to secure data exchanges and employs open-source tools to bypass Android's signature verification. Evidence suggests that the operators may be Chinese-speaking, as indicated by the use of Simplified Chinese in the code and the promotion of related APK campaigns on Chinese-speaking underground forums.

AppWizard

July 22, 2025

Threat Actors Combine Android Malware With Click Fraud Apps to Steal Login Credentials

A new wave of malicious Android Package Kit (APK) files is combining click-fraud advertising and credential theft, primarily affecting regions like Southeast Asia, Latin America, and parts of Europe. These APKs disguise themselves as casual games or clones of legitimate apps, enticing users to sideload them and bypass Google Play’s security measures. Once installed, they request excessive permissions and operate in the foreground to inflate ad impressions while capturing user credentials through convincing login forms. The malware uses a modular configuration system and communicates with an encrypted command-and-control backend. The installation process often begins with social media messages or QR codes leading to spoofed landing pages. The app can embed secondary payloads without invalidating its original signature and minimizes detection by sandboxes. By the time users notice unusual activity, the malware has already exfiltrated ad revenue and credentials.

AppWizard

July 22, 2025

Cybercriminals Merge Android Malware with Click Fraud Apps to Harvest Credentials

Researchers have identified a sophisticated cluster of Android malware that merges brand impersonation with traffic monetization strategies, utilizing Android Package Kit (APK) files to compromise user trust and extract sensitive information. The malware disguises itself as legitimate services and uses social engineering techniques to encourage manual installations. Once installed, it exploits Android's permission model to access device resources and hijack network traffic for advertising fraud. The malware includes various categories such as ad fraud apps, credential stealers, background data harvesters, task reward apps, and gambling apps, each designed to manipulate user interactions and collect sensitive data. Common strategies include redirecting traffic through monetized domains and employing encrypted command-and-control communications. A notable variant is a spoofed Facebook APK that requests extensive permissions and retrieves encrypted configuration files from specific domains. The malware's infrastructure allows it to circumvent Android signature verification and adapt its behavior based on the environment, evading detection. Analysis suggests involvement from Chinese-speaking operators, with connections to underground economies trading stolen data. The campaign combines ad fraud and credential theft, highlighting a dual purpose of monetization and intelligence gathering. Users are advised to limit installations to trusted sources and scrutinize unsolicited APKs to mitigate threats.

Winsage

July 17, 2025

Windows Server 2025 Golden dMSA Attack Enables Authentication Bypass and Password Generation

A design flaw in Microsoft’s Windows Server 2025, known as “Golden dMSA,” allows attackers to bypass authentication and generate passwords for all managed service accounts across enterprise networks. This vulnerability exploits a weakness in delegated Managed Service Accounts (dMSAs), reducing cryptographic protections to a brute-force attack requiring only 1,024 attempts. Discovered by Semperis Security Researcher Adi Malyanker, the attack involves extracting cryptographic material from the Key Distribution Services (KDS) root key, enumerating dMSA accounts, guessing ManagedPasswordId attributes, and generating passwords. The KDS root keys do not expire, potentially granting indefinite access. The vulnerability is classified as moderate risk, requiring possession of a KDS root key, accessible only to privileged accounts. Detection of the attack is challenging, as no security events are logged by default when KDS root keys are compromised. Microsoft acknowledged the vulnerability on May 27, 2025, and stated that the features were not intended to protect against domain controller compromises.

Winsage

July 8, 2025

Silverfort uncovers critical Netlogon flaw affecting Windows domain controllers

A vulnerability identified as “NOTLogon” (CVE-2025-47978) has been discovered in Microsoft Corp.'s Netlogon protocol, allowing low-privilege machines to remotely crash Windows domain controllers, disrupting Active Directory services. This flaw arises from issues in the Network Ticket Logon feature introduced in late 2024, specifically in the NetrLogonSamLogonEx RPC call processing malformed inputs in the AdditionalTicket buffer. An empty or improperly formatted ticket can crash the domain controller’s LSASS process, leading to a system reboot. The vulnerability does not grant elevated privileges or allow credential theft but can cause denial-of-service attacks that halt user logins and restrict access to enterprise systems. The discovery utilized AI-assisted techniques to analyze differences in Netlogon specifications. Organizations are advised to apply the July 2025 security update, audit machine account usage, restrict machine account creation, and segment network access to protect domain controllers.

AppWizard

July 3, 2025

YONO SBI App Vulnerability Enables Man-in-the-Middle Attacks

A security vulnerability (CVE-2025-45080) has been identified in version 1.23.36 of the YONO SBI: Banking & Lifestyle mobile application, which allows unencrypted communications due to the android:usesCleartextTraffic="true" setting in its AndroidManifest.xml file. This misconfiguration exposes sensitive banking information to risks such as eavesdropping, tampering, and man-in-the-middle (MITM) attacks. Security experts recommend setting android:usesCleartextTraffic="false" and enforcing HTTPS for secure communications. Users are advised to avoid using the affected version until a security update is released. The vulnerability was disclosed by security researcher Ishwar Kumar.

Tech Optimizer

June 27, 2025

ClickFix fake error message malware spikes over 500%, takes second place as the most abused attack vector

The ClickFix attack vector has increased by 517% since the latter half of 2024, becoming the second most exploited method for cyberattacks, following phishing. Hackers are using ClickFix to deploy various infostealing malware, including Lumma Stealer, VidarStealer, StealC, and Danabot. The ClickFix mechanism involves a counterfeit reCAPTCHA that misleads users into executing harmful Powershell commands. This method is primarily spread through phishing emails directing users to fraudulent websites. ESET’s Threat Report indicates that SnakeStealer has surpassed Agent Tesla as the most frequently detected infostealer, targeting businesses in the US and EU for credential theft. The ransomware landscape has been disrupted by internal conflicts among groups, with DragonForce launching defacement campaigns against other ransomware entities. On mobile devices, Kaleidoscope infections have caused a 160% increase in Android adware detections, and the SparkKitty malware has been found in both the Apple App Store and Google Play Store. Kaleidoscope generates revenue through intrusive ads while infecting devices with a malicious app from third-party stores.

AppWizard

June 22, 2025

Your favorite apps might betray you, thanks to a new Android trick that fools even smart users

A significant security vulnerability has been discovered in Android's notification system, allowing malicious actors to exploit invisible Unicode characters to open deceptive links without user awareness. Research indicates that this flaw enables attackers to redirect users from seemingly legitimate links, such as "amazon.com," to malicious sites like "zon.com" through the use of zero-width space characters. Major applications including WhatsApp, Telegram, Instagram, Discord, and Slack have been confirmed as vulnerable to this exploit. Attackers can also use this vulnerability to initiate deep links that perform actions like making calls or sending messages without user consent. Traditional antivirus solutions may not detect these threats, as they do not involve conventional malware, highlighting the need for endpoint protection tools that focus on behavioral anomalies. Users are advised to be cautious with notifications and links from unfamiliar sources.

Winsage

June 20, 2025

Microsoft testing physical-to-cloud PC failover

Microsoft has introduced a preview of "Windows 365 Reserve," which offers pre-configured cloud PCs for users when their primary devices are unavailable. The service includes essential Microsoft 365 applications, user-specific security policies, and customizations. Users can access a Cloud PC for up to 10 days per year, with the option to use the time all at once or in shorter sessions. Key features include data synchronization via OneDrive, pre-loaded corporate applications, and management through Microsoft Intune. Enhanced security measures involve disabling certain redirections and implementing virtualization-based security. Additionally, Microsoft is conducting a private preview of Windows 365 Cloud Apps for secure access to individual applications without needing a dedicated Cloud PC. Improvements to Windows 365 Link include a new "Connection Center" for selecting multiple Cloud PCs, enhanced multi-monitor support, and NFC card login capabilities.