IP address

AppWizard
May 19, 2026
The state-mandated messenger Max, developed by VK and supported by the Kremlin, is preinstalled on all new smartphones in Russia as of September 1, 2025, and is designed to function during internet blackouts. Following WhatsApp's ban in February 2026, officials have promoted Max as a "sovereign" alternative to Western messaging platforms. A reverse-engineering study revealed numerous surveillance features in Max, including VPN detection that restricts access until VPNs are disabled, real-time monitoring of contact lists, NFC control for manipulating the phone's NFC chip, silent message deletion, IP address tracking, a persistent hardware identifier, the creation of fake chats and reviews, and code injection capabilities. The study also found an on-device machine-learning system that detects keywords from audio input and the ability to record microphone audio during calls without user notification. Additionally, Max monitors access to foreign services and compiles sensitive user information into reports sent to analytics channels. The integration of Max is part of Moscow's broader initiative to consolidate internet traffic through state-controlled platforms, even reaching the International Space Station for communication purposes. Critics view the promotion of Max as part of a strategy to establish a "sovereign" communications system, raising concerns about digital privacy and freedom in Russia.
Tech Optimizer
May 17, 2026
Norton 360 is a subscription-based security suite developed by Gen Digital, designed to protect various devices, including Windows PCs, Macs, smartphones, and tablets, from threats like malware and phishing attacks. It includes features such as antivirus and anti-malware scanning, a smart firewall, a password manager, a secure VPN, and dark web monitoring. The suite operates quietly in the background, continuously monitoring for malicious behavior. Norton 360 is marketed in the US and available in Europe and Asia-Pacific, targeting households with multiple devices and online accounts. Gen Digital, the company behind Norton 360, is publicly traded on Nasdaq under the ticker GEN.
AppWizard
May 15, 2026
A security vulnerability in Android 16 allows malicious applications to expose a user's real IP address, even with "Always-On VPN" and "Block connections without VPN" features activated. Discovered by security researcher 0x33c0unt and disclosed on April 30, 2026, the flaw exploits the registerQuicConnectionClosePayload feature, which lacks permission checks. This vulnerability has been verified on a Pixel 8 with Proton VPN active. Google has not released a patch, but users can disable the feature via ADB commands.
AppWizard
May 15, 2026
Android 16 may have a vulnerability that allows applications to bypass VPN protections, potentially exposing users' IP addresses. A security engineer reported this issue through Google’s Vulnerability Reward Program, but Google's security team deemed it "infeasible" to address. The vulnerability lies within the ConnectivityManager system service, which circumvents the VPN tunnel, leading to unencrypted traffic and exposure of sensitive information. This issue persists even with "Always-on VPN" or "Block connections without VPN" features enabled. Although there is no confirmed exploitation of this vulnerability, it poses ongoing risks for users. GrapheneOS has patched the issue, indicating a fix is possible. A debug command has been identified as a temporary workaround for affected users, but it requires caution and understanding of USB debugging mode.
AppWizard
May 14, 2026
A significant vulnerability in Android 16 undermines VPN protections across all applications, allowing user traffic to leak outside the secure VPN tunnel. The “Always-On VPN” and “Block connections without VPN” settings are ineffective, potentially exposing users' real IP addresses. The issue was highlighted by security researcher Yusef, who noted that Google dismissed the problem as “Won’t Fix.” Mullvad VPN also reported the vulnerability, which affects all VPN applications on Android 16. The flaw involves a Binder method on ConnectivityManager that allows an attacker app to leak the user's real IP address without proper permission checks. Current mitigation options are limited and not advisable for average users, with a suggestion to switch to GrapheneOS, which has addressed the vulnerability.
BetaBeacon
May 5, 2026
APT37, also known as ScarCruft and Ricochet Chollima, has developed an Android version of the backdoor BirdCall, which serves as spyware in addition to a backdoor. The malware was delivered through a Chinese website that hosts games for Android, iOS, and Windows, targeting only Android and Windows systems. The Android variant of BirdCall has capabilities such as extracting IP geolocation information, collecting contact lists, call logs, SMS data, device information, taking screenshots, recording audio, and exfiltrating files. Users are advised to download software only from official marketplaces and trusted publisher sites to protect against malware infections.
AppWizard
April 30, 2026
A new infostealer malware called LofyStealer is targeting the gaming community, particularly Minecraft players, by disguising itself as a cheat tool named “Slinky.” It employs a two-stage attack to extract sensitive information from eight major web browsers, including Chrome and Firefox, while evading detection by security software. The malware siphons off cookies, saved passwords, payment card information, and session tokens. Researchers at Zenox.ai identified LofyStealer, linking it to the Brazilian cybercrime group LofyGang, which has been active since October 2022. The malware uses social engineering tactics to appear legitimate and operates as a Malware-as-a-Service platform, offering both Free and Premium tiers to buyers. Its technical sophistication is evident in its method of in-memory browser injection, which allows it to bypass security defenses. The stolen data is compressed and sent to a command-and-control server. Users are advised to avoid downloading unofficial game mods and enable multi-factor authentication to reduce the risk of credential theft. Security teams should monitor for specific behavioral indicators related to the malware's operations.
AppWizard
April 14, 2026
Mirax is a remote access Trojan (RAT) targeting Android devices in Spanish-speaking countries, identified by Outpost24's KrakenLabs in early March. It propagates fraudulent advertisements on Meta-owned applications, allowing cybercriminals to gain initial access. Mirax can interact with compromised devices in real time, converting them into residential proxy nodes through ads on platforms like Facebook and Instagram. It uses SOCKS5 protocol and Yamux multiplexing to establish proxy channels and uncover victims' IP addresses. The malware captures keystrokes, steals sensitive data, executes commands, and monitors user activity. It employs overlay pages to steal credentials and orchestrates distribution through Meta ads and GitHub for malicious APK files. Users are tricked into enabling installations from "unknown sources," and the malware disguises itself behind video playback features. Additionally, a threat actor has been offering Mirax as a malware-as-a-service (MaaS) on illicit forums, with subscription prices starting at ,500 for three months. This service is described as highly controlled and exclusive, primarily targeting Russian-speaking actors in underground communities.