deceptive nature Archives

AppWizard

January 21, 2026

Some apps generating fake ad views, slowing down phones, new study says

Researchers from Check Point have identified 15 mobile applications on Google Play that generate fraudulent ad views, leading to battery drain and potential access to personal information. These apps, disguised as utility tools like emoji makers and QR code scanners, have millions of downloads, particularly in Asia. Google has removed these harmful apps, and Google Play Protect disables any harmful applications automatically. Users are advised to monitor battery usage, review app permissions, and be cautious of persistent notifications from apps. It is recommended to delete suspicious applications and download apps from official sources.

AppWizard

December 25, 2025

Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale

Threat actors in Uzbekistan are increasingly using sophisticated tactics to target mobile users, specifically through malicious dropper applications that appear as legitimate software. A recent analysis by Group-IB identified an Android SMS stealer called Wonderland, which was previously known as WretchedCat. Unlike traditional Trojan APKs that activate malware immediately upon installation, Wonderland utilizes droppers that activate malicious payloads locally after installation, even without an internet connection. Wonderland enables bidirectional command-and-control communication, allowing real-time execution of commands, including SMS theft and USSD requests. It disguises itself as Google Play or various file formats to evade detection. The financially motivated group behind this malware, TrickyWonders, uses Telegram for coordination and was first detected in November 2023. Wonderland is associated with two dropper families: MidnightDat and RoundRift. Propagation methods for Wonderland include counterfeit Google Play Store pages, Facebook ads, and fake accounts on dating apps. Attackers exploit stolen Telegram sessions from Uzbek users to distribute APK files. Once installed, Wonderland can access SMS messages, intercept one-time passwords, and siphon funds from victims' bank accounts. It can also retrieve phone numbers, exfiltrate contact lists, suppress security alerts, and send SMS messages from compromised devices. Users must enable installations from unknown sources to sideload the app, often misled by a fake update screen. If granted permissions, attackers can hijack the phone number and log into the associated Telegram account, perpetuating the malware's spread. Wonderland represents a significant evolution in mobile malware in Uzbekistan, moving from basic malware like Ajina.Banker to more sophisticated variants like Qwizzserial. The use of dropper applications enhances its deceptive nature, allowing it to evade security checks. Both the dropper and SMS stealer components are heavily obfuscated, complicating reverse engineering. The supporting infrastructure for Wonderland is dynamic, with rapidly changing domains complicating monitoring efforts. Malicious APKs are generated through a Telegram bot and distributed by a network of threat actors. New strains of malware, such as Cellik, Frogblight, and NexusRoute, have also emerged, each capable of harvesting sensitive information from compromised devices.

AppWizard

November 26, 2025

This new Android malware can control your phone and swipe your banking data

A new malware called Sturnus spreads through sideloaded APKs and can steal chats, banking information, and control devices. It reads decrypted chats, creates fake banking overlays, and can remotely access Android devices. Sturnus disguises itself with fake Android update screens, and users in Europe have already fallen victim to it. The malware is primarily spread through attachments sent via messaging applications and exploits Accessibility settings to read screen content and impose overlays on banking applications. Google has not detected this malware in the Google Play Store, thanks to Play Protect's scanning efforts. Users are advised to exercise caution when downloading APKs.

AppWizard

August 12, 2025

This so-called Android ‘antivirus’ is just a front for spyware

LunaSpy is an Android spyware that has been circulating since February 2025, primarily infiltrating devices through messaging platforms like Telegram. It disguises itself as a legitimate antivirus or banking protection app, tricking users into granting extensive permissions by initiating a fake virus scan and presenting false notifications of threats. Once installed, LunaSpy can steal passwords from browsers and messaging apps, record audio and video, access text messages, track geographical location, and execute commands on the device. The spyware also contains dormant code that may allow it to steal photos in future updates. Data collected by LunaSpy is sent to attackers via around 150 servers. Users are advised against downloading APKs from links shared through messaging apps and should uninstall any unfamiliar antivirus applications that request extensive access to their devices.

AppWizard

June 19, 2025

Malicious Minecraft mods distributed by the Stargazers DaaS target Minecraft gamers

Check Point researchers have discovered a malware campaign targeting Minecraft users, utilizing a distribution-as-a-service model called Stargazers. This malware, disguised as cheat tools, employs Java and .NET stealers to compromise player systems. The attackers have been active since March 2025, using GitHub repositories that appear to offer legitimate mods but contain malicious JAR files. The infection process begins with the installation of a compromised JAR file, which triggers a multi-stage attack that extracts sensitive data from Minecraft and Discord, as well as broader information like browser credentials and cryptocurrency wallet details. The malware is linked to Russian-speaking threat actors, and the Stargazers Ghost Network is identified as the distributor. The report highlights the need for caution when downloading third-party content in gaming communities.

Winsage

May 14, 2025

Microsoft’s upcoming OneDrive update bypasses security protocols between business and personal files

Microsoft is integrating its products into the user experience, with OneDrive being a prominent example. The upcoming June update will introduce a feature called "Prompt to Add Personal Account to OneDrive Sync," which encourages users on business devices to sync files with personal accounts, potentially compromising security by exposing sensitive business data. Many users are unaware they are using OneDrive, leading to confusion and frustration, especially among older individuals. To address concerns about the update, users can consult their IT department to implement policies that disable the synchronization prompt or personal sync altogether.

AppWizard

April 25, 2025

There’s yet another PC ripoff floating around the Nintendo eShop, but this time it’s REPO that’s been robbed: ‘Even the eShop has slip-ups when it comes to allowing fake games’

A game called R.E.P.O Horror was released on the Nintendo eShop, misleading players into believing it was the authentic PC game R.E.P.O. Users reported that R.E.P.O Horror was of low quality and not published by the original developer, Semiwork. This incident is part of a broader trend of intellectual property infringement, as seen with other titles like The Backrooms 1998 and games such as TCG Card Shop Simulator, Only Up!, and Chained Together, which closely resemble their original versions. Consumers are advised to verify developer and publisher details before purchasing games on the Nintendo eShop to avoid counterfeit products. The original R.E.P.O game remains a reputable option in the co-op horror genre, with plans for future enhancements.

AppWizard

March 22, 2025

Nasty Android apps that steal credit cards and passwords downloaded 60 million times

Over 331 applications on the Google Play Store have been identified as potentially compromised by a widespread malware campaign, which has affected millions of Android devices. These malicious apps can steal sensitive information, including passwords and credit card details, and have accumulated over 60 million downloads globally. They often disguise themselves as benign utility applications, such as QR code scanners and fitness tools, and generate revenue through intrusive advertisements. The malware campaign began in April 2024, with many apps initially appearing benign before being updated with malicious components. Some apps can hide their icons and bypass Android security measures, making detection difficult. Victims are primarily located in Brazil, the United States, Mexico, Turkey, and South Korea. Despite Google's efforts to remove many of these apps, some remain active, and users must take proactive measures to protect their devices.

AppWizard

December 25, 2024

Android users who use Amazon are placed on red alert and told to delete app now

A recent alert from McAfee has raised concerns for Android users regarding a health application called BMI CalculationVsn available on Amazon's Appstore. This app, which appears to be a simple Body Mass Index calculator, is capable of recording on-screen activity, accessing private SMS messages, and scanning devices for sensitive information. McAfee discovered that the app secretly steals the package names of installed apps and incoming SMS messages. Following this discovery, McAfee alerted Amazon, which removed the app from its platform. Users who have downloaded the app are advised to uninstall it immediately. McAfee emphasizes the importance of vigilance in digital security, recommending that Android users install reliable antivirus software and carefully review permission requests from apps. Users should also be aware of unusual app behavior, such as decreased device performance, rapid battery drain, and unexpected spikes in data usage, which may indicate malicious activity.

AppWizard

December 23, 2024

Urgent Android warning for anyone who uses Amazon – delete dangerous app now

McAfee's security team discovered a malicious app named "BMI CalculationVsn" in Amazon's Android Appstore, which pretended to be a health tracker but was capable of screen recording, password theft, and accessing private SMS messages. Following the report, Amazon removed the app from its platform, and users who downloaded it are advised to uninstall it immediately. McAfee recommends that Android users install reliable antivirus software, scrutinize permission requests before downloading apps, and monitor app behavior for unusual activity to enhance their security.