data theft Archives

AppWizard

July 8, 2025

Google could soon protect your Android device from dangerous PWAs and WebAPKs (APK teardown)

Google is planning to enhance its Play Protect service by potentially adding scanning capabilities for Progressive Web Apps (PWAs) and WebAPKs during installation to improve user security against malicious threats. Recent code discoveries indicate that Google intends to enable verification for PWAs, as suggested by a code snippet found in the Google Play Store version 46.9.20-31. PWAs can be installed on devices through an "Add to Home screen" option, and when done via Chrome on Android, they receive a WebAPK, which integrates them more deeply into the Android ecosystem. Code snippets hinting at WebAPK scanning have also been uncovered, indicating a response to reports of malicious use of PWAs and WebAPKs for phishing schemes. However, the implementation of these scanning features has not been officially announced, and their availability remains uncertain.

AppWizard

July 7, 2025

Qwizzserial Android Malware Masquerades as Legit Apps to Steal Banking Data and Intercept 2FA SMS

A new Android malware family named Qwizzserial has emerged, primarily affecting users in Uzbekistan. Identified by Group-IB in March 2024, it functions as an SMS stealer that intercepts two-factor authentication codes and banking information. The malware disguises itself as legitimate applications and spreads through deceptive messages on Telegram, leading to approximately 100,000 infections from around 1,200 samples. Qwizzserial employs social engineering tactics, such as enticing file names and fake Telegram channels, to lure victims. Once installed, it requests permissions for phone calls and SMS access to exfiltrate sensitive data using Telegram bots. Advanced variants utilize obfuscation tools and may request users to disable battery optimization. The financial impact is significant, with one group reportedly generating around 0,000 between mid-March and mid-June 2025. The malware targets banking notifications and large transactions, exploiting the local banking sector's reliance on SMS authentication. Group-IB has developed detection methods to combat this threat.

AppWizard

July 5, 2025

Call of Duty: WW2 Players Say the Game Is “Not Safe” After Coming to Xbox Game Pass

Call of Duty: WW2 has been added to Xbox Game Pass, but PC players are cautioned against playing it due to significant risks, including a decline in player engagement and the presence of hackers. Older titles, like WW2, are particularly vulnerable as Activision offers limited support, making them targets for malicious actors. Reports indicate that hackers are exploiting vulnerabilities, such as remote code execution (RCE) exploits, which can lead to unauthorized control over players' machines. Incidents have been reported where players experienced unexpected shutdowns and intrusive pop-ups, including inappropriate content. While no confirmed cases of data theft have emerged, the potential for malware remains a concern. Players are advised to avoid online matches in Call of Duty: WW2 on PC until an official resolution is provided.

AppWizard

July 3, 2025

Qwizzserial Android Malware as Legitimate Apps Steals Banking Data & Intercepts 2FA SMS

A sophisticated Android malware campaign named Qwizzserial has emerged as a significant threat to banking security in Central Asia, particularly affecting users in Uzbekistan. Initially identified in mid-2024, it disguises itself as legitimate applications to deceive users into installation. Analysts from Group-IB uncovered it, noting its distribution network resembles the Classiscam fraud infrastructure. The campaign has reportedly infected around 100,000 users, resulting in financial losses exceeding ,000 within three months. The primary distribution channel is Telegram, where cybercriminals pose as government entities. Qwizzserial requests critical permissions upon installation and collects personal and financial information, systematically harvesting existing SMS messages. Recent iterations have incorporated obfuscation techniques and enhanced persistence mechanisms.

AppWizard

June 20, 2025

GodFather Android Malware Uses On-Device Virtualization to Hijack Legitimate Banking Apps

Zimperium zLabs has identified a new version of the GodFather Android banking malware that uses on-device virtualization to infiltrate legitimate banking and cryptocurrency applications. This malware creates an isolated virtual environment on the victim's device, allowing attackers to observe and manipulate user interactions in real time. It employs a malicious host application with a virtualization framework that downloads and executes a copy of the targeted app, capturing credentials and sensitive information. GodFather targets nearly 500 applications globally, particularly focusing on Turkish financial institutions. It utilizes evasive tactics, including ZIP manipulation and obfuscation, to evade detection and installs its payload through a session-based dropper technique. The malware retains traditional overlay attacks and has extensive remote control capabilities, posing a significant threat to mobile security and user trust.

AppWizard

June 20, 2025

Godfather Android malware takes over banking apps

A new version of the Android malware Godfather creates isolated virtual environments on mobile devices to steal account details and transactions from banking apps. It targets over 500 banking, cryptocurrency, and e-commerce applications globally, utilizing a fully virtual file system, virtual process IDs, intent spoofing, and a component called StubActivity. Godfather manifests as an APK app with a virtualization framework, scanning for targeted applications and encapsulating them within its virtual environment. It intercepts permissions for accessibility services, redirecting them to a StubActivity that launches the virtual version of the banking app, allowing it to capture sensitive information. The malware can record account details, passwords, and PIN codes using Xposed for API hooking. It employs a fake lock screen overlay to trick users into entering their credentials and can manipulate user interfaces and execute transactions within the legitimate banking app. Godfather first emerged in March 2021 and has evolved significantly since then, with the latest iteration demonstrating advancements from previous versions.

AppWizard

June 19, 2025

Godfather Android malware now uses virtualization to hijack banking apps

A new iteration of the Android malware "Godfather" has emerged, utilizing advanced techniques to create isolated virtual environments on mobile devices for stealthy account data theft and transaction manipulation from legitimate banking applications. It targets over 500 banking, cryptocurrency, and e-commerce applications globally, employing a comprehensive virtual filesystem, virtual Process ID, intent spoofing, and a component called StubActivity. Godfather is delivered as an APK app with an embedded virtualization framework, scanning for installed target applications and launching them within its virtual environment. It intercepts user interactions with genuine banking apps, capturing sensitive data like credentials and PINs while presenting a legitimate interface. The malware can execute commands to unlock devices and initiate transactions while avoiding detection. Godfather first appeared in March 2021 and has evolved significantly since then, with the latest version representing a notable advancement over previous iterations. Users are advised to download apps only from trusted sources and remain cautious about app permissions to protect against this malware.

AppWizard

June 19, 2025

Minecraft cheat tools may actually contain malware

Trojanized cheat tools for Minecraft hosted on GitHub have been found to install malware that extracts sensitive information from players. Check Point Research identified around 500 GitHub repositories involved, potentially compromising about 1,500 devices. This operation, active since March, is linked to Russian-speaking malware developers from the Stargazers Ghost Network. The malware, disguised as cheat tools like Oringo and Taunahi, initiates a multi-stage attack requiring Minecraft to be pre-installed. It first installs a malicious JAR mod that evades detection, then proceeds to steal Minecraft tokens, Microsoft account information, and data from platforms like Discord and Telegram. The final component captures credentials from web browsers, cryptocurrency wallets, VPN applications, and gaming platforms, sending the stolen data to a Discord webhook.

AppWizard

June 7, 2025

ISKP Magazine Questions Encryption Claims Of Messaging App, Cautions

The latest edition of "Voice of Khurasan" critiques Gem Space, a new social media platform attracting Islamic State Khorasan Province (ISKP) members, highlighting security vulnerabilities. The article warns against migrating from Telegram to Gem Space due to concerns over the platform's closed-source nature, unspecified encryption protocols, lack of end-to-end encryption confirmation, unclear ownership, and absence of transparency reports. It suggests that claims of 40+ million downloads may be exaggerated, pointing to a lack of independent validation of the platform's security. The article emphasizes the importance of informed decision-making regarding digital security.

AppWizard

May 27, 2025

Google Play’s latest security change may break many Android apps for some power users

Google's Play Integrity API has been updated as of May 2025 to include stricter security measures that verify app integrity on Android devices. The updated API aims to prevent abuse and protect sensitive information but excludes most custom ROMs, making it challenging for users who root their devices. This change means that many applications, particularly in banking, gaming, and medical services, may become inaccessible to rooted users. The new integrity verdicts—“basic,” “device,” and “strong”—now incorporate hardware-backed security signals, with the “strong” verdict requiring recent security patches. Developers will automatically transition to these stronger verdicts, enhancing security without additional effort. As a result, power users may be locked out of essential applications, and workarounds to bypass these restrictions are becoming less effective.