malicious Android apps

AppWizard
March 26, 2025
Cybercriminals are using Microsoft’s .NET MAUI framework to create advanced Android malware that bypasses security measures and compromises user data. A study by McAfee researchers highlights a rise in malicious apps developed with this tool since its introduction in May 2022. These apps often impersonate legitimate applications, particularly from financial institutions, and are distributed through third-party websites or alternative app stores. One example is a counterfeit app mimicking the official IndusInd Bank app, targeting users in India to extract sensitive information. Another variant targets Chinese-speaking users by disguising itself as a social networking service. The malicious apps are designed to be subtle, with harmful code concealed as blob files within the assemblies directory, making detection difficult for antivirus solutions. Hackers use multi-stage dynamic loading, where the Android executable file is loaded in three stages, each encrypted until execution. They also manipulate the AndroidManifest.xml file by adding excessive permissions, complicating analysis and detection. Additionally, attackers replace standard HTTP requests with encrypted TCP socket connections to evade security software. These evolving tactics indicate a potential increase in similar mobile malware threats in the future.
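The permission-padding tactic described above (an AndroidManifest.xml bloated with permissions the app never needs) is something a defender can triage mechanically. The following script is an added example, not code from McAfee's research or from the page: it takes a decoded (text) manifest such as apktool produces, counts the `uses-permission` entries, flags well-known sensitive permissions, and notes duplicates. The sensitive-permission grouping and the count threshold are this example's own assumptions, and the sample manifests are constructed.

```python
"""Triage helper for AndroidManifest.xml permission padding.

Added example (not the McAfee research code). Input is a decoded text manifest,
e.g. the output of `apktool d app.apk`; binary XML inside a raw APK must be
decoded first. Thresholds and the sensitive-permission set are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names; grouping them as "sensitive" for a
# bank-impersonating app is this example's own assumption.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.RECORD_AUDIO",
}

# Assumed threshold; tune it against a corpus of known-good apps.
PERMISSION_COUNT_THRESHOLD = 20


def extract_permissions(manifest_xml: str) -> list[str]:
    """Return every android:name on uses-permission / uses-permission-sdk-23."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.append(name)
    return names


def triage_manifest(manifest_xml: str) -> dict:
    """Summarise permission count, sensitive entries, duplicates and a verdict."""
    perms = extract_permissions(manifest_xml)
    sensitive = sorted({p for p in perms if p in SENSITIVE_PERMISSIONS})
    duplicates = sorted({p for p in perms if perms.count(p) > 1})
    return {
        "permission_count": len(perms),
        "sensitive": sensitive,
        "duplicates": duplicates,
        # Either signal alone is enough to pull the sample for manual analysis.
        "suspicious": len(perms) >= PERMISSION_COUNT_THRESHOLD or bool(sensitive),
    }


def build_manifest(permission_names: list[str]) -> str:
    """Construct a minimal decoded manifest for testing (constructed sample)."""
    lines = ['<?xml version="1.0" encoding="utf-8"?>',
             f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.sample">']
    lines += [f'    <uses-permission android:name="{p}"/>' for p in permission_names]
    lines += ['    <application android:label="sample"/>', '</manifest>']
    return "\n".join(lines)


# Constructed samples: a benign utility and a padded impersonator.
BENIGN_MANIFEST = build_manifest([
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
])
PADDED_MANIFEST = build_manifest(
    ["android.permission.INTERNET",
     "android.permission.READ_SMS",
     "android.permission.RECEIVE_SMS",
     "android.permission.READ_CONTACTS",
     "android.permission.INTERNET"]            # duplicate entry
    # Constructed filler names standing in for the padding seen in the wild.
    + [f"android.permission.CONSTRUCTED_PADDING_{i}" for i in range(20)]
)

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("padded", PADDED_MANIFEST)):
        print(label, triage_manifest(manifest))
```

Run it against a directory of decoded manifests and sort by `permission_count`; the padded samples cluster at the top even before any per-permission judgement is applied.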
AppWizard
March 25, 2025
A malicious Android app campaign called “Vapor” has been discovered, designed to trick users into revealing sensitive information through misleading ads. This campaign includes various apps posing as utilities, such as QR code scanners and health trackers, with over 60 million downloads collectively. It primarily targets users in Brazil, the United States, and Mexico. Some apps have evaded detection by not showing harmful behavior immediately after installation and by disguising themselves. They use tactics like inundating users with full-screen ads and employing scare tactics to prompt downloads of additional harmful apps. The campaign may be run by a single cybercriminal group or a coalition, utilizing shared malware development tools. Despite Google removing many harmful apps, new variants continue to emerge, highlighting the evolving nature of mobile malware.
AppWizard
March 19, 2025
Cybersecurity experts from Bitdefender discovered an ad fraud scheme involving over 300 Android applications that collectively had more than 60 million downloads from the Google Play Store. These apps, which appeared as utility tools like QR scanners and health apps, mainly targeted users with older Android versions (Android 13 and earlier) and first appeared in the third quarter of 2024. As of the research's completion, only 15 of the identified apps were still active, with most affected users located in Brazil, and others in the United States, Mexico, Turkey, and South Korea. The deceptive apps concealed their icons, displayed intrusive ads without user consent, and attempted to harvest sensitive information. Many of these harmful apps have been removed from the Play Store, but users with them installed remain vulnerable. Signs of compromise include lagging, excessive ads, overheating, or unexpected data usage. Users are advised to uninstall suspicious apps and to use the latest version of Android, currently Android 15.
AppWizard
March 18, 2025
Bitdefender has identified at least 331 malicious applications on the Google Play Store, which have been downloaded over 60 million times. These apps, including QR code scanners and simple games, can display intrusive advertisements and compromise user data. A list of some remaining malicious apps includes ShapeUp, Beautiful Day, Destiny Book, Dropo, Handset Locator, Body Scale, Cache Sweep TEL: Clean, Five in a Row, Massm BMI, and Water Note. Many of these apps can bypass Android security measures, initiate without user interaction, and may launch phishing attacks. Users are advised to avoid these apps, manually remove any malicious apps they may have installed, and enable Google Play Protect for added security.
AppWizard
February 17, 2025
Recent investigations have revealed a connection between the spyware Spyrtacus and the Italian developer SIO, which supplies products to the Italian government. At least three Android applications, disguised as popular services like WhatsApp, have been identified as spyware. This discovery was first reported by an anonymous security researcher in late 2024, leading TechCrunch to notify Google and cybersecurity firm Lookout, both of which confirmed the presence of malicious code in these applications. Researchers traced a connection between SIO and Spyrtacus back to ASIGINT, a subsidiary of SIO that develops "computer wiretapping" software. SIO is listed as the certificate holder for a product named SIOAGENT, owned by ASIGINT. ASIGINT's CEO, Michele Fiorentino, acknowledged his involvement in the "Spyrtacus Project" at DataForense, another company linked to SIO's servers. Lookout's Kristina Balaam identified 13 samples of Spyrtacus from 2019 to October 2024. Google spokesperson Ed Fernandez stated that no apps containing this malware are currently on Google Play, with protective measures in place since 2022. However, a 2024 Kaspersky report indicated that Spyrtacus has shifted from Google Play to deceptive replicas of Italian internet service provider websites. The Italian government has a history of facilitating spyware manufacturers, exemplified by Israeli developer Paragon Solutions terminating its contract with the government in February 2025 after breaching privacy ethics. Additionally, Italian telephone operators have engaged in surveillance activities, compensated by the justice ministry, raising concerns about the presence of spyware companies in Italy over the past two decades.
AppWizard
February 3, 2025
Google blocked 2.36 million malicious Android apps from its Play Store in 2024 and took action against 158,000 developer accounts attempting to introduce malware and spyware. The company acknowledges that some dangerous apps may still appear on third-party websites and encourages users to utilize Google’s Play Protect system. Google attributes its success in blocking malicious apps to advancements in artificial intelligence, which has improved threat detection.
AppWizard
December 5, 2024
Smartphones have become essential tools for communication and financial management, but they also expose users to privacy risks. Cybersecurity investigations have found that certain Android applications may secretly record conversations and steal personal information. A report by cybersecurity firm ESET identified malicious apps distributed via Google Play and third-party channels that masquerade as legitimate tools. One tactic used by hackers involves initiating romantic dialogues on platforms like Facebook Messenger or WhatsApp to gain victims' trust before persuading them to install infected apps, such as those containing the VajraSpy Trojan. Malicious applications fall into three groups:
1. Standard messaging apps with hidden Trojans: apps like Hello Chat, MeetMe, and Chit Chat request access to contacts and phone numbers while secretly gathering sensitive data.
2. Apps exploiting accessibility features: apps like Wave Chat use Android's accessibility features to intercept communications from secure applications, eavesdropping on conversations and capturing notifications.
3. The single non-messaging app: Nidus, a news application, requests sensitive information despite lacking messaging capabilities.
A list of 12 identified malicious apps includes Rafaqat, Privee Talk, MeetMe, Let's Chat, Quick Chat, Chit Chat, YohooTalk, TikTalk, Hello Chat, Nidus, GlowChat, and Wave Chat. Six of these were available on the Google Play Store and had over 1,400 downloads before removal. To protect privacy, users should uninstall suspicious apps, change passwords, enable two-factor authentication, run security scans, and exercise caution when downloading apps.
AppWizard
December 3, 2024
Android users are facing a persistent threat from SpyLoan applications, which are malicious apps designed to deceive individuals into seeking quick loans. A recent investigation by McAfee identified fifteen new SpyLoan apps that have collectively been downloaded eight million times. Although Google has removed these apps from the Play Store, experts expect the threat to continue as cybercriminals adapt their tactics. These apps, categorized as potentially unwanted programs (PUPs), use social engineering to collect sensitive user information by presenting themselves as legitimate financial tools. Users often receive less than the promised loan amount while being required to repay the full sum along with additional fees. In December 2023, Google removed a previous batch of SpyLoan apps that had over twelve million downloads. The latest campaigns are targeting regions like Latin America, Southeast Asia, and Africa, using methods such as requiring a one-time password for download validation. Users are pressured to provide personal information, including identification, employment details, and banking data, which can then be used for harassment and blackmail.
AppWizard
July 31, 2024
A malicious campaign targeting SMS messages through harmful Android applications has been active since at least February 2022, involving over 107,000 unique malware samples designed to intercept one-time passwords (OTPs) for identity fraud. A report from Zimperium indicates that 99,000 of these malware apps were previously unknown and not found in common repositories. The campaign affects victims in 113 countries, with India and Russia being the most impacted. The malware is installed via deceptive ads or Telegram bots and monitors incoming SMS messages for OTPs. The perpetrators remain unidentified but accept various payment methods, including cryptocurrency, for a service called Fast SMS, which allows access to virtual phone numbers for fraudulent activities. Additionally, Positive Technologies has identified SMS stealers targeting Android users in specific countries, and other malware variants use Telegram as command-and-control servers.