malicious application Archives

AppWizard

March 17, 2025

If you have an Android device, you may be at risk – this malicious application steals all the information from your device

A spyware known as KoSpy, linked to North Korean hacking groups APT37 and APT43, was found disguised as a File Manager app on the Google Play Store. This malicious app accessed private data such as text messages, call logs, device location, stored files, and user keystrokes. It could also gather Wi-Fi network details, list installed applications, and record audio, capture images, and take screenshots without user awareness. The app was downloaded approximately a dozen times before Google removed it after security researchers raised concerns. Google Play Protect and additional security measures from smartphone manufacturers help protect Android devices from such threats. Users are advised to scrutinize app permissions and download apps from official sources to minimize risks.

AppWizard

March 12, 2025

Not for the first time: North Korean hackers used fake apps to spread spyware on Android

Malware, specifically a new spyware variant called KoSpy, has been linked to a North Korean hacking group known as ScarCruft (APT37). Researchers at Lookout Threat Lab discovered KoSpy concealed within deceptive applications like file managers and security software. Once installed, it can extract sensitive information such as SMS messages, call logs, device location, and access files. It can also record audio and video, capture screenshots, and log keystrokes. The data collected is transmitted to Command and Control servers encrypted with a hardcoded AES key and utilizes Firebase Firestore for configuration data. At least one malicious application associated with KoSpy was found on the Google Play Store, downloaded over ten times, and similar apps were also on third-party app store APKPure. Google has since removed the identified applications and deactivated the related Firebase projects.

AppWizard

March 6, 2025

Android App With 220,000+ Downloads From Google Play Installs Banking Trojan

A sophisticated Android banking trojan campaign, known as Anatsa or TeaBot, has been downloaded over 220,000 times from the Google Play Store before its removal. The malware targets global financial institutions using a multi-stage infection process, deploying fake login overlays and exploiting accessibility services to steal user credentials and perform unauthorized transactions. The malicious app disguised itself as a "File Manager and Document Reader" and acted as a dropper, retrieving additional payloads from remote servers. It uses reflection-based code execution to evade detection and conducts anti-emulation checks to confirm it is on a genuine device. Anatsa requests critical permissions, including accessibility services and SMS access, to log keystrokes and bypass two-factor authentication. The campaign primarily targets users in Europe, especially Slovakia, Slovenia, and Czechia, but has the potential to expand to markets like the U.S., South Korea, and Singapore. It targets over 600 banking and cryptocurrency applications, enabling on-device fraud through automated transaction systems. Users are advised to avoid sideloading apps, audit app permissions, and monitor for updates from official stores. Google has removed the identified dropper, but similar threats persist. Indicators of compromise include specific network URLs and an MD5 hash for a sample.

AppWizard

March 6, 2025

Malicious Android App on Google Play Compromises 220,000+ Devices

Security researchers at ThreatLabz have identified a malware campaign operating through the Google Play Store that disseminated the Anatsa banking trojan, also known as TeaBot. The malicious app, disguised as a file manager and document reader, was downloaded over 220,000 times before its removal. The app initiated a multi-stage payload retrieval process after users granted accessibility permissions, allowing it to download the Anatsa payload and turn infected devices into tools for financial fraud. Anatsa uses overlay attacks and credential harvesting techniques, displaying fake login screens for banking applications to capture user credentials. It targets financial institutions across North America, Europe, and Asia, particularly mobile banking platforms. The malware employs evasion techniques, including delayed activation and encrypted communication, and maintains persistence by checking for accessibility service permissions. Initial data indicates concentrated infections in regions with high mobile banking usage, and the app's multilingual interface suggests a global targeting strategy. Google removed the app within 48 hours of the disclosure but it had been present for approximately eight weeks before detection. Google has initiated a mass uninstallation campaign for affected devices, while users are advised to perform factory resets, monitor financial accounts, enable Google Play Protect, and avoid granting permissions to unfamiliar apps. Investigations are ongoing to identify the threat actors, with links to Eastern European cybercrime syndicates suggested.

AppWizard

February 9, 2025

Android’s Google Play Store bug shows repeat app updates

The Google Play Store is experiencing a bug that causes some Android users to receive repeated app update notifications for applications that are already up to date. This issue appears in the "Pending downloads" section, where affected apps show notifications for updates despite having the latest versions installed. Genuine pending updates display the update size and date, while these repeat notifications do not. Affected apps include Gboard, Google Messages, Pocket Casts, and The Athletic, which download minimal data (1 to 2 MB) without making any changes. Reports of this issue have surfaced previously, indicating it is a recurring problem, and Google has not issued an official statement regarding it.

AppWizard

December 23, 2024

Urgent Android warning for anyone who uses Amazon – delete dangerous app now

McAfee's security team discovered a malicious app named "BMI CalculationVsn" in Amazon's Android Appstore, which pretended to be a health tracker but was capable of screen recording, password theft, and accessing private SMS messages. Following the report, Amazon removed the app from its platform, and users who downloaded it are advised to uninstall it immediately. McAfee recommends that Android users install reliable antivirus software, scrutinize permission requests before downloading apps, and monitor app behavior for unusual activity to enhance their security.

AppWizard

December 20, 2024

Amazon Appstore used to spread Android malware — delete this malicious app right now

Researchers at McAfee Labs found a malicious app named BMI CalculationsVsn on the Amazon Appstore, disguised as a body mass index calculator. The app activates screen recording when users click the “Calculate” button, potentially capturing sensitive information. Although it was designed to record video, the developer had not implemented the capability to upload recordings. The app could still scan for installed applications and collect text messages. It was uploaded to the Amazon Appstore in early October and was removed after McAfee alerted Amazon. Users who installed it need to delete it manually.

Winsage

November 22, 2024

The official “Bing Wallpaper app” does some nasty, malware-like things to Windows

Microsoft has introduced the Bing Wallpaper app to the Windows Store, allowing users to update their desktop backgrounds daily with images from the Bing homepage. Concerns have been raised by developer Rafael Rivera regarding the app's security and privacy risks, including the automatic installation of Bing Visual Search, code for decrypting cookies from other browsers, integration of a geolocation web API, attempts to change default browser settings, and forced prompts to enable the Bing Search extension. Rivera has labeled the app as malicious and provided a list of extensions users may need to block. The online community has reacted negatively, with some users suggesting the possibility of a class action lawsuit. Alternatives to Bing Wallpaper exist that do not compromise user privacy, and Windows 11 offers built-in options for changing desktop backgrounds.

Tech Optimizer

November 22, 2024

Microsoft Defender Is Not Enough Anymore—This Malware Gets Around It

A victim lost over ,000 in cryptocurrency due to a malware attack that bypassed Microsoft Defender. The attacker persuaded the victim to download a malicious application disguised as a game called Orbit Unit via Telegram. The malware accessed the victim's Google passwords through an unlocked Bitwarden, compromising his cryptocurrency wallet. Despite having Malwarebytes installed, it did not provide real-time protection, only identifying the malware after the damage was done. Researchers confirmed that Microsoft Defender failed to block the malware or detect it once operational. The malware used PowerShell to execute scripts and installed a deceptive Chrome extension to steal credentials and manipulate browser activity. In tests, Malwarebytes with real-time protection blocked the malware, while Bitdefender prevented access to sensitive information. The malware did not execute if the user was located in Russia, Ukraine, or Belarus. SafetyDetectives advised against storing wallet passwords digitally and recommended using reputable antivirus software with real-time protection. They also suggested limiting cryptocurrency in browser wallets and using hardware wallets for significant amounts.

Winsage

November 15, 2024

November delivers a heap of Microsoft patches for admins

Microsoft released updates addressing 89 CVE-listed security vulnerabilities, including two actively exploited flaws: CVE-2024-49039 (Windows Task Scheduler, CVSS 8.8) allowing privilege escalation, and CVE-2024-43451 (NTLM spoofing, CVSS 6.5) enabling account impersonation. Other critical vulnerabilities include CVE-2024-43602 (Azure CycleCloud, CVSS 9.9) allowing remote code execution, CVE-2024-43498 (.NET and Visual Studio, CVSS 9.8) exploitable via malicious requests, and CVE-2024-43639 (Windows Kerberos, CVSS 9.8) leading to remote code execution. CISA added the Windows Task Scheduler and NTLMv2 vulnerabilities to its Known Exploited Vulnerabilities Catalog and reported an increase in zero-day exploitations in 2023 compared to 2022. Citrix, Intel, AMD, and Adobe also released patches for various vulnerabilities.