modus operandi

AppWizard
May 11, 2026
Google removed 28 Android applications from the Play Store after security researchers at ESET identified them as scams. The apps, part of a campaign ESET calls “CallPhantom,” claimed to reveal private call logs, SMS records, and WhatsApp activity for any phone number. They attracted millions of downloads while delivering nothing but fabricated data: invented phone numbers and bogus call durations. Some charged for “detailed reports” that either never arrived or contained nonsense. Notably, the apps neither stole data from the victim's own phone nor installed malware; the fraud lay in selling illicit access that never existed. Users in India and the wider Asia-Pacific region were the primary targets.
AppWizard
May 8, 2026
Security researchers at ESET uncovered a scam family of 28 applications, dubbed "CallPhantom," which together accumulated over 7.3 million downloads on the Google Play Store. The apps promised access to call histories, SMS records, and WhatsApp call logs for any phone number, a capability no app can legitimately provide. They also requested intrusive device permissions, exposing users to privacy violations beyond the fraud itself. Payment flows varied: some apps used Google Play's billing system, while others circumvented it through third-party methods. ESET reported the apps to Google in December 2025, and they were removed from the Play Store; a recent search confirmed they are no longer available.
AppWizard
March 19, 2026
An Android banking Trojan known as Mamont is targeting users of the messaging platform Max, which has 100 million registered profiles. Mamont spreads mainly through family and parental chat groups: a deceptive message prompts the recipient to tap a link, the Trojan downloads silently, and the malware then targets online banking applications and siphons off payment data. The Max press service says reports of the spread are exaggerated, but concerns about user data remain, not least because all communications on Max are monitored by the state. Many users therefore keep a second device, nicknamed a Maxofon, to satisfy the platform's requirements while reserving their primary phone for everything else.
AppWizard
January 30, 2026
The Indian government has blocked the digital infrastructure of the Wingo app, a cyber-fraud network that sent fraudulent SMS messages from users' devices without their consent. Four associated Telegram channels with a combined 153,000 subscribers have been shut down, and over 53 related videos have been removed from YouTube. Wingo lured users with promises of quick financial gains, encouraging them to deposit funds for minor tasks or investments, then either shut down or blocked their accounts once the money arrived. Payments were routed through UPI or personal wallets, complicating traceability. The app also asked for access to personal data and supplied fake customer-care numbers. Android users are advised to avoid apps promising guaranteed profits, verify an app's legitimacy before installing it, and refuse permissions an app has no evident need for. The government recommends uninstalling suspicious apps, reporting them, and contacting the cybercrime helpline at 1930 for assistance.
AppWizard
November 3, 2025
HUMAN's Satori Threat Intelligence and Research Team has identified and dismantled an ad-fraud operation called SlopAds, spanning 224 applications with over 38 million downloads from Google Play across 228 countries and territories. The operators hid the fraud payload inside image files using steganography; once decoded on the device, it spawned hidden WebViews that loaded attacker-controlled cashout sites to generate illegitimate ad impressions and clicks. Google has removed all identified applications and will notify affected users to uninstall them; users are encouraged to keep Google Play Protect enabled. Ad fraud of this kind harms advertisers and legitimate developers alike by tricking ad networks into paying for invalid traffic, and invalid traffic generated through prohibited ad practices undermines trust in the mobile advertising ecosystem. Users should uninstall any flagged applications.
AppWizard
September 23, 2025
Android users face a threat from SlopAds, an ad-fraud campaign affecting 224 Android applications with over 38 million downloads from the Google Play Store. The apps conceal their fraud module with steganography and spawn hidden WebViews that load attacker-controlled sites, generating revenue for the operators through fraudulent ad impressions and clicks while degrading device performance. Google has removed the identified applications from the Play Store and will alert users to uninstall them. Security experts recommend keeping Google Play Protect enabled. Ad fraud undermines the integrity of the advertising ecosystem, harming reputable advertisers and developers. Users should act promptly on notifications about affected applications to keep their devices secure.
Tech Optimizer
August 14, 2025
LunaSpy is spyware disguised as an antivirus app; it spreads primarily through Telegram and is not available on the official Google Play Store. It poses as a legitimate antivirus product that protects online banking. After installation it runs a superficial scan, displays fabricated warnings to frighten the user, and uses that pretext to request extensive permissions. Once granted, it can harvest personal data, access banking information, record audio and video, steal passwords, read SMS messages, track location, and, per the analysis, includes a command for stealing photos. Users should not install LunaSpy and should be wary of any app offered through social networks or other unofficial channels, relying instead on verified security products from official app stores.
Winsage
August 8, 2025
Akira ransomware affiliates are bypassing Microsoft Defender with a bring-your-own-vulnerable-driver technique rather than a flaw in Defender itself. The attackers load rwdrv.sys, a legitimate signed driver shipped with the ThrottleStop CPU-tuning utility, to obtain kernel-level access on the target PC. With that access they install a second, attacker-supplied driver, hlpdrv.sys, which edits the Windows Registry to disable Defender's protections. GuidePoint Security reports that the method has been used in Akira intrusions with increasing frequency since July 2025. End users are advised to run reputable, up-to-date endpoint protection; defenders should additionally alert on kernel driver services that load rwdrv.sys or hlpdrv.sys and on changes to Defender's policy registry keys, and should enable Microsoft's vulnerable driver blocklist where available.
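A detection check for the pattern described above, written as an added example for this digest (it is not GuidePoint's or Microsoft's tooling). It assumes Sysmon-style telemetry flattened to `Key=Value` pairs separated by `|`, the Sysmon event IDs 6 (driver loaded) and 13 (registry value set), and that the registry tampering sets Defender policy values such as `DisableAntiSpyware` or `DisableRealtimeMonitoring`; the GuidePoint report summarised here names the two drivers but not the exact registry values, so those are an assumption. The sample log lines are constructed.

```python
"""Flag telemetry matching the ThrottleStop-driver / Defender-tampering pattern.

Constructed example for this digest, not vendor tooling. Assumes Sysmon-style
events flattened to 'Key=Value|Key=Value', Sysmon Event ID 6 (DriverLoad) and
13 (RegistryEvent, value set). The Defender policy values below are an
assumption: the summarised report names the drivers, not the registry values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Driver file names taken from the GuidePoint reporting summarised above.
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}

# Assumed tampering target: Defender's policy hive and the values that switch it off.
# Prefix matching also covers subkeys such as "...\Windows Defender\Real-Time Protection".
DEFENDER_POLICY_PREFIX = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
DEFENDER_KILL_SWITCHES = {"DisableAntiSpyware", "DisableRealtimeMonitoring"}

REASON_DRIVER = "suspect driver loaded"
REASON_TAMPER = "Defender policy kill switch set"


@dataclass
class Finding:
    event_id: int
    reason: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value|Key=Value' into a dict (constructed flat format)."""
    return dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)


def check_event(ev: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if the event matches either stage of the technique."""
    eid = int(ev.get("EventID", "0"))
    if eid == 6:  # Sysmon DriverLoad: compare the file name only, path may vary
        image = ev.get("ImageLoaded", "")
        if image.rsplit("\\", 1)[-1].lower() in SUSPECT_DRIVERS:
            return Finding(eid, REASON_DRIVER, image)
    elif eid == 13:  # Sysmon RegistryEvent (Value Set)
        target = ev.get("TargetObject", "")
        key, _, value = target.rpartition("\\")
        in_policy = key.lower().startswith(DEFENDER_POLICY_PREFIX.lower())
        # Sysmon renders DWORD data as "DWORD (0x00000001)"; 1 disables the feature.
        set_to_one = re.search(r"DWORD \(0x0*1\)", ev.get("Details", "")) is not None
        if in_policy and value in DEFENDER_KILL_SWITCHES and set_to_one:
            return Finding(eid, REASON_TAMPER, target)
    return None


def scan_log(text: str) -> List[Finding]:
    """Run check_event over every non-empty line and keep the hits."""
    events = (parse_event(line) for line in text.splitlines() if line.strip())
    return [f for f in (check_event(ev) for ev in events) if f is not None]


def triage(findings: List[Finding]) -> str:
    """Both stages on one host is the full pattern; either alone still merits a look."""
    reasons = {f.reason for f in findings}
    if REASON_DRIVER in reasons and REASON_TAMPER in reasons:
        return "high"
    return "medium" if reasons else "none"


# Constructed sample telemetry (not real captured logs).
SAMPLE_LOG = r"""
EventID=6|UtcTime=2025-07-15 03:12:41|ImageLoaded=C:\Windows\Temp\rwdrv.sys
EventID=6|UtcTime=2025-07-15 03:12:44|ImageLoaded=C:\Windows\Temp\hlpdrv.sys
EventID=13|UtcTime=2025-07-15 03:12:50|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware|Details=DWORD (0x00000001)
EventID=6|UtcTime=2025-07-15 03:13:02|ImageLoaded=C:\Windows\System32\drivers\tcpip.sys
EventID=13|UtcTime=2025-07-15 03:13:10|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater|Details=C:\Temp\x.exe
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.event_id}] {h.reason}: {h.detail}")
    print("severity:", triage(hits))
```

Matching on the driver's file name rather than its path is deliberate: the legitimate ThrottleStop driver can sit anywhere the attacker drops it, so a path-based rule would miss it. A stronger production rule would also key on the driver's hash or signer, which Sysmon records in the same event.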