Downloader Archives

AppWizard

May 26, 2026

3 useful sideloaded Android Auto apps you won’t find in the Play Store

The text discusses the versatility of Android Auto, particularly through the ability to sideload apps that enhance the in-car experience. Key apps mentioned include: - AA Browser: Allows users to surf the web in their car. To install it, users need the Android Auto Apps Downloader (AAAD) and must enable Developer Mode on their Android device and in Android Auto. - CarStream: A sideloaded app that enables access to YouTube content in vehicles that support Android Auto. It requires a strong data connection and should only be used when parked. - Screen2Auto: An app that mirrors a phone's display to the car's infotainment system, allowing access to websites and streaming services without additional logins. It also requires permissions to function. - Fermata Auto: An all-in-one sideloaded app supporting various streaming platforms, which the author plans to explore further.

AppWizard

May 23, 2026

Android ruined link handling years ago. Here’s how I fixed it with a free app

LinkSheet is an open-source application designed to improve link-handling on Android devices by reinstating the "Open with" dialog, allowing users to choose their preferred app for opening links. It intercepts links when set as the default browser, enabling users to select from multiple apps instead of being restricted to verified ones. LinkSheet also allows users to open links in incognito mode for privacy and control over browsing habits. Users can download LinkSheet from its GitHub repository, as it is not available on the Google Play Store. After installation, users can configure their apps to prevent them from opening verified links directly. Additional features include the Use ClearURLs option to remove tracking parameters and an Enable downloader feature for direct download links.

AppWizard

May 7, 2026

Milestone 1.0.0 Release of APK Downloader `apkeep` Powers Research on

Last week, apkeep released version 1.0.0, marking a significant milestone after four years of development. This version includes features such as the ability to download a dex metadata file linked to an app with a Cloud Profile, anonymous login for app downloads via a token from the Aurora Store, the option to specify device profiles for app downloads, and a fix for an authentication bug caused by the Play Store API. apkeep is now also available through Homebrew for macOS users. The new features are influenced by researchers, particularly the dex metadata download capability, which aids in studying Android compilation profiles. Various research projects, including Exodus Privacy and a study on Android evasive malware, have utilized apkeep. The project aims to expand support for additional app providers beyond Google Play, including F-Droid. Users are encouraged to share their experiences and consider donating to support the project.

BetaBeacon

May 5, 2026

ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows

ScarCruft compromised a video game platform in a supply chain attack, trojanizing its components with a backdoor called BirdCall to target ethnic Koreans residing in China. The attack enabled the threat actors to target both Windows and Android devices, turning it into a multi-platform threat. The campaign targeted sqgame[.]net, a gaming platform used by ethnic Koreans in China, known as a transit point for North Korean defectors. BirdCall has features like screenshot capture, keystroke logging, and data gathering, and relies on legitimate cloud services for command-and-control. The Android variant collects various data and has seen active development.

AppWizard

April 15, 2026

Top Android Apps You Won’t Find On Google Play Store

The Google Play Store does not include every app desired by users due to strict privacy, security, and content moderation policies, leading to the growth of third-party platforms and APK-based tools. Notable apps outside the Play Store include: - BombitUp: A prank app that allows users to send multiple SMS messages, popular among younger users, but excluded from the Play Store due to potential misuse. - 9Apps: An alternative app store developed by Alibaba Group, offering a variety of apps, games, and older versions of applications, particularly popular in regions lacking Play Store access. - Snaptube: A video downloader for platforms like YouTube and Facebook, absent from the Play Store due to policy violations but sought after for offline video access. - VidMate: A comprehensive video downloading app that also provides access to live TV, movies, and music, maintaining popularity despite not being available in official app stores. - Honista: A modified version of Instagram that enhances privacy and customization options, appealing to users wanting more control over their social media experience. - Lucky Patcher: A tool for advanced users that allows modifications to app permissions and ad removal, requiring technical knowledge and sometimes root access, leading to its exclusion from the Play Store. - APKPure: An alternative app store that focuses on providing safe and verified APK files, emphasizing security and access to region-locked apps or older versions. These applications cater to specific user needs that are often overlooked by mainstream platforms.

Tech Optimizer

April 6, 2026

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that impersonate Strapi CMS plugins. These packages exploit Redis and PostgreSQL, deploy reverse shells, harvest credentials, and establish persistent implants. Each package consists of three files—package.json, index.js, and postinstall.js—without descriptions or repositories, and all use version 3.6.8 to mimic legitimate Strapi plugins. The malicious packages follow a naming convention starting with "strapi-plugin-" and were uploaded by four accounts within 13 hours. The identified packages include names like strapi-plugin-cron, strapi-plugin-database, and strapi-plugin-server. The malicious code is embedded in the postinstall script, executing automatically upon installation with the same privileges as the user. The payloads evolve from exploiting Redis for remote code execution to attempting direct PostgreSQL database exploitation and deploying persistent implants for remote access. The campaign appears to target cryptocurrency platforms, as indicated by the focus on credential theft and digital assets. Users of these packages are advised to assume compromise and rotate credentials. This incident reflects a broader trend of supply chain attacks in the open-source ecosystem, with recent examples including credential exfiltration payloads in GitHub repositories and compromised GitHub Actions workflows. Group-IB reported that software supply chain attacks are increasingly reshaping the cyber threat landscape, targeting trusted vendors and open-source software to gain access to downstream organizations.

Winsage

April 6, 2026

ResokerRAT Hijacks Telegram API to Command Infected Windows PCs

A newly discovered Windows malware called ResokerRAT uses Telegram’s Bot API for its command-and-control operations, allowing it to monitor and manipulate infected systems without a conventional server. It obscures its communications by integrating with legitimate Telegram traffic, complicating detection. Upon execution, it creates a mutex to ensure only one instance runs and checks for debuggers to avoid analysis. It attempts to relaunch with elevated privileges and logs failures to its operator. ResokerRAT terminates known monitoring tools and installs a global keyboard hook to obstruct defensive key combinations. It operates through text-based commands sent via Telegram, allowing it to check processes, take screenshots, and modify system settings to evade detection. Persistence is achieved by adding itself to startup and altering UAC settings. The malware retrieves additional payloads from specified URLs and uses URL-encoded data for communication. Researchers have confirmed its Telegram traffic, and its behavior aligns with various MITRE ATT&CK techniques. Security teams are advised to monitor for unusual Telegram traffic and scrutinize registry keys related to startup and UAC.

AppWizard

March 11, 2026

How to update the OS and All Apps on a Google TV or Android TV device

To ensure optimal performance of streaming devices, both the operating system and applications need to be updated. Users often update the operating system but may overlook app updates, which can lead to issues, especially after setting up a new device or performing a factory reset. An example of a problematic app is the outdated WebView, which can cause downloading errors in applications like Downloader. Operating System Updates: 1. Go to Settings > System (or Device Preferences on Android TV) > About > System update to check for and install OS updates. App Updates: 1. Open the Google Play Store, click the round Profile Icon in the upper-right corner, select Manage apps & games, then Updates, and choose Update all if updates are available.

Winsage

March 2, 2026

Fake Xeno and Roblox Utilities Used to Install Windows RAT, Microsoft Warns

Cybersecurity experts at Microsoft Threat Intelligence have identified a trend where attackers distribute counterfeit gaming tools that install a remote access trojan (RAT) on users' systems. These trojanized executables, such as Xeno.exe or RobloxPlayerBeta.exe, are shared through browsers and chat platforms. The initial executable acts as a downloader, installing a portable Java runtime environment and launching a harmful Java archive, jd-gui.jar. Attackers use built-in Windows tools to execute commands via PowerShell and exploit trusted system binaries, minimizing detection risk. The embedded PowerShell script connects to remote locations, downloads an executable as update.exe, and executes it. The malware erases evidence of the downloader and modifies Microsoft Defender settings to allow RAT components to function undetected. It establishes persistence through scheduled tasks and a startup script named world.vbs, enabling prolonged access to the compromised device. Microsoft Defender can detect the malware and its behaviors, and organizations are advised to monitor outbound traffic and block identified domains and IP addresses. Users are encouraged to scrutinize Microsoft Defender exclusions and scheduled tasks for irregularities and remain cautious about downloading tools from unofficial sources.

AppWizard

February 17, 2026

This new Android feature is amazing, but I’m scared for its future

Android 16 introduced Live Updates, a feature that prioritizes important notifications like transit directions and Uber progress, making them easily accessible without needing to open the app. Live Updates display information in a bubble or chip in the status bar, allowing users to glance at their screens for essential updates. This feature is particularly useful for public transport users and drivers, as it integrates seamlessly into the Android interface, appearing in the notification drop-down, on the lock screen, and on the always-on display. However, the adoption of Live Updates among developers has been low, with only a few apps like Uber, byAir, and Flud utilizing it effectively. Many Google applications, such as the Clock app and the Google app, have not integrated Live Updates, raising concerns about the feature's future viability.