data theft Archives

AppWizard

April 21, 2026

NGate Android malware uses HandyPay NFC app to steal card data

A new variant of the NGate malware targets Android users by disguising itself within a trojanized version of the HandyPay app, which is a legitimate mobile payment processing application. This malware, documented since mid-2024, siphons payment card information through the mobile device's near-field communication (NFC) chip and sends the stolen data directly to attackers, who create virtual cards for unauthorized purchases or cash withdrawals from NFC-enabled ATMs. The new variant has been injected with malicious code into the HandyPay app, which has been available on Google Play since 2021. The code includes emojis, indicating the possible use of a generative AI tool in its development. The shift from previous iterations, which used an open-source tool named NFCGate, to HandyPay is likely motivated by financial considerations and the need for evasion, as HandyPay is more affordable and requires fewer permissions. This NGate variant has been active since November 2025, primarily targeting Android devices in Brazil. It employs two main distribution methods: a counterfeit app named “Proteção Cartão” hosted on a fraudulent Google Play page and a fake lottery website that redirects users to WhatsApp to download the malicious APK. Upon installation, the app prompts users to set it as their default NFC payment application, requests their card PIN, and instructs them to tap their card on the phone for reading, transmitting all collected information to an attacker's email address. To protect against such threats, Android users are advised to avoid downloading APKs from outside Google Play, disable NFC when not in use, and use Play Protect to scan for threats.

Winsage

April 9, 2026

This fake Windows support website delivers password-stealing malware

A phishing campaign has been identified that uses a counterfeit Microsoft support website, microsoft-update[.]support, to trick users into downloading a malicious Windows update disguised as WindowsUpdate 1.0.0.msi. This file, created on April 4, 2026, appears legitimate but contains malware designed to steal sensitive information. The campaign targets French-speaking users, leveraging recent data breaches in France to create convincing scams. The malware, once executed, installs an Electron application that runs a Python interpreter, which then deploys various data theft tools. It employs two persistence mechanisms: modifying the Windows registry and creating a shortcut in the Startup folder. The malware connects to external sites for reconnaissance and data exfiltration, using domains like datawebsync-lvmv.onrender[.]com and store8.gofile[.]io. The malware's components have evaded detection by antivirus tools, with VirusTotal reporting zero detections for the main executable and its launcher. Users are advised to check their registry, remove suspicious files, change passwords, and run a full system scan if they suspect installation of the malicious update. Safe updating practices include using the built-in Windows update feature and being cautious of phishing attempts. Indicators of compromise include specific file hashes, domains associated with the phishing campaign, and file system artifacts related to the malware's installation.

AppWizard

April 1, 2026

‘NoVoice’ Android malware on Google Play infected 2.3 million devices

A new Android malware called NoVoice has been found in over 50 applications on Google Play, with more than 2.3 million downloads. The malware targets older Android versions, specifically those patched between 2016 and 2021, and attempts to gain root access by exploiting vulnerabilities. It conceals malicious components within the com.facebook.utils package and uses steganography to hide an encrypted payload within a PNG image file. NoVoice avoids infecting devices in certain regions and has checks to detect emulators and VPNs. Once activated, the malware contacts its command-and-control server to gather device information and polls it every 60 seconds for tailored exploits aimed at rooting the device. It can exploit 22 vulnerabilities, including kernel bugs, and establishes persistence by replacing key system libraries and installing recovery scripts. The malware injects code into applications, particularly targeting WhatsApp to extract sensitive data for session replication, which is then exfiltrated to the C2 server. The malicious apps containing NoVoice have been removed from Google Play, but users who installed them should consider their devices compromised. Upgrading to devices with later security patches is recommended to mitigate the threat.

AppWizard

March 20, 2026

Google eases Android app sideloading rules after

Google is implementing a policy change to allow easier installation of Android applications from sources outside its Play Store, following an antitrust settlement. This includes an "advanced flow" option that lets users bypass mandatory app verification safeguards through a structured process. The changes aim to balance user choice with protections against scams and malware risks. Previously, Google required all Android applications to be registered by verified developers to mitigate risks like malware and fraud. The new process requires users to enable developer mode, restart their devices, and undergo a waiting period of up to 24 hours before verifying their identity with biometrics or a PIN to install apps from unverified developers. Users can install these apps temporarily for up to seven days or indefinitely, with ongoing warning prompts. Additionally, Google is offering free, limited app distribution accounts for students and hobbyists to share apps without full developer verification.

AppWizard

March 19, 2026

New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data

Cybersecurity researchers have identified a new family of Android malware called Perseus, designed for device takeovers and financial fraud. It utilizes Accessibility-based remote sessions for real-time monitoring and interaction with infected devices, particularly targeting Turkey and Italy. Perseus monitors user notes to extract personal or financial information and is distributed through dropper applications via phishing websites. It expands on the codebase of previous malware like Phoenix and employs disguises as IPTV services to reduce user suspicion. Once operational, it performs overlay attacks and captures keystrokes to steal credentials from financial applications. The malware allows operators to issue commands through a command-and-control panel, enabling various malicious actions, including capturing note content and initiating remote visual streams. Perseus also conducts environment checks to evade detection and ensure it operates on legitimate devices.

Tech Optimizer

March 19, 2026

Top Antivirus Software Options for MacBook Users

Cybersecurity experts warn that MacBooks are becoming increasingly vulnerable to cyber threats, making the installation of robust antivirus software essential for protecting personal and financial data. Leading antivirus solutions for MacBooks include: - Bitdefender: Highly rated for security performance, includes a VPN, and offers protection across multiple devices. - Norton: Known for its dedicated malware research lab, offers features like phishing detection and a firewall, and ranks second-best for Mac antivirus. - Malwarebytes: User-friendly with strong malware removal capabilities, ranks second to Bitdefender, and offers a 14-day free trial. - Intego Mac Internet Security X9: Easy to use with comprehensive features including a firewall and parental controls. - ClamXAV: An open-source option that allows customization and provides multiple levels of protection at a low cost. Apple's built-in security features are less effective against sophisticated threats like ransomware, leaving users without antivirus protection at higher risk for attacks and financial losses. Cybersecurity threats targeting macOS are increasing, emphasizing the need for dedicated antivirus solutions.

AppWizard

March 12, 2026

Fake Red Alert app used in Android spyware smishing

Acronis' Threat Research Unit has discovered a targeted campaign against Android users involving a counterfeit version of Israel's Red Alert rocket warning app that distributes spyware. The malicious software is spread through SMS messages that appear to be official communications from the Home Front Command, prompting users to download an "update." The fraudulent app mimics the legitimate safety tool, maintaining its rocket alert functionality to avoid detection. Once installed, the spyware collects sensitive data such as SMS messages, contacts, location information, device accounts, and a list of installed applications. This tactic, termed "smishing," combines SMS and phishing techniques. The malware uses sophisticated methods like certificate spoofing and runtime manipulation to bypass Android's signature checks, and it consists of a loader and a secondary component that executes the real alert application while the spyware operates in the background. The spyware monitors user permissions and can harvest SMS messages, contacts, and location data, adjusting its behavior based on the user's geographical position. It sends collected data to a remote command-and-control server, with the exfiltration endpoint identified as ra-backup[.]com. Acronis suggests this campaign may be linked to the group Arid Viper (APT-C-23), known for targeting Israeli interests with trojanized Android applications. Researchers recommend users only download apps from official sources, avoid sideloading packages from SMS links, and review app permissions carefully. They advise checking for the package name com.red.alertx on devices and performing a factory reset if found, along with changing credentials for any accessed accounts.

Tech Optimizer

February 25, 2026

Effective ways to prevent the download of malicious code

Malware is malicious software designed to disrupt normal system operations, often infiltrating devices through activities like web browsing or opening documents. In 2023, SonicWall Capture Labs reported over 6 billion malware attacks, an 11% increase from the previous year. Common types of malware include viruses, worms, Trojans, spyware, adware, ransomware, fileless malware, and bots. Malware spreads through email attachments, phishing links, compromised websites, fake apps, and removable media. Its effects can include performance issues, data theft, and financial damage. Signs of malware presence include sluggish performance, unexpected crashes, and unauthorized changes. Recommended actions if malware is suspected include disconnecting the device, running a malware scan, and changing passwords. Preventative measures include using security software, practicing safe browsing, keeping software updated, and building security awareness.

AppWizard

February 22, 2026

Google Blocks Millions of Risky Android Apps: Biggest Play Store Cleanup Yet

Google blocked approximately 1.75 million dangerous or policy-violating apps from reaching users in 2025 and shut down over 80,000 developer accounts associated with fraud, malware, and repeated policy violations. Play Protect identified millions of risky apps installed from external sources, and it scans apps in real-time, even after installation. Key reasons for app rejections include malware behavior, financial fraud, misuse of permissions, and deceptive advertisements. The crackdown results in safer app downloads, reduced risk of data theft, improved privacy enforcement, and lower exposure to counterfeit applications.

Tech Optimizer

February 18, 2026

Fake Antivirus Program Threatens Android Phones and Steals Data – Jordan News | Latest News from Jordan, MENA

Cybersecurity experts have identified a malicious campaign targeting Android users through a counterfeit antivirus application called TrustBastion. This app serves as a vehicle for distributing malware that steals personal and banking information and provides attackers with remote access to infected devices. TrustBastion has been found on Hugging Face, complicating detection for users. The app masquerades as a legitimate security tool, prompting users to install a “necessary update” that contains malicious code. Once activated, the malware captures screenshots, displays fake login pages for financial services, and records sensitive information, which is sent to the hackers' servers. Attackers frequently re-upload modified versions of the app, maintaining its harmful functionality. Users are advised to download apps only from official stores, review ratings, and avoid untrusted APK files. Installing reputable antivirus solutions and activating Google Play Protect is recommended for enhanced security.