malicious app Archives

Tech Optimizer

December 30, 2025

How to Run an iPhone Malware Scan: Find and Remove Viruses

iPhones do not support traditional antivirus applications due to iOS's app sandboxing feature, which limits apps' access to system-level data. Users can identify potential malware by monitoring for unusual behaviors, such as overheating, fast battery drain, unexpected data usage spikes, unwanted Safari pop-ups, unfamiliar apps, repeated login prompts, and strange messages sent from their accounts. To investigate for malware, users should check device performance, review storage and data usage, monitor battery usage, and look for jailbreak indicators. If malware is suspected, users can take steps such as updating iOS and apps, restarting the device, deleting suspicious apps, clearing Safari data, removing unknown profiles, resetting network settings, restoring from a clean backup, or performing a factory reset as a last resort. iOS includes built-in protections against malware, such as App Store reviews, sandboxing, code signing, and regular security updates. However, iPhones are not completely immune to threats, and jailbreaking increases vulnerability. To protect against malware, users should keep iOS and apps updated, use strong passcodes, avoid jailbreaking, be cautious with links and attachments, use secure browsers, and consider using a VPN on public Wi-Fi. CyberGhost VPN can provide additional security on unsecured networks by encrypting internet traffic. While iPhones do not have built-in malware scanners, they incorporate various protections to prevent malware from reaching the device. Signs of potential malware include overheating, rapid battery drain, unexpected data usage spikes, and unusual app behavior. Malicious apps can occasionally bypass App Store scrutiny, and users should take immediate action if they suspect an infection. Generally, iPhones are considered more secure than Android devices due to stricter app controls.

AppWizard

December 18, 2025

Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App

A new Android malware campaign has been launched by the North Korean threat actor Kimsuky, introducing a variant called DocSwap. This malware is distributed via QR codes on phishing websites that impersonate CJ Logistics. Attackers use QR codes and notification pop-ups to lure victims into downloading the malware, which decrypts an embedded APK and activates Remote Access Trojan (RAT) capabilities. The malicious app is disguised as a legitimate application to bypass Android's security measures. Victims are tricked into installing the app through smishing texts or phishing emails that mimic delivery companies. The app downloads an APK named "SecDelivery.apk," which then loads the malware. It requests permissions to access various device functions and registers a service that simulates an OTP authentication screen. The app connects to an attacker-controlled server, allowing execution of commands such as logging keystrokes, capturing audio, and gathering sensitive information. Additionally, two other malicious samples have been identified, disguised as a P2B Airdrop app and a trojanized version of the BYCOM VPN app. The campaign also includes phishing sites mimicking popular South Korean platforms to capture user credentials.

AppWizard

November 29, 2025

The Spy in Your Pocket: How Ordinary Android Apps Are Turning Into Dangerous Spyware

Numerous commonly used Android applications, often appearing harmless, can contain malicious code that functions as spyware. These applications, which include phone cleaners, file managers, and wallpaper apps, can record screens, capture keystrokes, access microphones and cameras without consent, and transmit data to unknown servers. Uninstalling these apps may not eliminate the threat, as they can remain hidden. Users often grant unnecessary permissions to these apps, inadvertently allowing cybercriminals access to personal data. Recent cybersecurity assessments indicate a rise in mobile malware attacks, particularly in India, where weak enforcement and low awareness contribute to the problem. Spyware can drain device resources, leading to rapid battery depletion and lagging performance. Additionally, these apps can steal personal information, enabling identity theft and ongoing repercussions. Trusting apps solely based on their presence in the Play Store is a misconception, as modern spyware can bypass initial checks. To stay safe, users should verify developers, decline unnecessary permissions, conduct security scans, avoid third-party APKs, and keep their devices updated.

AppWizard

November 13, 2025

Google will let ‘experienced users’ keep sideloading Android apps

Google is revising its approach to app installation on Android devices, particularly for applications from unverified developers. Initially, a stringent verification requirement was announced, mandating developers to disclose personal information, which faced backlash for undermining user autonomy. Despite this, Google has introduced a more flexible option for “experienced users” to install apps from unverified sources with protective measures and warnings about potential risks. Additionally, a new type of developer account for students and hobbyists will bypass the comprehensive verification process, allowing easier access for emerging developers with restrictions on app installations. The verification process rollout is set for 2026 in select countries, with global expansion planned for 2027. Google is also navigating a settlement with Epic Games that may reduce developer fees and allow officially recognized third-party app stores.

AppWizard

November 5, 2025

6 Android apps reportedly recording users’ conversations

Recent investigations have identified a series of malicious Android applications capable of spying on users by extracting messages from platforms like WhatsApp and Signal, and recording conversations without consent. One such app, WaveChat, can capture background audio even when the microphone is not in use. These apps deploy a remote access trojan (RAT) called VajraSpy and are primarily targeting users in India and Pakistan, with only about 1,400 downloads noted. A total of 12 spyware apps were identified, including six available on the Google Play Store. These include Privee Talk, MeetMe*, Let’s Chat, Quick Chat, Rafaqat رفاق, and Chit Chat. Users are advised to be cautious about app permissions and to download applications only from reputable sources. ESET researchers also discovered two spyware apps posing as the Android Signal app, targeting users in the United Arab Emirates. One malicious app exploited the popularity of a Pakistani cricket player, although he is not involved in the malicious activity. The development of these spyware apps is attributed to Patchwork APT.

AppWizard

October 30, 2025

NFC Relay Attack: 700+ Android Apps Harvest Banking Login Details

Researchers at zLabs have identified over 760 malicious Android applications that exploit Near Field Communication (NFC) technology to steal banking credentials and facilitate fraudulent transactions. This cybercrime campaign has expanded from isolated incidents in April 2024 to a widespread operation targeting financial institutions in countries including Russia, Poland, the Czech Republic, Slovakia, and Brazil. The malware utilizes social engineering tactics by impersonating around 20 legitimate banking institutions and government services, such as VTB Bank, Tinkoff Bank, and the Central Bank of Russia. The malware ecosystem is supported by over 70 command-and-control servers and private Telegram channels for data exfiltration. Attackers deceive victims into granting dangerous NFC permissions, allowing the malware to intercept payment data during contactless transactions. Some campaigns use paired applications for data extraction and fraudulent purchases, while others focus solely on data exfiltration. The malware maintains communication with its command-and-control infrastructure, enabling real-time relay attacks to conduct transactions using victims' payment credentials. The rapid spread of this NFC-based payment malware highlights the adaptability of cybercriminals as contactless payment technologies become more common. Financial institutions are urged to enhance fraud detection systems, mobile device manufacturers should tighten NFC permission controls, and users are advised to be cautious when granting NFC access to applications.

Tech Optimizer

October 23, 2025

Delete the fake VPN app stealing Android users’ money

Malware targeting Android devices has become more sophisticated, with cybercriminals deploying fake banking applications and phishing campaigns. A recently identified dangerous app, Mobdro Pro IP TV + VPN, introduces a malware strain called Klopatra, which is used in campaigns against financial institutions. This app appears to be a free streaming platform but installs a banking Trojan and remote-access tool, allowing attackers to steal banking credentials and conduct fraudulent transactions. The infection process involves social engineering tactics to trick users into downloading the app from unofficial sources, and Klopatra can bypass Android's security measures. The rise of fake VPNs, like Mobdro, poses a significant risk, as many users rely on VPNs for privacy and security. Users are advised to take protective measures, including downloading apps only from trusted sources, checking app permissions, using secure VPNs, installing strong antivirus software, monitoring accounts, removing suspicious apps, keeping devices updated, changing passwords, enabling two-factor authentication, and reporting malicious apps.

AppWizard

October 16, 2025

Pixnapping: Side-Channel Vulnerability Allows Android Apps to Capture Sensitive Screen Data

A newly identified attack method called Pixnapping poses a significant threat to Android devices by allowing malicious applications to capture on-screen information from other apps through pixel stealing. This attack affects various applications, including Signal, Google Authenticator, and Venmo. Pixnapping occurs when a user installs a malicious app that uses Android APIs to launch a target application, capturing sensitive information displayed on the screen by exploiting a side channel. The attack utilizes the GPU.zip side-channel vulnerability, prevalent in modern GPUs from manufacturers like AMD, Apple, Arm, Intel, Qualcomm, and Nvidia. Currently, there are no mitigation strategies available for developers against Pixnapping, which can lead to the theft of locally stored secrets, such as two-factor authentication codes. The GPU.zip vulnerability was disclosed in 2023 and remains unaddressed by GPU vendors.

AppWizard

October 15, 2025

Google has patched ‘Pixnapping’ attack in Android, further fix with December security update

Google has acknowledged a significant vulnerability affecting secure applications like Authenticator and Signal, caused by a technique called "Pixnapping." This vulnerability has been exploited on Google Pixel devices and Samsung Galaxy smartphones. It takes advantage of weaknesses in the Android operating system, particularly through the Android Intent system, allowing malicious apps to request sensitive information from targeted apps. The vulnerability enables the extraction of sensitive pixels, which can be accessed via another vulnerability known as GPU.zip. The research team that discovered Pixnapping demonstrated the exploit on multiple Google Pixel models (Pixel 9, Pixel 8, Pixel 7) and a Samsung Galaxy S25. Google was alerted to the issue in February 2025 and released a partial fix in its September security update. However, a workaround for the CVE-2025-48561 vulnerability remains undisclosed and unaddressed in the current update. Google plans to issue an additional patch in the December security update and has stated that there have been no confirmed real-world exploitations of the vulnerability.

AppWizard

October 14, 2025

New Android Pixnapping attack steals MFA codes pixel-by-pixel

A new side-channel attack called Pixnapping allows malicious Android applications to extract sensitive data without permissions by stealing pixels displayed by applications or websites. This attack can reveal private information, including chat messages from secure apps like Signal, emails from Gmail, and two-factor authentication (2FA) codes from Google Authenticator. Developed by a team of researchers, Pixnapping works on fully patched modern Android devices and can exfiltrate 2FA codes in under 30 seconds. Google attempted to address this vulnerability (CVE-2025-48561) in a September update, but the researchers bypassed these measures. A more robust solution is expected in the December 2025 Android security update. The attack begins with a malicious app exploiting Android’s intents system to launch a target app or webpage, processed by the system’s composition engine, SurfaceFlinger. The malicious app identifies target pixels by executing graphical operations and uses a 'masking activity' to conceal the target app. The attacker modifies the cover window to display all opaque white pixels except for the chosen transparent pixel. The isolated pixels are enlarged using a stretch-like effect when applying blur, and an OCR-style technique is then used to recover the pixels. The researchers utilized the GPU.zip side-channel attack to leak visual information, achieving a data leakage rate of 0.6 to 2.1 pixels per second, allowing sensitive data extraction in less than 30 seconds. Pixnapping was demonstrated on various devices, including Google Pixel and Samsung Galaxy models running Android versions 13 through 16, indicating that older Android versions are also at risk. An analysis of nearly 100,000 Play Store apps revealed hundreds of thousands of invocable actions through Android intents, highlighting the broad applicability of the attack. Examples of potential data theft include: - Google Maps: Timeline entries can take around 20–27 hours to recover. - Venmo: Account-balance regions can leak in approximately 3–5 hours. - Google Messages: Recovery requires roughly 11–20 hours. - Signal: Recovery takes about 25–42 hours, effective even with Screen Security enabled. Both Google and Samsung plan to address these vulnerabilities by the end of the year, but no GPU chip vendor has announced plans to patch the GPU.zip side-channel attack. Although the original exploit method was mitigated in September, an updated attack has successfully bypassed the fix. Google has indicated that exploiting this data leak requires specific information about the targeted device, resulting in a low success rate, and current assessments found no malicious apps on Google Play exploiting the Pixnapping vulnerability.