fraud

AppWizard
March 9, 2025
A report has revealed an extensive ad fraud scheme called "Vapor," which infiltrated the Google Play Store with over 180 malicious applications that garnered more than 56 million downloads before Google removed them. These apps, which mimic legitimate applications, primarily target categories such as flashlight utilities, QR code readers, and horoscope generators. They initially appear functional, but later updates strip out the legitimate features and replace them with intrusive advertisements that hijack the device's interface. Some Vapor apps achieved over one million downloads, aided by app-install schemes that inflated their rankings. Google has committed to removing violating apps and provides Google Play Protect to safeguard users. Users are advised to be cautious and avoid installing low-value applications to mitigate risks.
AppWizard
March 8, 2025
Human Security's Satori research team has discovered a new variant of the Badbox malware, known as Badbox 2.0, which has infected nearly a million Android devices, forming a large botnet. This follows the initial outbreak in 2023, where around 74,000 devices were compromised. Badbox 2.0 targets devices running the Android Open Source Project (AOSP), including off-brand smartphones, internet-connected TV boxes, automotive tablets, and digital projectors. Over 200 applications infected with malware have been identified, primarily hosted on third-party app stores, often mimicking legitimate apps from Google’s Play Store. The operation is believed to involve collaboration among four distinct criminal factions, with all infected devices traced back to China. The botnet monetizes through hidden advertisements and ad-click fraud, while also having the capability to steal passwords from infected devices. Efforts by Human Security, Google, Trend Micro, and Shadowserver Foundation have reduced the number of infected devices by half. Many malware modules were labeled "test," indicating the botnet was still developing, and it is expected that the operators will attempt to revive their network using altered tactics. Additionally, a new variant of Mirai malware, named Eleven11bot, has emerged, compromising thousands of devices, particularly targeting HiSilicon-based hardware.
AppWizard
March 6, 2025
HUMAN's Satori Threat Intelligence and Research team has identified a cyberattack named "BADBOX 2.0," which has compromised over 1 million consumer devices globally through 24 malicious applications on the Google Play Store. The operation utilizes a backdoor called BB2DOOR for persistent access to infected devices, primarily distributed via pre-installed apps on low-cost Android devices and third-party marketplaces. Four threat actor groups—SalesTracker Group, MoYu Group, Lemon Group, and LongTV—collaborate in this operation, which supports fraudulent activities such as residential proxy services, programmatic ad fraud, and click fraud, generating up to 5 billion fraudulent bid requests weekly. Despite efforts by HUMAN and Google to disrupt BADBOX 2.0, the threat actors may continue their operations due to the resilience of their supply chain. Users are advised to download apps only from official marketplaces to reduce infection risks.
AppWizard
March 6, 2025
Google removed over 180 applications from the Play Store due to an ad fraud scheme that misled advertisers into paying for non-existent user engagement, affecting more than 56 million downloads. The fraudulent apps, known as vapor apps, were disguised as legitimate applications and featured persistent advertisements that made uninstallation difficult. Google collaborated with Integral Ad Science (IAS) to identify and eliminate these apps. Despite implementing security patches, the most effective solution was the complete removal of the offending applications. Google stated that Google Play Protect would warn users and disable these apps, even if they came from outside sources.
AppWizard
March 6, 2025
HUMAN Security’s Satori Threat Intelligence team has identified a malware operation called “BADBOX 2.0,” which has compromised over 50,000 Android devices through 24 deceptive applications. This operation is an escalation from the original BADBOX campaign detected in 2023. The malware primarily targets low-cost, off-brand Android Open Source Project devices, including TV boxes, tablets, digital projectors, and vehicle infotainment systems. A backdoor named “BB2DOOR” provides threat actors with persistent access to the compromised systems. Four groups of threat actors—SalesTracker Group, MoYu Group, Lemon Group, and LongTV—are involved, using shared infrastructure for various fraud schemes. The malicious applications mimic legitimate apps in the Google Play Store, generating up to 5 billion fraudulent ad requests weekly. In response, Google has enhanced its protections, including blocking BADBOX behavior during app installation and terminating associated publisher accounts. Infected devices were found to be uncertified Android Open Source Project devices from China. Users are advised to verify certification and avoid unofficial app sources.