smishing Archives

AppWizard

November 4, 2025

Malicious Android apps on Google Play downloaded 42 million times

The Android ecosystem has seen a significant rise in malicious applications, with over 40 million harmful apps downloaded from Google Play between June 2024 and May 2025. There has been a 67% year-over-year increase in malware targeting mobile devices, particularly spyware and banking trojans. Cybercriminals are shifting tactics from card fraud to mobile payment exploitation, employing phishing, smishing, SIM-swapping, and payment scams. Banking malware transactions reached 4.89 million in 2025, with a slowed growth rate of 3%. Malicious applications increased from 200 to 239, totaling 42 million downloads, with adware now accounting for 69% of all detections. Spyware has surged by 220% year-over-year, with India, the U.S., and Canada being the most affected countries. Notable malware families include Anatsa, which targets financial institutions, Android Void (Vo1d), which affects Android TV boxes, and Xnotice, which targets job seekers. IoT devices, particularly routers, are also being exploited, with the majority of attacks occurring in the U.S. Zscaler recommends implementing security measures such as regular updates, trusting reputable publishers, and adopting zero-trust technology for organizations.

Tech Optimizer

November 3, 2025

70% of Americans think antivirus will protect their online privacy – here’s the real truth

A survey by NordVPN revealed that while 52% of American consumers claim to use antivirus software daily, many do not understand its fundamental functions. Over a quarter mistakenly believe antivirus software provides complete protection against online threats, which increases their vulnerability to identity theft and cyber threats. Additionally, more than a third of participants reported not using any form of cybersecurity software, despite concerns about data theft. Commonly misunderstood security tools include identity theft protection services, ad and tracker blockers, password managers, firewalls, and VPNs. Misunderstanding these tools can jeopardize online security, as personal information like email addresses and phone numbers can be exploited in phishing attacks. The survey highlighted the need for better cybersecurity education, as misconceptions about antivirus capabilities can leave users exposed to various online threats.

AppWizard

October 15, 2025

GhostBat RAT Android Malware Poses as Fake RTO Apps to Steal Banking Data from Indian Users

The GhostBat RAT campaign employs sophisticated malware distribution techniques, utilizing infection vectors such as WhatsApp, SMS with shortened URLs, GitHub-hosted APKs, and compromised websites to deliver malicious Android droppers. These droppers utilize multi-stage workflows, ZIP header manipulation, and string obfuscation to evade detection. The malware includes tools for stealing banking credentials and cryptocurrency miners, directing victims to phishing pages resembling the mParivahan app to collect sensitive information. SMS messages with banking keywords are exfiltrated to command and control servers, while incoming messages may be forwarded for OTP harvesting. Device registration occurs through a Telegram bot named GhostBatRat_bot. In July 2024, Android malware impersonating Regional Transport Office applications was documented, designed to steal contacts and SMS messages. Observations from September 2025 revealed over forty samples propagating through WhatsApp and SMS, ultimately delivering a malicious version of the mParivahan app. The malware initiates phishing activities by requesting SMS permissions and harvesting banking credentials. VirusTotal detections for the malware remain low due to its multi-layered dropper mechanisms and obfuscation techniques. The architecture of GhostBat RAT features multi-stage dropper workflows, native binary packing, and heavy string obfuscation. The first-stage dropper verifies device architecture and manufacturer, while subsequent stages decrypt and execute payloads, including a cryptominer library and a malicious APK for data theft. Victims encounter a counterfeit Google Play update page, leading to the installation of the malicious APK, which requests SMS permissions and presents a phishing interface. Users are prompted to enter their UPI PIN into a fake payment flow, which forwards the PIN to a Firebase endpoint. The campaign highlights the need for careful SMS permission management and vigilance against shortened URLs to combat emerging Android malware threats.

AppWizard

July 25, 2025

Fake Indian Banking Apps on Android Steal Login Credentials from Users

A recently discovered malicious Android application poses significant risks by masquerading as legitimate banking apps in India. It facilitates credential theft, conducts surveillance, and executes unauthorized financial transactions. The malware operates on a modular architecture with a dropper and primary payload, employing deceptive user interfaces and silent installation techniques to evade detection. The dropper requests extensive permissions, including ACCESSNETWORKSTATE, REQUESTINSTALLPACKAGES, and QUERYALLPACKAGES, to monitor connectivity, install secondary APKs without user awareness, and profile installed apps. It loads a hidden payload and initiates installation using an INSTALL_NOW flag, bypassing app store scrutiny. The main payload requests additional permissions such as READSMS, SENDSMS, and RECEIVESMS for intercepting one-time passwords (OTPs) and two-factor authentication (2FA) codes. It also requests REQUESTIGNOREBATTERYOPTIMIZATIONS, READPHONESTATE, and READPHONENUMBERS for uninterrupted execution, device fingerprinting, and potential call forwarding abuse. Data exfiltration occurs through Firebase Realtime Database, storing user IDs and intercepted SMS metadata. The malware uses Firebase for command-and-control operations and generates phishing pages resembling authentic banking interfaces. Delivery methods include smishing, email phishing, WhatsApp bots, vishing calls, SEO-poisoned websites, malvertising, Trojanized utilities, QR/NFC attacks, preloaded malware on counterfeit devices, and exploitation of accessibility service vulnerabilities. Indicators of compromise include specific SHA256 hashes for the base payload and main payload.

AppWizard

July 25, 2025

Malicious Android Apps Mimic as Popular Indian Banking Apps Steal Login Credentials

Attackers are exploiting India's reliance on digital financial services by distributing counterfeit Android applications resembling those of public and private banks. This campaign, detected on April 3, 2025, employs methods like smishing texts, QR codes, and search-engine manipulation to trick users into sideloading malicious software. Within 48 hours of discovery, over 7,000 devices attempted to connect to a specific Firebase Cloud Messaging endpoint. The malware uses permissions to bypass security measures, capture one-time passwords, and gain insights into installed applications for overlay attacks. It collects sensitive information such as phone numbers and CVVs, which are uploaded to a private database. The malware also enables call forwarding to the attacker's number and maintains persistence through various tactics. The infection mechanism involves a dropper that installs a secondary APK silently, evading detection by not displaying a launcher icon. Security experts recommend enhanced phishing detection and real-time sandbox analysis to combat these threats.

AppWizard

July 3, 2025

Fake Apps, AI Scams Drive 151% Android Malware Spike, Smishing Grows 692%, Spyware Quadruples

Android malware has surged by 151% since the beginning of the year, with a notable 147% increase in spyware in 2025. Spyware activity peaked in February and March, reaching nearly four times the baseline. Smishing attacks via SMS increased by 692% between April and May. Banking trojans and spyware are increasingly hidden in seemingly legitimate applications, such as fake loan services. Over 30% of Android devices run outdated software lacking security patches, exposing users to vulnerabilities. Cybercriminals are developing interconnected operations that target sensitive user data. Google Play Protect is not fully effective, and users are advised to download apps only from official sources, review app permissions, deny unnecessary notification access, keep software updated, and use trusted mobile security apps.