malware Archives

AppWizard

June 16, 2026

50+ Samsung Galaxy Store apps spread phone malware

Samsung's Galaxy Store had over 50 applications that unknowingly distributed a hidden Android trojan named MagicAd, which has since been removed. Users who downloaded these apps may still have the malware on their devices, as it establishes persistent background services that remain after the app is uninstalled and hides its icon. Signs of infection include unsolicited ads, battery drain, and unexplained data usage. The malware evades detection by assessing its environment and concealing its core code in encrypted files. Developers rotated the infected apps to maintain persistence and generated revenue through fraudulent ad impressions. Users are advised to run security scans and consider a factory reset if symptoms persist, ensuring to back up important files without including app settings. No app store can guarantee the exclusion of all threats, so users should check ratings and download counts before installing applications.

AppWizard

June 16, 2026

New Rokarolla Android Malware Steals PINs, SMS Codes, and Crypto Wallet Funds

Security researchers at Zimperium's zLabs have identified a new Android banking trojan named Rokarolla, which can target 217 banking and cryptocurrency applications and execute 137 remote commands. The malware spreads through deceptive websites that impersonate popular apps, installing a dropper that mimics Google Play Protect to gain Accessibility access. It uses overlay techniques to capture sensitive information by displaying counterfeit login pages and can intercept SMS messages, including one-time codes from banks. Rokarolla also features a keylogger, screen logger, and can rewrite clipboard contents to divert cryptocurrency payments. It employs advanced methods for discreet data capture and has multiple fallback command-and-control domains, making it resilient against takedowns. There is no patch available for this malware, and users are advised to install apps only from Google Play and remain cautious of unexpected Accessibility requests. Zimperium's products can detect this malware, and indicators of compromise are available on their GitHub repository.

Winsage

June 16, 2026

China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth

Cybersecurity researchers have identified two new Windows variants of the SprySOCKS backdoor, named WINDRV and WINPLUS, which were previously thought to be exclusive to Linux systems. Both variants feature hard-coded command-and-control configurations and can communicate via TCP, UDP, and WebSocket protocols. They support over 30 commands for operations such as system information collection and file management. WINDRV employs kernel drivers for stealth, obscuring network connections and allowing TCP traffic diversion. SprySOCKS was first documented by Trend Micro in September 2023, linked to the Chinese state-sponsored threat actor Earth Lusca, also known as FishMonger. The Windows variants belong to version 1.8 of SprySOCKS and utilize a kernel driver named RawWNPF for enhanced stealth. The attack chain begins with an initial access method that drops a batch script, leading to the installation of the backdoor. Evidence suggests these variants may have been used in attacks against government organizations in Honduras, Taiwan, Thailand, and Pakistan between 2023 and 2024. The WINPLUS variant was first detected in July 2024 in Pakistan. There are indications of a potential UEFI bootkit involvement exploiting CVE-2023-24932, a vulnerability in the Windows Boot Manager.

Tech Optimizer

June 16, 2026

Subscription twist: Norton 360 Deluxe adds more than just antivirus

Norton 360 Deluxe is a mid-tier security subscription from Gen Digital that offers antivirus protection, a VPN, a password manager, dark web monitoring, and parental controls for up to five devices. It includes real-time threat protection, a firewall, ransomware shielding, and cloud backup of up to 50 GB for Windows users. The parental controls, known as Norton Family, allow monitoring of children's online activities. The Secure VPN encrypts internet traffic on public Wi-Fi and masks IP addresses. The package also features PC SafeCam for webcam security and a smart firewall. Norton 360 Deluxe is marketed with a promotional first-year rate, with higher renewal prices, and is available through digital subscriptions, app stores, and major retailers. The product is designed for households and individuals seeking comprehensive security solutions.

Tech Optimizer

June 15, 2026

How to safely stay online while travelling

Traveling exposes individuals to potential cyber threats and scams. To enhance online security during travels, consider the following strategies: - Avoid using public Wi-Fi networks to protect sensitive information; instead, use mobile data or a global eSIM. - Use a Virtual Private Network (VPN) to conceal your IP address while browsing, but be aware of potential access restrictions on some websites. - Invest in a robust antivirus suite for all devices, including laptops and mobile phones. - Secure devices with login passwords and consider adding a password to your SIM card. - Enable two-factor authentication (2FA) for added security on accounts. - Research local scams and cybersecurity threats specific to your destination before traveling. - Keep apps and phone firmware updated to ensure the latest security enhancements.

AppWizard

June 15, 2026

Over 50 Android Apps Found Spreading MagicAd Trojan via Official Stores

A trojan named Android.MagicAd.1 has been identified as a significant threat to Android users, capable of delivering persistent background advertisements by circumventing built-in defenses. Detected in 2025, it has spread through over 50 infected games and utility applications, infiltrating both dubious download sites and official app stores like the Samsung Galaxy Store and Xiaomi’s GetApps. The malware employs a strategy of rotating applications to evade detection, remaining active on user devices after download. It uses hidden, encrypted components within native code libraries and conducts environment checks to avoid monitoring before launching its payload. Android.MagicAd.1 bypasses Android's restrictions by targeting trusted system applications, utilizing methods that vary by device manufacturer. For example, it uses a delayed system command on Xiaomi and Amazon devices, exploits Android Binder on Vivo devices, and employs a universal fallback method for other brands to gain priority for displaying ads. All identified malicious applications have been removed from official stores, but the campaign highlights the vulnerability of security software.

Winsage

June 15, 2026

Microsoft released the Windows 11 Secure Boot update for all PCs, how to verify yours

Microsoft has expanded the rollout of the Secure Boot 2023 certificate update to more Windows 11 and Windows 10 devices with the June 2026 Patch Tuesday update (KB5094126). This update aims to ensure that most supported consumer PCs are classified as high confidence, meaning necessary certificates are either installed or will be applied automatically. Secure Boot is a firmware security feature that verifies the software attempting to load during the startup process, blocking unauthorized software. The certificates supporting Secure Boot, issued in 2011, are expiring in stages starting June 24, 2026, prompting Microsoft to deploy replacement certificates. Most home users do not need to take manual action as the updates will occur automatically via Windows Update. Users can check their Secure Boot certificate status in the Windows Security app. A yellow warning indicates pending compatibility data, while a red alert suggests a firmware incompatibility requiring a BIOS update. Multiple reboots during the update process are normal, and a new SecureBoot folder in Windows is for staging cryptographic files. Older PCs may experience longer update times, and some may not receive updates due to firmware issues. HP users should check for BIOS updates if encountering BitLocker recovery loops. IT administrators should monitor device classifications and manually initiate updates for devices not in the high confidence category. Devices with Secure Boot disabled cannot receive updates, leaving them vulnerable. The expiration of the Microsoft Corporation KEK CA 2011 certificate on June 24 does not immediately affect device functionality, but it limits Microsoft's ability to sign new bootkit blacklist updates.

Tech Optimizer

June 14, 2026

Avast Free Antivirus: classic security staple for everyday PCs

Avast Free Antivirus is a free antivirus solution for Windows PCs developed by Avast (Gen Digital). It provides essential malware protection, real-time scanning, and web safety features without requiring a paid subscription. Users in the U.S. can download it from the official Avast website and install it on compatible Windows systems. The software identifies and blocks viruses, spyware, ransomware, and other forms of malware using signature-based detection and cloud-assisted analytics. It includes features such as real-time protection, on-demand scanning, an email shield, a Wi-Fi inspector, and behavior shields. Avast Free Antivirus offers automatic updates to ensure current protection against emerging threats. It serves as a gateway product to Avast's paid tiers, which offer additional features. The software is primarily aimed at home users who need basic antivirus protection and is available for free personal use.

Winsage

June 12, 2026

Hackers Use Fake Windows Update Installers to Deliver OnyxC2 Credential Stealer

OnyxC2 is a sophisticated credential stealer available for a subscription fee of 0 per month, distributed through disguised lures such as fake Windows updates and legitimate software installers. It functions as a commercial product with features like an automated payload builder, tiered licensing, and a centralized web dashboard. The malware boasts a 99% detection-evasion rate, successfully evading major antivirus solutions during tests. It is developed in C++, utilizing direct system calls and mutating with each build to avoid detection. OnyxC2 collects data from around 210 applications, targeting 45 web browsers, password managers, cryptocurrency wallets, and FTP clients. The malware is delivered using DLL sideloading, where a password-protected archive contains a legitimate application and a malicious DLL. The attacker's DLL is disguised by inflating its size and is loaded by a trusted binary. The malicious code remains encrypted on disk and decrypts in memory to evade analysis. OnyxC2 communicates with a Cloudflare-fronted command-and-control server to manage infected hosts and execute commands like hardware registration and cookie uploads. The threat extends to business environments, targeting FTP and email clients, with stolen session cookies allowing ongoing access to corporate infrastructure. Implementing anti-data exfiltration controls is recommended as a mitigation strategy.

Winsage

June 12, 2026

Microsoft’s bug-hunting nemesis extends vendetta with more zero-day attacks — Nightmare Eclipse publishes RoguePlanet and GreatXML local privilege escalation exploits

Nightmare-Eclipse, also known as Chaotic-Eclipse, has introduced two new exploits: RoguePlanet and GreatXML. RoguePlanet exploits a vulnerability in Windows Defender, allowing attackers to gain SYSTEM user access privileges by tricking a user into executing a script. This access enables attackers to execute commands beyond standard Administrator capabilities, siphon sensitive data, and install malware. GreatXML provides a method for bypassing BitLocker encryption by creating a specially crafted "unattend.xml" file and a "Recovery" directory on the Windows recovery partition. Microsoft has shifted its stance from threatening legal action against Eclipse and is now monitoring the situation, while Eclipse has postponed a planned mass disclosure of zero-day Windows vulnerabilities initially set for July 14 due to delays in developing RoguePlanet.