malicious apps Archives

AppWizard

July 9, 2025

TapTrap Android Exploit Allows Malicious Apps to Bypass Permissions

A new Android vulnerability named TapTrap allows malicious applications to bypass the operating system's permission system without requiring special permissions. It exploits activity transition animations to mislead users into granting sensitive permissions or executing harmful actions. Researchers from TU Wien analyzed 99,705 applications on the Google Play Store and found that 76.3% are susceptible to this attack. TapTrap uses low-opacity animations (approximately 0.01 alpha) to make sensitive permission dialogs nearly invisible while still registering touch events. The attack can last up to six seconds and can lead to unauthorized access to critical functionalities like the camera and microphone, and even device administrator privileges. TapTrap bypasses existing defenses against tapjacking in Android, affecting popular web browsers as well. A user study showed that all participants failed to detect at least one variant of the attack. As of June 2025, Android 15 remains vulnerable, with no timeline for a comprehensive fix. The vulnerability has been assigned two CVEs, and researchers disclosed their findings to Google in October 2024. They propose solutions to mitigate the risks, including blocking touch events during low-opacity animations and setting an opacity threshold of 0.2.

AppWizard

July 9, 2025

Dangerous Android malware targets US banking apps – 50,000 people already affected, make sure you’re not next

A PDF reader app for Android, 'Document Viewer – File Reader', has been found to contain a banking trojan called Anatsa, introduced through a patch six weeks after its release. The app, published by 'Hybrid Cars Simulator, Drift & Racing', has over 50,000 downloads and specifically targets North American banking applications. Security researchers have noted a history of similar threats, with previous trojanized apps having significant download numbers. The Anatsa trojan scans for North American banking apps and overlays a deceptive interface to steal user credentials. Google has removed the app from the Play Store and advises users to uninstall it, conduct a system scan, and reset banking credentials. Google Play Protect provides automatic protection against malicious apps.

AppWizard

July 9, 2025

Android malware Anatsa infiltrates Google Play to target US banks

The Anatsa banking trojan has reappeared on Google Play as a PDF viewer app, accumulating over 50,000 downloads. It activates upon installation, targeting North American banking applications by presenting an overlay that allows unauthorized access, keylogging, and transaction automation. Researchers from Threat Fabric discovered that the app displays a fake notification about banking system maintenance to mask its activities. Anatsa has a history of infiltrating Google Play through various trojanized applications, with previous campaigns resulting in 300,000 downloads in November 2021, 30,000 in June 2023, and 150,000 in February 2024. In May 2024, Zscaler reported two new Anatsa applications on Google Play, achieving 70,000 downloads. The specific app identified is ‘Document Viewer – File Reader,’ published by ‘Hybrid Cars Simulator, Drift & Racing,’ which maintains a “clean” appearance until it builds a user base, after which malicious code is introduced via an update. Anatsa connects to a command-and-control server to monitor targeted applications. Google has removed the malicious app, advising users to uninstall it, scan their devices, and reset banking credentials. Users are encouraged to download apps only from reputable publishers and be cautious with permissions and reviews. Google Play Protect automatically protects users from known malicious apps.

AppWizard

July 4, 2025

Hundreds of Android apps band together in massive scam campaign targeting millions – here’s what we know

A significant ad fraud operation called the IconAds campaign has been uncovered by security researchers at HUMAN. This scheme involved hundreds of Android applications that displayed advertisements without user consent and concealed their icons on devices. The majority of traffic came from Brazil, Mexico, and the United States. Although Google has removed many of these malicious apps from the Play Store, the threat persists as cybercriminals adapt quickly, introducing new applications and using obfuscation techniques. The IconAds campaign has been active since 2019, highlighting ongoing risks to users. Users are advised to check download counts, read user reviews carefully, and examine reviewer accounts to protect against potential threats.

AppWizard

June 27, 2025

Your Android phone is getting a big security upgrade for free

Google has introduced various security features for Android users to protect against scams and malware. Key enhancements include: 1. Protection against scam calls with warnings and blocking actions related to disabling Google Play Protect, sideloading apps, and granting accessibility permissions. Screen sharing reminders will be provided on devices running Android 6 or higher. 2. In-call protections for banking apps, alerting users to potential risks when sharing screens with unknown callers, available for participating banks on devices running Android 11 or higher. 3. Improved scam detection in Google Messages, targeting various types of scams, including job scams, cryptocurrency scams, and technical support scams. 4. The Key Verifier tool for verifying contact identities through public encryption keys, ensuring private conversations. 5. Enhanced mobile theft protection with the Identity Check tool expanding to more devices running Android 16, reinforced protections against unauthorized factory resets, and hidden one-time passwords on the lock screen. 6. An Advanced Protection Program for targeted attacks, cryptographically verifying login operations on devices running Android 16. 7. Improvements to Google Play Protect, utilizing new on-device rules for malware detection and providing warnings about potentially malicious apps. 8. Ongoing commitment to enhancing overall Android security with each new version and updates to Google Play services.

AppWizard

June 19, 2025

Godfather Android malware now uses virtualization to hijack banking apps

A new iteration of the Android malware "Godfather" has emerged, utilizing advanced techniques to create isolated virtual environments on mobile devices for stealthy account data theft and transaction manipulation from legitimate banking applications. It targets over 500 banking, cryptocurrency, and e-commerce applications globally, employing a comprehensive virtual filesystem, virtual Process ID, intent spoofing, and a component called StubActivity. Godfather is delivered as an APK app with an embedded virtualization framework, scanning for installed target applications and launching them within its virtual environment. It intercepts user interactions with genuine banking apps, capturing sensitive data like credentials and PINs while presenting a legitimate interface. The malware can execute commands to unlock devices and initiate transactions while avoiding detection. Godfather first appeared in March 2021 and has evolved significantly since then, with the latest version representing a notable advancement over previous iterations. Users are advised to download apps only from trusted sources and remain cautious about app permissions to protect against this malware.

AppWizard

June 8, 2025

These apps tricked Google to list them in the Play Store and you must delete them from your phone

The Google Play Store has been infiltrated by deceptive applications that are part of a phishing campaign, as revealed by an investigation by Cyble. These applications mimic legitimate digital wallets, including names like SushiSwap, PancakeSwap, Hyperliquid, and Raydium, and have utilized over 50 domains to evade detection. The primary threat involves the extraction of users' mnemonic phrases, which are critical for accessing cryptocurrency and tokens. Users are advised to uninstall nine specific apps identified by Cyble: Pancake Swap, Suite Wallet, Hyperliquid, Raydium, BullX Crypto, OpenOcean Exchange, Meteora Exchange, SushiSwap, and Harvest Finance Blog, to protect their digital assets. Although many of these malicious apps have been removed from the Play Store, the risk persists for those who still have them installed.

AppWizard

June 3, 2025

Facebook, Yandex Apps Secretly Track Users Via Hidden Ports, Research Claims

Recent findings from IMDEA Networks Institute indicate that Facebook and Instagram apps have been tracking Android users' web browsing activities without consent, bypassing privacy controls and functioning even in incognito mode. This tracking affects millions of websites using Meta's tracking code. Yandex has employed similar tracking techniques since 2017, creating a cross-platform surveillance network. The tracking exploits Android’s permission system by establishing background services that listen on network ports, allowing the apps to capture browsing data and associate it with users' accounts. Meta's pixel is present on about 5.8 million websites, while Yandex Metrica is on around 3 million sites, potentially impacting billions of users. Approximately 78% of sites with Meta’s pixel and 84% of Yandex's sites attempted localhost communications without user consent. This tracking method operates at the operating system level, unaffected by cookie clearing, incognito modes, or privacy settings. Researchers have demonstrated that malicious apps could exploit this technique to gather users' browsing histories. Many website operators were unaware of these localhost communications, leading to confusion and complaints. In response, major browser vendors are implementing measures to block these tracking methods. Meta ceased this tracking on June 3rd, coinciding with the research's public release. The research highlights a significant security gap in mobile platforms regarding localhost communications, emphasizing the need for stricter policies and vetting processes.

AppWizard

June 2, 2025

Preinstalled Android Apps Found Leaking PINs and Executing Malicious Commands

On May 30, 2025, CERT Polska disclosed three security vulnerabilities affecting preinstalled Android applications on Ulefone and Krüger&Matz smartphones: CVE-2024-13915, CVE-2024-13916, and CVE-2024-13917. - CVE-2024-13915: The com.pri.factorytest application allows any app to invoke the FactoryResetService, enabling unauthorized factory resets due to improper export controls (CWE-926). - CVE-2024-13916: The com.pri.applock application exposes a public method that allows malicious apps to steal the user’s PIN, representing an exposure of sensitive system information (CWE-497). - CVE-2024-13917: The exported activity in com.pri.applock allows privilege escalation by enabling malicious apps to inject intents with system-level privileges if they have access to the compromised PIN (CWE-926). Users of affected devices are advised to seek firmware updates or mitigations from their vendors.

AppWizard

June 2, 2025

Vulnerabilities in Preinstalled Android Apps Expose PIN Codes and Allow Command Injection

Significant vulnerabilities have been identified in pre-installed applications on Ulefone and Krüger&Matz Android smartphones, disclosed on May 30, 2025. Three vulnerabilities affect these devices, including CVE-2024-13915, which targets the com.pri.factorytest application, allowing unauthorized factory resets. CVE-2024-13916 and CVE-2024-13917 affect the com.pri.applock application on Krüger&Matz smartphones, enabling malicious apps to extract user PIN codes and inject arbitrary intents. These vulnerabilities stem from improper export of Android application components, allowing malicious applications to bypass Android’s permission model. Users are advised to check for updates and consider disabling vulnerable applications.