deceptive applications

AppWizard
May 9, 2026
Cybersecurity researchers from ESET have discovered 28 fraudulent applications on the Google Play Store that falsely claimed to provide access to call histories for any phone number. These apps have been downloaded over 7.3 million times, with one app alone accounting for over 3 million downloads. The operation, named CallPhantom, primarily targeted Android users in India and the Asia-Pacific region. Users were lured into subscription services, paying for access to fictitious data, including call histories and SMS records, but received only randomly generated information. Some apps were published under the developer name "Indian gov.in" to create a false sense of trust. Payments were processed through the Google Play Store or third-party applications like Google Pay and Paytm. Users who subscribed via Google Play may be eligible for refunds, while those who used third-party payment methods may not be able to recover their funds. The fraudulent activity may have been ongoing since at least November 2025.
AppWizard
May 8, 2026
A series of fraudulent applications known as CallPhantom has been identified on the Google Play Store, claiming to provide access to call logs, SMS records, and WhatsApp call history for a fee. A total of 28 CallPhantom apps were reported, with over 7.3 million downloads. The apps generated random phone numbers and fabricated data, misleading users into paying for nonexistent services. The apps primarily targeted Android users in India, utilizing UPI for payments and often sidestepping Google Play's official billing system. Users expressed frustration in negative reviews after being scammed. The investigation revealed two clusters of deceptive applications: one that presented hardcoded data and another that promised to send call histories via email after payment. Refunds may be possible for subscriptions made through Google Play, but users who paid outside the platform must contact their payment provider or the app developer for resolution.
AppWizard
November 3, 2025
Researchers from Zimperium zLabs have identified over 760 Android applications exploiting Near-Field Communication (NFC) and Host Card Emulation (HCE) technologies to illegally acquire payment data. Since April 2024, there has been a significant increase in NFC relay fraud, affecting banks, payment services, and government portals globally, including Russian banks and various European financial institutions. The malware operates as paired “scanner/tapper” toolchains or standalone data collectors, exfiltrating sensitive EMV data and transmitting it to Telegram channels. Operators control these applications via command-and-control (C2) servers, allowing for fraudulent transactions with minimal user involvement. More than 70 C2 servers and numerous Telegram bots have targeted over 20 institutions worldwide, primarily focusing on Russian banks. The rise of “Tap-to-Pay” transactions has made NFC a target for cybercriminals, with harmful applications exploiting Android’s NFC permissions to steal payment data. Zimperium has provided Indicators of Compromise (IOCs) related to this campaign for safeguarding systems.
AppWizard
August 29, 2025
Google will implement mandatory identity verification for all Android app developers, starting in September 2026 in Brazil, Indonesia, Singapore, and Thailand, with early access for registrations beginning this October. This initiative aims to combat the rising threat of malicious applications targeting users' financial data. The requirement will apply to all developers, including those not publishing on the Play Store, to enhance accountability and reduce the distribution of harmful apps. Google is also developing a new Android developer console for those distributing apps outside of the Play Store and has introduced data privacy labels to inform users about data collection practices.
AppWizard
August 26, 2025
Google will ban the sideloading of unverified apps on Android starting next year, requiring developers outside the Play Store to undergo a verification process before their apps can be installed. Apps sourced from the internet for sideloading contain over 50 times more malware than those on the Play Store. The verification process aims to combat fraudulent developers who create deceptive applications. This measure does not ban sideloading outright but targets anonymous developers. Google has previously implemented various security measures, including Play Protect, to enhance app safety. A similar sideloading ban was already enforced in India.
AppWizard
July 30, 2025
A recent alert has been issued for Android smartphone users about malicious applications found on the Google Play Store that pose significant risks to user security and personal data. Cybersecurity firm Cyble has identified over twenty deceptive apps, many mimicking well-known wallet and cryptocurrency applications, which redirect users to phishing sites that collect sensitive information, including banking and cryptocurrency credentials. Users are advised to uninstall specific harmful apps such as Pancake Swap, Suiet Wallet, Hyperliquid, Raydium, BullX Crypto, OpenOcean Exchange, Meteora Exchange, SushiSwap, and Harvest Finance Blog. Google recommends using the “Play Protect” feature to scan downloaded apps for safety.