malicious app Archives

AppWizard

November 29, 2025

The Spy in Your Pocket: How Ordinary Android Apps Are Turning Into Dangerous Spyware

Numerous commonly used Android applications, often appearing harmless, can contain malicious code that functions as spyware. These applications, which include phone cleaners, file managers, and wallpaper apps, can record screens, capture keystrokes, access microphones and cameras without consent, and transmit data to unknown servers. Uninstalling these apps may not eliminate the threat, as they can remain hidden. Users often grant unnecessary permissions to these apps, inadvertently allowing cybercriminals access to personal data. Recent cybersecurity assessments indicate a rise in mobile malware attacks, particularly in India, where weak enforcement and low awareness contribute to the problem. Spyware can drain device resources, leading to rapid battery depletion and lagging performance. Additionally, these apps can steal personal information, enabling identity theft and ongoing repercussions. Trusting apps solely based on their presence in the Play Store is a misconception, as modern spyware can bypass initial checks. To stay safe, users should verify developers, decline unnecessary permissions, conduct security scans, avoid third-party APKs, and keep their devices updated.

AppWizard

November 13, 2025

Google will let ‘experienced users’ keep sideloading Android apps

Google is revising its approach to app installation on Android devices, particularly for applications from unverified developers. Initially, a stringent verification requirement was announced, mandating developers to disclose personal information, which faced backlash for undermining user autonomy. Despite this, Google has introduced a more flexible option for “experienced users” to install apps from unverified sources with protective measures and warnings about potential risks. Additionally, a new type of developer account for students and hobbyists will bypass the comprehensive verification process, allowing easier access for emerging developers with restrictions on app installations. The verification process rollout is set for 2026 in select countries, with global expansion planned for 2027. Google is also navigating a settlement with Epic Games that may reduce developer fees and allow officially recognized third-party app stores.

AppWizard

November 5, 2025

6 Android apps reportedly recording users’ conversations

Recent investigations have identified a series of malicious Android applications capable of spying on users by extracting messages from platforms like WhatsApp and Signal, and recording conversations without consent. One such app, WaveChat, can capture background audio even when the microphone is not in use. These apps deploy a remote access trojan (RAT) called VajraSpy and are primarily targeting users in India and Pakistan, with only about 1,400 downloads noted. A total of 12 spyware apps were identified, including six available on the Google Play Store. These include Privee Talk, MeetMe*, Let’s Chat, Quick Chat, Rafaqat رفاق, and Chit Chat. Users are advised to be cautious about app permissions and to download applications only from reputable sources. ESET researchers also discovered two spyware apps posing as the Android Signal app, targeting users in the United Arab Emirates. One malicious app exploited the popularity of a Pakistani cricket player, although he is not involved in the malicious activity. The development of these spyware apps is attributed to Patchwork APT.

AppWizard

October 30, 2025

NFC Relay Attack: 700+ Android Apps Harvest Banking Login Details

Researchers at zLabs have identified over 760 malicious Android applications that exploit Near Field Communication (NFC) technology to steal banking credentials and facilitate fraudulent transactions. This cybercrime campaign has expanded from isolated incidents in April 2024 to a widespread operation targeting financial institutions in countries including Russia, Poland, the Czech Republic, Slovakia, and Brazil. The malware utilizes social engineering tactics by impersonating around 20 legitimate banking institutions and government services, such as VTB Bank, Tinkoff Bank, and the Central Bank of Russia. The malware ecosystem is supported by over 70 command-and-control servers and private Telegram channels for data exfiltration. Attackers deceive victims into granting dangerous NFC permissions, allowing the malware to intercept payment data during contactless transactions. Some campaigns use paired applications for data extraction and fraudulent purchases, while others focus solely on data exfiltration. The malware maintains communication with its command-and-control infrastructure, enabling real-time relay attacks to conduct transactions using victims' payment credentials. The rapid spread of this NFC-based payment malware highlights the adaptability of cybercriminals as contactless payment technologies become more common. Financial institutions are urged to enhance fraud detection systems, mobile device manufacturers should tighten NFC permission controls, and users are advised to be cautious when granting NFC access to applications.

Tech Optimizer

October 23, 2025

Delete the fake VPN app stealing Android users’ money

Malware targeting Android devices has become more sophisticated, with cybercriminals deploying fake banking applications and phishing campaigns. A recently identified dangerous app, Mobdro Pro IP TV + VPN, introduces a malware strain called Klopatra, which is used in campaigns against financial institutions. This app appears to be a free streaming platform but installs a banking Trojan and remote-access tool, allowing attackers to steal banking credentials and conduct fraudulent transactions. The infection process involves social engineering tactics to trick users into downloading the app from unofficial sources, and Klopatra can bypass Android's security measures. The rise of fake VPNs, like Mobdro, poses a significant risk, as many users rely on VPNs for privacy and security. Users are advised to take protective measures, including downloading apps only from trusted sources, checking app permissions, using secure VPNs, installing strong antivirus software, monitoring accounts, removing suspicious apps, keeping devices updated, changing passwords, enabling two-factor authentication, and reporting malicious apps.

AppWizard

October 16, 2025

Pixnapping: Side-Channel Vulnerability Allows Android Apps to Capture Sensitive Screen Data

A newly identified attack method called Pixnapping poses a significant threat to Android devices by allowing malicious applications to capture on-screen information from other apps through pixel stealing. This attack affects various applications, including Signal, Google Authenticator, and Venmo. Pixnapping occurs when a user installs a malicious app that uses Android APIs to launch a target application, capturing sensitive information displayed on the screen by exploiting a side channel. The attack utilizes the GPU.zip side-channel vulnerability, prevalent in modern GPUs from manufacturers like AMD, Apple, Arm, Intel, Qualcomm, and Nvidia. Currently, there are no mitigation strategies available for developers against Pixnapping, which can lead to the theft of locally stored secrets, such as two-factor authentication codes. The GPU.zip vulnerability was disclosed in 2023 and remains unaddressed by GPU vendors.

AppWizard

October 15, 2025

Google has patched ‘Pixnapping’ attack in Android, further fix with December security update

Google has acknowledged a significant vulnerability affecting secure applications like Authenticator and Signal, caused by a technique called "Pixnapping." This vulnerability has been exploited on Google Pixel devices and Samsung Galaxy smartphones. It takes advantage of weaknesses in the Android operating system, particularly through the Android Intent system, allowing malicious apps to request sensitive information from targeted apps. The vulnerability enables the extraction of sensitive pixels, which can be accessed via another vulnerability known as GPU.zip. The research team that discovered Pixnapping demonstrated the exploit on multiple Google Pixel models (Pixel 9, Pixel 8, Pixel 7) and a Samsung Galaxy S25. Google was alerted to the issue in February 2025 and released a partial fix in its September security update. However, a workaround for the CVE-2025-48561 vulnerability remains undisclosed and unaddressed in the current update. Google plans to issue an additional patch in the December security update and has stated that there have been no confirmed real-world exploitations of the vulnerability.

AppWizard

October 14, 2025

New Android Pixnapping attack steals MFA codes pixel-by-pixel

A new side-channel attack called Pixnapping allows malicious Android applications to extract sensitive data without permissions by stealing pixels displayed by applications or websites. This attack can reveal private information, including chat messages from secure apps like Signal, emails from Gmail, and two-factor authentication (2FA) codes from Google Authenticator. Developed by a team of researchers, Pixnapping works on fully patched modern Android devices and can exfiltrate 2FA codes in under 30 seconds. Google attempted to address this vulnerability (CVE-2025-48561) in a September update, but the researchers bypassed these measures. A more robust solution is expected in the December 2025 Android security update. The attack begins with a malicious app exploiting Android’s intents system to launch a target app or webpage, processed by the system’s composition engine, SurfaceFlinger. The malicious app identifies target pixels by executing graphical operations and uses a 'masking activity' to conceal the target app. The attacker modifies the cover window to display all opaque white pixels except for the chosen transparent pixel. The isolated pixels are enlarged using a stretch-like effect when applying blur, and an OCR-style technique is then used to recover the pixels. The researchers utilized the GPU.zip side-channel attack to leak visual information, achieving a data leakage rate of 0.6 to 2.1 pixels per second, allowing sensitive data extraction in less than 30 seconds. Pixnapping was demonstrated on various devices, including Google Pixel and Samsung Galaxy models running Android versions 13 through 16, indicating that older Android versions are also at risk. An analysis of nearly 100,000 Play Store apps revealed hundreds of thousands of invocable actions through Android intents, highlighting the broad applicability of the attack. Examples of potential data theft include: - Google Maps: Timeline entries can take around 20–27 hours to recover. - Venmo: Account-balance regions can leak in approximately 3–5 hours. - Google Messages: Recovery requires roughly 11–20 hours. - Signal: Recovery takes about 25–42 hours, effective even with Screen Security enabled. Both Google and Samsung plan to address these vulnerabilities by the end of the year, but no GPU chip vendor has announced plans to patch the GPU.zip side-channel attack. Although the original exploit method was mitigated in September, an updated attack has successfully bypassed the fix. Google has indicated that exploiting this data leak requires specific information about the targeted device, resulting in a low success rate, and current assessments found no malicious apps on Google Play exploiting the Pixnapping vulnerability.

AppWizard

October 14, 2025

Pixnapping revives a 12-year-old browser trick to steal Android pixels

Security researchers have revived a 12-year-old browser attack, now adapted for Android devices, called "Pixnapping," which allows malicious applications to extract pixel data from other apps or websites. The attack involves a malicious app opening a target application, such as Google Authenticator, and using timing tricks to infer displayed content by measuring rendering times based on specific pixels. This attack has been successfully demonstrated on devices including Google Pixel 6, 7, 8, and 9, and Samsung Galaxy S25, all running Android versions 13 to 16. Pixnapping does not require special manifest permissions, complicating detection. It can extract sensitive information from apps like Google Maps, Signal, and Venmo, and capture two-factor authentication codes from Google Authenticator. The mechanism enabling this attack is likely present across a broader range of devices, but the research does not provide specific defenses against it.

AppWizard

October 14, 2025

Severe Pixel vulnerability lets apps leak on-screen data like 2FA codes, Google working on December fix

A new class of Android attacks called Pixnapping allows installed applications to monitor the content displayed by other apps without requesting permissions. This attack can capture sensitive information, including Gmail previews, Google Maps timelines, and two-factor authentication codes, by exploiting Android’s rendering APIs and a hardware side channel. Pixnapping operates by manipulating Android intents to funnel pixels from a target app into the system's rendering pipeline, using timing variations from GPU compression to recover text. The attack has been demonstrated on various devices, including Google Pixel models 6 through 9 and the Samsung Galaxy S25. In February 2025, the vulnerability was disclosed to Google, which assigned it a CVE-2025-48561 rating and classified it as high risk. A patch was released in September, but a workaround was found, leading to ongoing collaboration with Google and Samsung for further fixes. Users are advised to maintain good app hygiene, avoid unknown APKs, and promptly install security updates. The researchers have not yet developed a universal mitigation app and advocate for platform-level fixes to address the vulnerabilities.