mobile security

AppWizard
September 16, 2025
A significant ad fraud and click fraud scheme known as SlopAds has been uncovered, involving a network of 224 applications that have collectively garnered 38 million downloads across 228 countries. The Satori Threat Intelligence and Research Team at HUMAN reported that these apps utilize steganography to embed hidden WebViews that redirect users to cashout sites controlled by the fraudsters, generating fraudulent ad impressions and clicks. At its peak, the SlopAds campaign was responsible for 2.3 billion bid requests daily, primarily from the United States (30%), India (10%), and Brazil (7%). Google has removed all implicated apps from the Play Store. The SlopAds scheme features conditional execution, where the ad fraud module, FatModule, is downloaded only if the app was installed following an ad click. The FatModule is concealed within four PNG image files and gathers device and browser information while executing ad fraud through hidden WebViews. Cashout mechanisms include HTML5 game and news websites owned by the threat actors, which monetize ad impressions and clicks. Approximately 300 domains promoting SlopAds apps have been identified, linking back to a secondary domain, ad2[.]cc, serving as a Tier-2 command-and-control server.
AppWizard
September 6, 2025
A team of researchers has developed an automated system using AI to identify vulnerabilities in Android applications, successfully detecting over 100 zero-day flaws in production apps. This system automates traditional vulnerability detection tasks, utilizing machine learning to analyze app behaviors, permissions, and data flows. The AI's ability to uncover critical issues, such as insecure data storage and improper API implementations, highlights the limitations of current app security protocols. While the technology shows promise, it faces challenges such as the potential for imprecise bug reports and ethical considerations regarding vulnerability ownership and disclosure methods. Experts predict that automated systems like this will become integral to app development workflows by 2025, enhancing the security of mobile applications.
AppWizard
September 2, 2025
Android droppers, originally designed to deploy banking Trojans, are now being repurposed to deliver simpler payloads like SMS stealers and spyware. There has been a notable increase in dropper campaigns, especially in Asia, shifting focus from financial malware to broader data exfiltration and surveillance. These droppers often masquerade as legitimate applications, gaining user permissions to install secondary malware that can read SMS messages, which is critical for hijacking two-factor authentication. Google is enhancing Android security with mandatory developer verifications by 2026, but droppers like SecuriDropper can evade detection through dropper-as-a-service models. Campaigns such as LunaSpy exploit messaging apps to deliver spyware disguised as antivirus software, increasing infection rates. Over 200 banking and cryptocurrency applications are potentially at risk due to these threats. To mitigate these risks, enterprises are encouraged to implement multi-layered defenses and proactive monitoring of app behaviors. The adaptive nature of droppers poses ongoing challenges for mobile security.
AppWizard
September 1, 2025
Recent research indicates a shift in the Android malware ecosystem, with dropper apps now being used to distribute simpler malware like SMS stealers and basic spyware, particularly in India and other parts of Asia. This change is attributed to enhanced security measures by Google, which aim to prevent the sideloading of harmful applications that request sensitive permissions. Attackers are adapting by designing droppers that avoid high-risk permissions and present users with innocuous update screens to bypass security scans. Notable dropper apps identified include RewardDropMiner, which has been linked to spyware and a Monero miner, and other variants such as SecuriDropper and Zombinder. Google has stated that it has not found any applications using these techniques in the Play Store and continues to enhance its security measures. Additionally, Bitdefender Labs has warned of a campaign using malicious ads on Facebook to promote a fake premium version of the TradingView app, which deploys the Brokewell banking trojan to extract sensitive information from users' devices.
AppWizard
August 25, 2025
Security experts at Doctor Web have identified a sophisticated Android spyware campaign targeting Russian business leaders, utilizing malware named Android.Backdoor.916. First detected in January 2025, this malware is distributed through APK files disguised as security applications, particularly under the name GuardCB, which mimics the emblem of the Central Bank of the Russian Federation. Other variants include “SECURITY_FSB” and “FSB,” and the app interface is exclusively in Russian. The malware is disseminated via private messages on popular messaging platforms, avoiding official app stores. Upon installation, it simulates device scans and generates fictitious threat reports while activating extensive spyware modules that request permissions for geolocation, camera and microphone usage, SMS and contact access, call logs, and background operation. It can transmit SMS messages, upload contact lists, forward call history and location data, and exfiltrate media. It also enables real-time audio streaming, video capture, and screen activity monitoring, using Accessibility Service to maintain a keylogger for intercepting sensitive content from various applications. Control over the malware is maintained through a modular system that reconnects to the command server every minute, with fallback connectivity options to multiple hosting providers. The malware is designed for targeted cyber-espionage rather than mass infections, focusing on corporate executives and business figures. Doctor Web's antivirus solutions for Android can detect and eliminate known variants of this backdoor, highlighting the vulnerability of high-value individuals to mobile spyware disguised as legitimate applications. Experts recommend enhancing mobile security policies and educating high-risk employees about social engineering tactics.
Tech Optimizer
August 24, 2025
A new strain of Android malware, named 'Android.Backdoor.916.origin,' has emerged from Russia's Federal Security Services (FSB) and targets executives in Russian businesses. Identified by Dr. Web, this malware is a standalone entity with no ties to previous malware families. It has capabilities including monitoring conversations, streaming video from the camera, logging user input, and exfiltrating data from messaging applications. Since its detection in January 2025, it has shown multiple iterations, indicating ongoing enhancements. The malware is specifically designed for Russian enterprises, using the Russian language in its interface and employing branding efforts that impersonate the Central Bank of Russia and the FSB. The malware masquerades as an antivirus tool but lacks protective features, simulating scans that yield false positives. It requests high-risk permissions such as geo-location access, SMS and media file access, and camera and audio recording capabilities. Once installed, it can exfiltrate SMS messages, contacts, call history, geo-location data, and stored images, activate the microphone and camera, capture text input from messaging and browser applications, and execute shell commands. It can switch between 15 different hosting providers, indicating resilience and adaptability. Dr. Web has made the complete indicators of compromise related to this malware available on their GitHub repository.
AppWizard
August 12, 2025
LunaSpy is an Android spyware that has been circulating since February 2025, primarily infiltrating devices through messaging platforms like Telegram. It disguises itself as a legitimate antivirus or banking protection app, tricking users into granting extensive permissions by initiating a fake virus scan and presenting false notifications of threats. Once installed, LunaSpy can steal passwords from browsers and messaging apps, record audio and video, access text messages, track geographical location, and execute commands on the device. The spyware also contains dormant code that may allow it to steal photos in future updates. Data collected by LunaSpy is sent to attackers via around 150 servers. Users are advised against downloading APKs from links shared through messaging apps and should uninstall any unfamiliar antivirus applications that request extensive access to their devices.