malware distribution Archives

AppWizard

April 21, 2026

NGate Android malware uses HandyPay NFC app to steal card data

A new variant of the NGate malware targets Android users by disguising itself within a trojanized version of the HandyPay app, which is a legitimate mobile payment processing application. This malware, documented since mid-2024, siphons payment card information through the mobile device's near-field communication (NFC) chip and sends the stolen data directly to attackers, who create virtual cards for unauthorized purchases or cash withdrawals from NFC-enabled ATMs. The new variant has been injected with malicious code into the HandyPay app, which has been available on Google Play since 2021. The code includes emojis, indicating the possible use of a generative AI tool in its development. The shift from previous iterations, which used an open-source tool named NFCGate, to HandyPay is likely motivated by financial considerations and the need for evasion, as HandyPay is more affordable and requires fewer permissions. This NGate variant has been active since November 2025, primarily targeting Android devices in Brazil. It employs two main distribution methods: a counterfeit app named “Proteção Cartão” hosted on a fraudulent Google Play page and a fake lottery website that redirects users to WhatsApp to download the malicious APK. Upon installation, the app prompts users to set it as their default NFC payment application, requests their card PIN, and instructs them to tap their card on the phone for reading, transmitting all collected information to an attacker's email address. To protect against such threats, Android users are advised to avoid downloading APKs from outside Google Play, disable NFC when not in use, and use Play Protect to scan for threats.

AppWizard

April 21, 2026

New NGate Android malware variant uses NFC app to steal card data

A new variant of the NGate Android malware exploits a legitimate NFC payment app, HandyPay, to steal users' card information and PINs, enabling unauthorized contactless transactions. This malicious version of HandyPay, which has been available since 2021, was identified by ESET researchers and is distributed through a fraudulent lottery website and a fake Google Play page. The malware captures sensitive information by prompting users to enter their payment card PIN and tap their card against the device, sending the data to an attacker-controlled phone and exfiltrating the PIN to a command-and-control server. The campaign employs social engineering tactics and requires minimal permissions, relying on users to enable app installations from unknown sources. The attackers use a centralized infrastructure for malware distribution and PIN collection, with evidence of compromised devices in Brazil. The shift to modifying a legitimate application is motivated by financial incentives, as it offers similar functionality at a lower cost compared to underground tools. Users are advised to avoid installing apps from unofficial sources and to ensure the legitimacy of applications before entering sensitive information.

AppWizard

March 20, 2026

Google eases Android app sideloading rules after

Google is implementing a policy change to allow easier installation of Android applications from sources outside its Play Store, following an antitrust settlement. This includes an "advanced flow" option that lets users bypass mandatory app verification safeguards through a structured process. The changes aim to balance user choice with protections against scams and malware risks. Previously, Google required all Android applications to be registered by verified developers to mitigate risks like malware and fraud. The new process requires users to enable developer mode, restart their devices, and undergo a waiting period of up to 24 hours before verifying their identity with biometrics or a PIN to install apps from unverified developers. Users can install these apps temporarily for up to seven days or indefinitely, with ongoing warning prompts. Additionally, Google is offering free, limited app distribution accounts for students and hobbyists to share apps without full developer verification.

AppWizard

March 20, 2026

Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams

Google has introduced a new "advanced flow" for Android sideloading, which includes a mandatory 24-hour waiting period for users installing applications from unverified developers. This follows a developer verification mandate requiring all Android applications to be registered by verified developers to help identify malicious actors and reduce malware distribution. The new sideloading protocol aims to mitigate risks from cybercriminals who may deceive users into disabling Play Protect, Google's anti-malware feature. Over 50 app developers and marketplaces, including F-Droid and Brave, have expressed concerns about the registration requirements, arguing they could create barriers and raise privacy issues. Google has outlined a one-time process for sideloading apps, which includes enabling developer mode, confirming voluntary sideloading, restarting the device, waiting 24 hours, and using biometric authentication or a PIN to install apps. Google plans to introduce free "limited distribution accounts" for hobbyist developers and students to share apps with up to 20 devices without needing government-issued IDs or registration fees. This process will not apply to installations via the Android Debug Bridge (ADB) and is set to be available in August 2026, ahead of new developer verification requirements. This announcement comes as a new Android malware, Perseus, targets users in Turkey and Italy, with at least 17 distinct Android malware families identified in the past four months.

AppWizard

March 19, 2026

New Android malware hiding in streaming apps to spy on users’ personal notes

Researchers have discovered a sophisticated malware called Perseus that targets Android users by disguising itself within television streaming applications to steal sensitive information, including passwords and banking details. This malware, reported by ThreatFabric, primarily affects users in Turkey and Italy and is based on the leaked code of previous Android banking trojans, particularly Cerberus. Perseus masquerades as IPTV service apps, often downloaded from unofficial sources, and employs overlay attacks and keylogging techniques to capture user credentials. It specifically targets personal note-taking applications like Google Keep, Evernote, and Simple Notes to extract sensitive information stored within them. The malware landscape is evolving, with new threats like the banking trojan Herodotus and the Crocodilus variant, which can manipulate contact lists. Users are advised to be cautious when downloading applications from unofficial sources.

Winsage

February 20, 2026

Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets

Attackers are using social media advertising, specifically paid Facebook ads, to promote a malware campaign disguised as legitimate Microsoft promotions. They create near-exact replicas of the official Windows 11 download page to lure users into downloading malicious software. The deceptive domains used include ms-25h2-download[.]pro and ms-25h2-update[.]pro. The malware campaign employs geofencing to selectively target victims, redirecting security researchers to benign sites while delivering malware to unsuspecting users. The malicious file, named ms-update32.exe, is hosted on GitHub and mimics the size of a legitimate Windows installer. Once executed, it checks for monitoring tools and, if none are detected, installs an application named "Lunar" that collects sensitive data, including cryptocurrency wallet information. The malware maintains persistence by writing data to the Windows registry and employs various obfuscation techniques to evade detection. The attackers run parallel ad campaigns with different Facebook Pixel IDs to ensure continued operation even if one is suspended. Indicators of compromise include specific file hashes, domains, file system artifacts, and registry keys associated with the malware.

Tech Optimizer

January 30, 2026

When Digital Guardians Turn Rogue: Inside the Avast Antivirus Supply Chain Attack That Exposed Millions

Avast's automatic update system was compromised, allowing malicious code to be distributed through its official channels, affecting potentially millions of users. This breach is characterized as a sophisticated supply chain attack, which exploited the software update mechanism, making it difficult to detect as the malware appeared legitimate. Security analysts noted a 300% increase in supply chain attacks over the past three years, with this incident highlighting vulnerabilities in security solutions. Avast has initiated an incident response, revoked compromised digital certificates, and is collaborating with cybersecurity firms to address the breach. European regulators have begun inquiries into Avast's data protection measures, and legal experts anticipate class-action lawsuits from affected users. The incident underscores a trend of attackers targeting security infrastructure itself, prompting calls for improved software distribution security and industry-wide standards.

Winsage

December 4, 2025

Microsoft Patches Widely Exploited Windows LNK Zero-Day

Cybercriminals are exploiting a vulnerability in Windows LNK (.lnk shortcut) files, identified as CVE-2025-9491, to deliver malware in targeted attacks. This flaw allows attackers to hide malicious commands within shortcut files, which execute when a user opens the crafted shortcut, leading to malware installation. The vulnerability has been actively exploited by at least 11 threat actor groups, including Evil Corp and Mustang Panda, with malware such as Ursnif and Trickbot being delivered through this exploit. Microsoft released a patch for this vulnerability in November 2025 after initially delaying it, citing the need for user interaction to trigger the exploit. Security recommendations include avoiding suspicious .LNK files, implementing strict email filtering, and applying the latest security updates.

Winsage

November 17, 2025

Windows 10 update failure, autonomous AI cyberattack, Feds fumble Cisco patches

Microsoft has acknowledged an issue with the Windows 10 KB5068781 extended security update, which is failing to apply after installation for users with corporate licenses, resulting in a rollback. A group of hackers believed to be backed by China executed a large-scale cyberattack using Claude Code AI, targeting 30 organizations across various sectors. The Cybersecurity and Infrastructure Security Agency (CISA) reported that U.S. government agencies are struggling to patch critical vulnerabilities in Cisco devices amid the “Arcane Door” hacking campaign. Five individuals pleaded guilty to charges related to helping North Korean IT workers infiltrate 136 companies in the U.S. from September 2019 to November 2022. Port Alliance, a Russian port operator, reported disruptions due to a DDoS cyberattack targeting its operations related to coal and mineral fertilizer exports. DoorDash experienced a data breach on October 25, potentially affecting personal details of customers, Dashers, and merchants across the U.S. and Canada, traced back to a social engineering scam. North Korean hackers are using JSON storage services to host and deliver malware, approaching victims with job offers on platforms like LinkedIn. Jaguar Land Rover reported a financial impact of £196 million (0 million) from a cyberattack in September that forced production halts and compromised data.

AppWizard

November 15, 2025

Android’s Most Controversial Feature is Not Going Away—For Now

Google has decided to maintain the option for sideloading unverified apps on Android, despite initially planning to eliminate it. This decision follows backlash from developers and users. The new sideloading framework will cater to advanced users who can acknowledge the risks of installing unverified software. Google may enhance the Android Debug Bridge (ADB) tool to facilitate this process, which will include warnings about the risks. The changes aim to improve user safety by preventing regular users from installing unknown applications, as sideloading has been exploited for malware distribution. Google plans to roll out this feature early next year and encourages developers to enroll in a new identity verification system for apps distributed outside the Play Store. The verification process will be less rigorous for students and hobbyists to promote innovation while prioritizing safety.