obfuscation

Winsage
September 23, 2025
Microsoft has lifted a compatibility hold that previously prevented devices with integrated cameras from upgrading to Windows 11 24H2 due to a face detection bug that caused app freezes. The hold, identified by safeguard ID 53340062, was implemented to protect users from these issues. With the bug resolved, eligible devices can now upgrade through the Windows Update release channel, although it may take up to 48 hours for the update to be offered. Microsoft also removed another safeguard hold affecting Bluetooth devices. Some compatibility blocks remain for devices using specific software and drivers. Windows 11 24H2 was officially launched in October 2024 for devices running Windows 11 22H2/23H2.
AppWizard
September 17, 2025
A mobile ad fraud operation called "SlopAds" infiltrated the Google Play Store with 224 malicious applications, which collectively achieved over 38 million downloads across 228 countries. The operation utilized advanced steganography and obfuscation techniques to deliver fraudulent advertising payloads while avoiding detection. SlopAds activated its fraud system selectively based on specific advertising campaigns, generating around 2.3 billion fraudulent bid requests daily, primarily from the United States (30%), India (10%), and Brazil (7%). The malicious apps exploited Firebase Remote Config to retrieve encrypted data for downloading a primary fraud module named "FatModule." This module was concealed within PNG image files, allowing it to bypass traditional security measures. The FatModule included anti-analysis features to evade detection by security researchers. Google has since removed all identified SlopAds applications from the Play Store and implemented protections through Google Play Protect.
AppWizard
September 17, 2025
Researchers from HUMAN’s Satori Threat Intelligence and Research Team discovered a digital advertising fraud operation called “SlopAds,” which involves 224 Android applications that have over 38 million downloads across 228 countries. SlopAds employs a multi-layered obfuscation strategy to deploy fraud modules that siphon ad revenue. The applications connect to Firebase Remote Config to retrieve an encrypted configuration that conceals URLs for PNG images containing fragments of an APK, which are reassembled to create the core fraud component known as FatModule. SlopAds generates approximately 2.3 billion bid requests daily, primarily targeting users in the United States (30%), India (10%), and Brazil (7%). Google Play Protect alerts users and blocks known SlopAds applications, and Google has removed these applications from the Play Store. Users who installed these apps from off-market sources remain vulnerable until they uninstall them.
AppWizard
September 17, 2025
224 malicious applications have been removed from the Google Play Store due to a significant ad fraud operation named "SlopAds," which amassed over 38 million downloads. The campaign spanned 228 countries, with the highest ad impressions from the United States (30%), India (10%), and Brazil (7%). The apps used sophisticated obfuscation techniques to evade Google’s security measures. Users are advised to uninstall these harmful applications, as they can negatively impact device performance by causing excessive data consumption and battery strain. Users who sideload apps from unofficial sources are particularly vulnerable to such threats. Security experts anticipate that similar ad fraud operations may occur in the future.
AppWizard
September 16, 2025
A large-scale Android ad fraud operation called "SlopAds" has been dismantled, involving 224 malicious applications on Google Play that generated 2.3 billion ad requests daily. The Satori Threat Intelligence team at HUMAN discovered that these apps were downloaded over 38 million times and reached users in 228 countries, with the U.S. accounting for 30% of ad impressions. The perpetrators used techniques like obfuscation and steganography to evade detection. If installed through ad campaigns, the apps would download a malicious module called "FatModule," which executed the ad fraud scheme by serving ads through hidden WebViews. The operation resulted in over 2 billion fraudulent ad impressions daily. Google has removed all known SlopAds applications from the Play Store and updated Google Play Protect to alert users to uninstall remaining instances.
Winsage
September 15, 2025
Microsoft has lifted the safeguard hold that restricted certain users from upgrading to Windows 11 24H2 due to compatibility issues with Bluetooth headsets and speakers. The bug, acknowledged in December, primarily affected systems using Dirac audio improvement software, causing audio-related malfunctions. The incompatibility was linked to the software component cridspapo.dll. On September 11, 2025, Microsoft announced the removal of the update block for devices with Dirac audio software, allowing them to upgrade to Windows 11, version 24H2. A new driver addressing the issue is available via Windows Update. However, upgrades remain blocked for devices with incompatible Intel Smart Sound Technology audio drivers, SenseShield Technology code-obfuscation drivers, wallpaper customization software, and integrated cameras.
Winsage
September 12, 2025
Microsoft will stop providing updates for the Home and Pro editions of Windows 11 23H2 on November 11, 2025. In contrast, the Enterprise and Education editions will continue to receive updates until November 10, 2026. Users are encouraged to upgrade to Windows 11 24H2, which became available in October 2024. Microsoft has implemented safeguard holds for the upgrade to address compatibility issues with certain drivers and software. As of July 2025, 59.9% of gamers are using Windows 11, and it has surpassed Windows 10 in market share, with over 53% of Windows systems running Windows 11. The last supported Windows 11 22H2 editions will reach their end of servicing on October 14.
Tech Optimizer
September 12, 2025
A newly identified strain of malware called ModStealer can bypass antivirus protections to steal data from cryptocurrency wallets on Windows, Linux, and macOS. It operated undetected for nearly a month, infiltrating systems through misleading job advertisements targeting software developers. ModStealer has multi-platform support and a stealthy execution chain, allowing it to launch simultaneous attacks across various operating systems. Upon execution, it scans for browser-based cryptocurrency wallet extensions, system credentials, and digital certificates. On macOS, it disguises itself as a background helper program to ensure continuous operation. Indicators of potential ModStealer infections include a hidden file named “.sysupdater.dat,” outbound connections to suspicious servers, unexpected background processes, unusual behavior from wallet extensions, and unauthorized access attempts to digital certificates. The malware poses significant risks to individual users by compromising private keys and seed phrases, and it could lead to large-scale thefts in the cryptocurrency industry. To protect against ModStealer, users are advised to use hardware wallets, enable multi-factor authentication, update antivirus software, avoid suspicious job ads, monitor startup processes, back up seed phrases offline, and use separate devices for transactions.