malicious application

Winsage
October 22, 2025
The United States’ Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a critical security vulnerability in the Windows SMB protocol, identified as CVE-2025-33073, which allows attackers to escalate their privileges to SYSTEM level. All versions of Windows Server, Windows 10, and Windows 11 up to version 24H2 are affected. Microsoft addressed this issue in June 2025 during its Patch Tuesday updates. The vulnerability arises from inadequate access control, enabling authenticated attackers to elevate their privileges by deceiving victims into connecting to a malicious server. Information about this vulnerability was public at the time of the patch, but Microsoft has not confirmed any active exploitation. CISA has mandated that U.S. federal agencies secure their systems by November 10 and encourages the private sector to address the vulnerability as well. Organizations should prioritize installing the June 2025 security updates.
AppWizard
October 16, 2025
A newly identified attack method called Pixnapping poses a significant threat to Android devices by allowing malicious applications to capture on-screen information from other apps through pixel stealing. This attack affects various applications, including Signal, Google Authenticator, and Venmo. Pixnapping occurs when a user installs a malicious app that uses Android APIs to launch a target application, capturing sensitive information displayed on the screen by exploiting a side channel. The attack utilizes the GPU.zip side-channel vulnerability, prevalent in modern GPUs from manufacturers like AMD, Apple, Arm, Intel, Qualcomm, and Nvidia. Currently, there are no mitigation strategies available for developers against Pixnapping, which can lead to the theft of locally stored secrets, such as two-factor authentication codes. The GPU.zip vulnerability was disclosed in 2023 and remains unaddressed by GPU vendors.
AppWizard
October 15, 2025
Android smartphones are being targeted by malware named "Pixnapping," which uses pixel-stealing technology to extract information directly from the screen without requiring elevated permissions. This malware captures repeated background screenshots to read pixels, allowing it to surveil sensitive information such as messages, passwords, and two-factor authentication (2FA) codes. The extracted data is transmitted to a remote server controlled by attackers, enabling them to infiltrate accounts and perform actions like altering settings or making purchases. The malware's effectiveness varies by device, with a recovery rate of 53% for 2FA codes on the Pixel 9 and 73% on the Pixel 6. A vulnerability in Android APIs, designated as CVE-2025-48561, is exploited by this malware. Google was notified of the vulnerability in February and issued a partial fix in September, but the issue remains unresolved. Users are advised to keep their devices updated, enable built-in protections, avoid unverified apps, and consider hardware-based two-factor authentication for enhanced security.
AppWizard
October 15, 2025
The GhostBat RAT campaign employs sophisticated malware distribution techniques, using infection vectors such as WhatsApp, SMS with shortened URLs, GitHub-hosted APKs, and compromised websites to deliver malicious Android droppers. These droppers use multi-stage workflows, ZIP header manipulation, and string obfuscation to evade detection. The malware bundles both banking-credential stealers and cryptocurrency miners, and directs victims to phishing pages resembling the mParivahan app to collect sensitive information. SMS messages with banking keywords are exfiltrated to command and control servers, while incoming messages may be forwarded for OTP harvesting. Device registration occurs through a Telegram bot named GhostBatRat_bot. In July 2024, Android malware impersonating Regional Transport Office applications was documented, designed to steal contacts and SMS messages. Observations from September 2025 revealed over forty samples propagating through WhatsApp and SMS, ultimately delivering a malicious version of the mParivahan app. The malware initiates phishing activities by requesting SMS permissions and harvesting banking credentials. VirusTotal detections for the malware remain low due to its multi-layered dropper mechanisms and obfuscation techniques. The architecture of GhostBat RAT features multi-stage dropper workflows, native binary packing, and heavy string obfuscation. The first-stage dropper verifies device architecture and manufacturer, while subsequent stages decrypt and execute payloads, including a cryptominer library and a malicious APK for data theft. Victims encounter a counterfeit Google Play update page, leading to the installation of the malicious APK, which requests SMS permissions and presents a phishing interface. Users are prompted to enter their UPI PIN into a fake payment flow, which forwards the PIN to a Firebase endpoint.
The campaign highlights the need for careful SMS permission management and vigilance against shortened URLs to combat emerging Android malware threats.
AppWizard
October 15, 2025
Google has acknowledged a significant vulnerability affecting secure applications like Authenticator and Signal, caused by a technique called "Pixnapping." This vulnerability has been exploited on Google Pixel devices and Samsung Galaxy smartphones. It takes advantage of weaknesses in the Android operating system, particularly through the Android Intent system, allowing malicious apps to request sensitive information from targeted apps. The vulnerability enables the extraction of sensitive pixels, which can be accessed via another vulnerability known as GPU.zip. The research team that discovered Pixnapping demonstrated the exploit on multiple Google Pixel models (Pixel 9, Pixel 8, Pixel 7) and a Samsung Galaxy S25. Google was alerted to the issue in February 2025 and released a partial fix in its September security update. However, a workaround for the CVE-2025-48561 vulnerability remains undisclosed and unaddressed in the current update. Google plans to issue an additional patch in the December security update and has stated that there have been no confirmed real-world exploitations of the vulnerability.
AppWizard
October 14, 2025
Recent findings reveal a vulnerability in Android devices from Google and Samsung that allows a sophisticated side-channel attack known as Pixnapping, enabling malicious actors to extract sensitive information such as two-factor authentication (2FA) codes and Google Maps timelines without user awareness. Pixnapping is a pixel-stealing framework that targets Android devices, circumventing browser protections and accessing data from non-browser applications like Google Authenticator. The attack exploits Android APIs and a hardware side-channel, allowing a malicious app to capture 2FA codes quickly. The study focused on devices running Android versions 13 to 16, with uncertainty regarding vulnerabilities in devices from other manufacturers. The attack can be executed by any Android app without special permissions, relying on user installation of the malicious app. It combines a previously disclosed vulnerability (GPU.zip) with Android's window blur API to leak rendering data. The attack manipulates the rendering pipeline to steal pixels from target apps. Three critical factors contribute to Android's susceptibility: the ability to send another app's activities to the rendering pipeline via intents, induce graphical operations on another app's pixels, and measure pixel color-dependent side effects from these operations. Google is tracking this issue as CVE-2025-48561, with a CVSS score of 5.5. Patches were released in the September 2025 Android Security Bulletin, but a workaround may re-enable Pixnapping. The vulnerability also allows attackers to determine installed applications on a device, bypassing restrictions from Android 11. Google has categorized this app list bypass as "won't fix."
AppWizard
October 14, 2025
A new attack method called Pixnapping has been developed, allowing malicious applications to capture sensitive information like two-factor authentication (2FA) codes and location data in under 30 seconds without requiring system permissions. This attack has been successfully demonstrated on devices such as the Google Pixel and Samsung Galaxy S25, and it can adapt to other models. Despite Google's release of mitigations, modified versions of the attack remain effective. The malicious app prompts targeted applications to display sensitive information, which it can then capture by mapping graphical operations to screen coordinates. Information not displayed on the screen, such as secret keys within an app, is secure from this attack. Pixnapping is similar to a previous attack called GPU.zip, which exploited vulnerabilities in graphics processing units (GPUs) to extract sensitive visual data, and the weaknesses exploited by GPU.zip have not been fixed.
AppWizard
September 6, 2025
The Android ecosystem is facing security challenges due to vulnerabilities CVE-2025-38352 and CVE-2025-48543. CVE-2025-38352 is a critical flaw in the Android Kernel related to alarm clock management, allowing potential exploitation for elevated system controls. Google has released a patch in the September 2025 security update, and users should check their device's security status to ensure it is updated. CVE-2025-48543 affects the Android Runtime (ART), enabling unauthorized access through malicious applications. Google has warned that these vulnerabilities may have been exploited, particularly against journalists, government officials, and activists, without user interaction. Users are advised to update their devices, install the latest security updates, download apps only from trusted sources, and keep Google Play Protect enabled.
Winsage
August 19, 2025
Microsoft has identified a sophisticated malware called PipeMagic, disguised as a ChatGPT desktop application, linked to the threat actor Storm-2460, which uses it in preparation for ransomware attacks. This malware exploits a zero-day vulnerability (CVE-2025-29824) affecting the Windows Common Log File System Driver (CLFS), first disclosed in April. PipeMagic has targeted sectors such as information technology, financial services, and real estate across the U.S., Europe, South America, and the Middle East. It emerged in 2022 during attacks on Asian entities and resurfaced in September 2024. Victims see a blank screen upon opening the malicious application, complicating detection. The attackers modified an open-source ChatGPT project to embed malicious code that activates the malware, allowing privilege escalation and ransomware deployment. Kaspersky reported that PipeMagic was used in a RansomExx ransomware campaign, and Symantec noted its exploitation by the Play ransomware group.
AppWizard
July 15, 2025
Zimperium’s zLabs security research team has identified a new variant of the Konfety Android malware, which employs advanced evasion techniques to bypass security analysis tools while executing fraudulent advertising operations globally. The Konfety malware family, first recognized during a mobile advertising fraud campaign in 2024, initially involved over 250 decoy applications on the Google Play Store and was responsible for 10 billion fraudulent ad requests daily. The malware uses ZIP-level manipulation tactics to disrupt analysis tools: it sets a misleading General Purpose Bit Flag in the APK’s ZIP structure so that tools prompt for a password, and it declares an unsupported compression method for the AndroidManifest.xml entry so that analysis tools crash when they try to read it. Additionally, it uses dynamic code loading and obfuscation to hide malicious functionality, embedding executable code within encrypted assets and maintaining a benign appearance during installation. The malware has developed a command-and-control infrastructure that initiates contact through a sequence of network requests after the user accepts an agreement. It also employs stealth techniques to conceal its application icon and name, complicating user identification and removal. Behavioral detection systems can identify malicious activity by monitoring application behavior patterns and network communications.