modus operandi

AppWizard
November 3, 2025
HUMAN's Satori Threat Intelligence and Research Team has identified and dismantled an ad fraud scheme called SlopAds, linked to 224 applications that have over 38 million downloads from Google Play across 228 countries. The perpetrators used techniques like steganography to embed fraudulent payloads in apps, creating hidden WebViews that redirected users to cashout sites for generating illegitimate ad impressions and clicks. Google has removed all identified malicious applications and will notify affected users to uninstall them. Users are encouraged to enable Google's Play Protect feature to prevent future threats. Ad fraud poses risks to advertisers and developers by tricking ad networks into accepting fraudulent ads. Invalid traffic can arise from developers using prohibited ad practices, undermining trust in the mobile advertising ecosystem. Users are advised to uninstall flagged applications to protect their devices.
AppWizard
September 23, 2025
Android users are facing a security threat from a campaign aimed at extracting personal and financial information through a form of ad fraud called SlopAds, which has affected 224 Android applications with over 38 million downloads from the Google Play Store. Attackers embed corrupted advertisements in these apps, degrading device performance and generating revenue through fraudulent ad impressions and clicks. The malicious apps use steganography to conceal their activities, creating hidden WebViews that redirect users to hacker-controlled sites. Google has removed the identified malicious applications from the Play Store and will alert users to uninstall them. Security experts recommend enabling Google’s Play Protect feature to safeguard against harmful applications. Ad fraud undermines the integrity of the advertising ecosystem, harming reputable advertisers and developers. Users are advised to act promptly on notifications regarding infected applications to maintain device security.
Tech Optimizer
August 14, 2025
LunaSpy is a deceptive antivirus application that spreads primarily through Telegram and is not available on the official Google Play Store. It masquerades as a legitimate antivirus program, claiming to protect online banking activities. Upon installation, it conducts a superficial scan and displays false warnings to instill fear, prompting users to grant extensive permissions. Once installed, it can harvest personal data, access banking information, record audio and video, steal passwords, read SMS messages, track locations, and has been found to include a command for photo theft. Users are advised to avoid downloading LunaSpy and to exercise caution with applications from social networks or unofficial sources, relying instead on verified antivirus solutions from official app stores.
Winsage
August 8, 2025
A significant vulnerability in Microsoft Defender has been identified, allowing hackers to bypass the software and deploy Akira ransomware. This vulnerability exploits the legitimate driver rwdrv.sys, associated with the Intel CPU tuning tool ThrottleStop, granting cybercriminals kernel-level access to a target PC. Once access is obtained, hackers can introduce the driver hlpdrv.sys to manipulate the Windows Registry, disabling Microsoft Defender's protective measures. GuidePoint Security has noted that this method has been increasingly used in Akira ransomware attacks since July of this year. Users are advised to use reputable antivirus software and keep it updated to protect against such threats.
Winsage
August 5, 2025
Cybercriminals are using a sophisticated attack method involving a remote access trojan called RoKRAT, which is embedded within standard JPEG image files. This technique, a variant of steganography, allows the malware to evade detection by conventional security systems. The attack is linked to an advanced persistent threat group known as APT37. The process involves embedding a malicious module within a JPEG file, which, when opened, triggers the malware to inject its code into the MS Paint application. Researchers found that the RoKRAT module is often concealed in images downloaded from cloud storage services, complicating detection efforts. Authorities are warning users to exercise caution with files from unverified sources and to keep their security systems updated.
AppWizard
July 30, 2025
A recent alert has been issued for Android smartphone users about malicious applications found on the Google Play Store that pose significant risks to user security and personal data. Cybersecurity firm Cyble has identified over twenty deceptive apps, many mimicking well-known wallet and cryptocurrency applications, which redirect users to phishing sites that collect sensitive information, including banking and cryptocurrency credentials. Users are advised to uninstall specific harmful apps such as Pancake Swap, Suiet Wallet, Hyperliquid, Raydium, BullX Crypto, OpenOcean Exchange, Meteora Exchange, SushiSwap, and Harvest Finance Blog. Google recommends using the “Play Protect” feature to scan downloaded apps for safety.
AppWizard
May 9, 2025
Kaleidoscope is an ad-fraud attack targeting Android users by exploiting legitimate applications on the Google Play Store and offering malicious duplicates through third-party app stores. Approximately 2.5 million devices are affected monthly, with 20% of incidents occurring in India, and other impacted regions include Indonesia, the Philippines, and Brazil. Users unknowingly download legitimate-looking apps while malicious versions circulate elsewhere, leading to intrusive advertisements that disrupt user experience and generate revenue for cybercriminals. Google has removed flagged titles from the Play Store and is enhancing protections, but ad resellers often fail to properly vet their inventory. The adware causes device overheating, rapid battery drain, and sluggish performance, highlighting the need for user vigilance.
Winsage
March 7, 2025
The Akira ransomware group has demonstrated its ability to bypass Endpoint Detection and Response (EDR) tools by exploiting an unsecured webcam. In 2024, Akira was responsible for 15% of ransomware incidents addressed by the S-RM team. The group typically gains access through remote access solutions and uses tools like AnyDesk.exe. In a recent attempt to deploy ransomware on a Windows server, their initial effort was thwarted by EDR detection. Subsequently, they conducted an internal network scan and targeted a vulnerable webcam, which lacked EDR protection. By compromising the webcam, Akira deployed Linux-based ransomware to encrypt files across the victim’s network. This incident highlights the need for organizations to patch and manage IoT devices, audit networks for vulnerabilities, implement network segmentation, and monitor IoT traffic for anomalies.
AppWizard
February 25, 2025
Cybersecurity researchers discovered a predatory loan application called SpyLoan on the Google Play Store, which targeted Indian consumers and achieved around 100,000 downloads before being removed. The app presented itself as a financial management tool but required extensive permissions, accessing sensitive user information. User reviews indicated experiences of blackmail and low loan amounts. SpyLoan falsely claimed affiliation with a registered non-banking financial company and redirected users to download a separate loan application from an external site, circumventing some Google safeguards. Google confirmed the app's removal and stated that Android devices are protected against known malware through Google Play Protect.