malicious app Archives

AppWizard

May 15, 2026

Android 16 VPN Bypass Lets Apps Reveal Users’ Real IP Address

A security vulnerability in Android 16 allows malicious applications to expose a user's real IP address, even with "Always-On VPN" and "Block connections without VPN" features activated. Discovered by security researcher 0x33c0unt and disclosed on April 30, 2026, the flaw exploits the registerQuicConnectionClosePayload feature, which lacks permission checks. This vulnerability has been verified on a Pixel 8 with Proton VPN active. Google has not released a patch, but users can disable the feature via ADB commands.

AppWizard

May 15, 2026

Android 16 Bug Allows Apps to Ignore VPNs and Leak IP Addresses

Android 16 may have a vulnerability that allows applications to bypass VPN protections, potentially exposing users' IP addresses. A security engineer reported this issue through Google’s Vulnerability Reward Program, but Google's security team deemed it "infeasible" to address. The vulnerability lies within the ConnectivityManager system service, which circumvents the VPN tunnel, leading to unencrypted traffic and exposure of sensitive information. This issue persists even with "Always-on VPN" or "Block connections without VPN" features enabled. Although there is no confirmed exploitation of this vulnerability, it poses ongoing risks for users. GrapheneOS has patched the issue, indicating a fix is possible. A debug command has been identified as a temporary workaround for affected users, but it requires caution and understanding of USB debugging mode.

AppWizard

April 28, 2026

10,000 Users Exposed As Fake Document Reader App Delivers Anatsa Banking Trojan

Security researchers from ThreatLabz discovered a malicious document reader app on the Google Play Store that delivered the Anatsa Android banking trojan. The app, which had over 10,000 downloads before its removal, disguised itself as a legitimate file management tool using the package name com.groundstation.informationcontrol.filestationbrowsefilesreaddocs. It employed a "dropper" technique to hide its malicious code, connecting to an external server to retrieve the malware payload after installation. Anatsa is designed to steal financial information by overlaying a fake login screen over legitimate banking apps, capturing user credentials and enabling unauthorized transactions. Users are advised to delete the app and monitor their financial accounts. Technical indicators for identifying infections include the Anatsa Installer SHA256 (5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20), Payload URL (http://23.251.108[.]10:8080/privacy.txt), Payload SHA256 Hash (88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f), and Command and Control servers (http://172.86.91[.]94/api/ and http://193.24.123[.]18:85/api/).

AppWizard

March 6, 2026

Research company claims spyware posing as Israel’s Red Alert Android app targeting users

Acronis Threat Research Unit (TRU) has uncovered a cyber espionage campaign targeting Israeli civilians through a fake version of the Red Alert app. The attack begins with a deceptive text message claiming to be from Israel's Home Front Command, urging users to download an updated app due to a malfunction. The fraudulent app closely resembles the legitimate Red Alert app but contains malware that collects sensitive personal information, including messages, contacts, location data, and device account details. This data is stored locally and then transmitted to a remote server controlled by the attackers. The hackers use certificate spoofing and other techniques to bypass Android's security measures, making the malicious app appear legitimate. Cybersecurity experts recommend that Israeli users take precautions to protect their personal information.

AppWizard

February 19, 2026

PromptSpy Android Malware Abuses Google Gemini to Automate Recent-Apps Persistence

Cybersecurity researchers have identified a new Android malware named PromptSpy that utilizes Google's Gemini AI chatbot to enhance its capabilities and persistence on infected devices. PromptSpy can capture lockscreen data, obstruct uninstallation, gather device information, take screenshots, and record screen activity. It integrates Gemini to analyze the current screen and provide instructions to keep the malware active in the recent apps list. The malware uses a hard-coded AI model and communicates with a command-and-control server via the VNC protocol, allowing remote access to the victim's device. It is financially motivated, targeting users in Argentina, and was developed in a Chinese-speaking environment. PromptSpy is distributed through a dedicated website and is considered an advanced version of a previously unidentified malware called VNCSpy.

Tech Optimizer

February 18, 2026

Fake Antivirus Program Threatens Android Phones and Steals Data – Jordan News | Latest News from Jordan, MENA

Cybersecurity experts have identified a malicious campaign targeting Android users through a counterfeit antivirus application called TrustBastion. This app serves as a vehicle for distributing malware that steals personal and banking information and provides attackers with remote access to infected devices. TrustBastion has been found on Hugging Face, complicating detection for users. The app masquerades as a legitimate security tool, prompting users to install a “necessary update” that contains malicious code. Once activated, the malware captures screenshots, displays fake login pages for financial services, and records sensitive information, which is sent to the hackers' servers. Attackers frequently re-upload modified versions of the app, maintaining its harmful functionality. Users are advised to download apps only from official stores, review ratings, and avoid untrusted APK files. Installing reputable antivirus solutions and activating Google Play Protect is recommended for enhanced security.

Tech Optimizer

December 30, 2025

How to Run an iPhone Malware Scan: Find and Remove Viruses

iPhones do not support traditional antivirus applications due to iOS's app sandboxing feature, which limits apps' access to system-level data. Users can identify potential malware by monitoring for unusual behaviors, such as overheating, fast battery drain, unexpected data usage spikes, unwanted Safari pop-ups, unfamiliar apps, repeated login prompts, and strange messages sent from their accounts. To investigate for malware, users should check device performance, review storage and data usage, monitor battery usage, and look for jailbreak indicators. If malware is suspected, users can take steps such as updating iOS and apps, restarting the device, deleting suspicious apps, clearing Safari data, removing unknown profiles, resetting network settings, restoring from a clean backup, or performing a factory reset as a last resort. iOS includes built-in protections against malware, such as App Store reviews, sandboxing, code signing, and regular security updates. However, iPhones are not completely immune to threats, and jailbreaking increases vulnerability. To protect against malware, users should keep iOS and apps updated, use strong passcodes, avoid jailbreaking, be cautious with links and attachments, use secure browsers, and consider using a VPN on public Wi-Fi. CyberGhost VPN can provide additional security on unsecured networks by encrypting internet traffic. While iPhones do not have built-in malware scanners, they incorporate various protections to prevent malware from reaching the device. Signs of potential malware include overheating, rapid battery drain, unexpected data usage spikes, and unusual app behavior. Malicious apps can occasionally bypass App Store scrutiny, and users should take immediate action if they suspect an infection. Generally, iPhones are considered more secure than Android devices due to stricter app controls.

AppWizard

December 18, 2025

Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App

A new Android malware campaign has been launched by the North Korean threat actor Kimsuky, introducing a variant called DocSwap. This malware is distributed via QR codes on phishing websites that impersonate CJ Logistics. Attackers use QR codes and notification pop-ups to lure victims into downloading the malware, which decrypts an embedded APK and activates Remote Access Trojan (RAT) capabilities. The malicious app is disguised as a legitimate application to bypass Android's security measures. Victims are tricked into installing the app through smishing texts or phishing emails that mimic delivery companies. The app downloads an APK named "SecDelivery.apk," which then loads the malware. It requests permissions to access various device functions and registers a service that simulates an OTP authentication screen. The app connects to an attacker-controlled server, allowing execution of commands such as logging keystrokes, capturing audio, and gathering sensitive information. Additionally, two other malicious samples have been identified, disguised as a P2B Airdrop app and a trojanized version of the BYCOM VPN app. The campaign also includes phishing sites mimicking popular South Korean platforms to capture user credentials.

AppWizard

November 29, 2025

The Spy in Your Pocket: How Ordinary Android Apps Are Turning Into Dangerous Spyware

Numerous commonly used Android applications, often appearing harmless, can contain malicious code that functions as spyware. These applications, which include phone cleaners, file managers, and wallpaper apps, can record screens, capture keystrokes, access microphones and cameras without consent, and transmit data to unknown servers. Uninstalling these apps may not eliminate the threat, as they can remain hidden. Users often grant unnecessary permissions to these apps, inadvertently allowing cybercriminals access to personal data. Recent cybersecurity assessments indicate a rise in mobile malware attacks, particularly in India, where weak enforcement and low awareness contribute to the problem. Spyware can drain device resources, leading to rapid battery depletion and lagging performance. Additionally, these apps can steal personal information, enabling identity theft and ongoing repercussions. Trusting apps solely based on their presence in the Play Store is a misconception, as modern spyware can bypass initial checks. To stay safe, users should verify developers, decline unnecessary permissions, conduct security scans, avoid third-party APKs, and keep their devices updated.

AppWizard

November 13, 2025

Google will let ‘experienced users’ keep sideloading Android apps

Google is revising its approach to app installation on Android devices, particularly for applications from unverified developers. Initially, a stringent verification requirement was announced, mandating developers to disclose personal information, which faced backlash for undermining user autonomy. Despite this, Google has introduced a more flexible option for “experienced users” to install apps from unverified sources with protective measures and warnings about potential risks. Additionally, a new type of developer account for students and hobbyists will bypass the comprehensive verification process, allowing easier access for emerging developers with restrictions on app installations. The verification process rollout is set for 2026 in select countries, with global expansion planned for 2027. Google is also navigating a settlement with Epic Games that may reduce developer fees and allow officially recognized third-party app stores.