SMS messages Archives

AppWizard

December 25, 2025

Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale

Threat actors in Uzbekistan are increasingly using sophisticated tactics to target mobile users, specifically through malicious dropper applications that appear as legitimate software. A recent analysis by Group-IB identified an Android SMS stealer called Wonderland, which was previously known as WretchedCat. Unlike traditional Trojan APKs that activate malware immediately upon installation, Wonderland utilizes droppers that activate malicious payloads locally after installation, even without an internet connection. Wonderland enables bidirectional command-and-control communication, allowing real-time execution of commands, including SMS theft and USSD requests. It disguises itself as Google Play or various file formats to evade detection. The financially motivated group behind this malware, TrickyWonders, uses Telegram for coordination and was first detected in November 2023. Wonderland is associated with two dropper families: MidnightDat and RoundRift. Propagation methods for Wonderland include counterfeit Google Play Store pages, Facebook ads, and fake accounts on dating apps. Attackers exploit stolen Telegram sessions from Uzbek users to distribute APK files. Once installed, Wonderland can access SMS messages, intercept one-time passwords, and siphon funds from victims' bank accounts. It can also retrieve phone numbers, exfiltrate contact lists, suppress security alerts, and send SMS messages from compromised devices. Users must enable installations from unknown sources to sideload the app, often misled by a fake update screen. If granted permissions, attackers can hijack the phone number and log into the associated Telegram account, perpetuating the malware's spread. Wonderland represents a significant evolution in mobile malware in Uzbekistan, moving from basic malware like Ajina.Banker to more sophisticated variants like Qwizzserial. The use of dropper applications enhances its deceptive nature, allowing it to evade security checks. Both the dropper and SMS stealer components are heavily obfuscated, complicating reverse engineering. The supporting infrastructure for Wonderland is dynamic, with rapidly changing domains complicating monitoring efforts. Malicious APKs are generated through a Telegram bot and distributed by a network of threat actors. New strains of malware, such as Cellik, Frogblight, and NexusRoute, have also emerged, each capable of harvesting sensitive information from compromised devices.

AppWizard

December 22, 2025

Frogblight Malware Targets Android Users With Fake Court and Aid Apps

A new Android-based Trojan named Frogblight is targeting mobile users in Turkiye to steal funds from bank accounts. Identified by Kaspersky's Securelist in August 2025, it spreads through smishing, where scammers send deceptive SMS messages about legal court cases or financial aid. These messages often include links to download malicious applications disguised as legitimate support tools. The malware, which can conceal itself and deactivate on simulated devices or within the U.S., requests extensive permissions to access SMS messages and device storage. Once installed, it opens a legitimate government website to appear credible and injects JavaScript to record keystrokes during banking logins. Recent versions have added keylogging, contact list theft, and private call log collection. The malware has evolved to disguise itself as the Google Chrome browser and other tools, and its source code is available on GitHub, indicating it may be marketed as malware-as-a-service. Kaspersky advises users to avoid downloading APK files from untrusted sources and to scrutinize app permission requests.

AppWizard

December 18, 2025

Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App

A new Android malware campaign has been launched by the North Korean threat actor Kimsuky, introducing a variant called DocSwap. This malware is distributed via QR codes on phishing websites that impersonate CJ Logistics. Attackers use QR codes and notification pop-ups to lure victims into downloading the malware, which decrypts an embedded APK and activates Remote Access Trojan (RAT) capabilities. The malicious app is disguised as a legitimate application to bypass Android's security measures. Victims are tricked into installing the app through smishing texts or phishing emails that mimic delivery companies. The app downloads an APK named "SecDelivery.apk," which then loads the malware. It requests permissions to access various device functions and registers a service that simulates an OTP authentication screen. The app connects to an attacker-controlled server, allowing execution of commands such as logging keystrokes, capturing audio, and gathering sensitive information. Additionally, two other malicious samples have been identified, disguised as a P2B Airdrop app and a trojanized version of the BYCOM VPN app. The campaign also includes phishing sites mimicking popular South Korean platforms to capture user credentials.

AppWizard

December 8, 2025

Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features

Cybersecurity researchers have identified two new families of Android malware, FvncBot and SeedSnatcher, as well as an upgraded version of ClayRat. FvncBot is designed to target mobile banking users in Poland, masquerading as a security application from mBank. It is built from scratch and includes features such as keylogging, web-inject attacks, screen streaming, and hidden virtual network computing (HVNC). It uses a crypting service called apk0day and communicates with a remote server at naleymilva.it.com. FvncBot requests accessibility permissions to operate with elevated privileges and can perform various malicious activities, including exfiltrating data and delivering overlays on targeted applications. SeedSnatcher is disguised as a cryptocurrency wallet app called Coin and is distributed via Telegram. It focuses on stealing cryptocurrency wallet seed phrases and can intercept SMS messages to capture two-factor authentication codes. It employs techniques like dynamic class loading and WebView content injection to evade detection and initially requests minimal permissions before escalating its access. The upgraded ClayRat malware now exploits accessibility services and default SMS permissions, allowing it to record keystrokes, capture screen content, and present deceptive overlays. It has been distributed through fraudulent phishing domains and dropper apps that impersonate legitimate services. The enhanced capabilities of ClayRat enable complete device takeovers and persistent overlays, making it a more significant threat than its previous version.

AppWizard

December 2, 2025

New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control

A new Android malware named Albiriox has emerged, marketed as malware-as-a-service (MaaS). It features a hard-coded list of over 400 applications, including banking and cryptocurrency platforms, and is distributed through social engineering tactics using dropper applications. Initially advertised in late September 2025, it became a full MaaS offering by October, with Russian-speaking threat actors behind its development. Albiriox allows remote control of compromised devices via an unencrypted TCP socket connection and Virtual Network Computing (VNC), enabling attackers to extract sensitive information and perform overlay attacks for credential theft. One campaign targeted victims in Austria using German-language lures and counterfeit Google Play Store listings. Albiriox also utilizes Android's accessibility services to bypass security measures and employs a novel distribution strategy involving a counterfeit website that collects phone numbers. Additionally, another Android MaaS tool, RadzaRat, was introduced, masquerading as a file management utility while offering extensive surveillance and remote control capabilities. RadzaRat can log keystrokes and maintain persistence through specific permissions, highlighting a trend in the availability of sophisticated cybercrime tools.

AppWizard

November 21, 2025

Fongo World Edition For Android

Fongo World Edition is a communication app that offers unlimited calling and messaging features. Users can obtain a Canadian phone number, make unlimited calls and texts within Canada, and utilize WiFi and data for calling. The app provides low-cost international calling to over 220 countries, including the U.S., India, the U.K., and France, with rates starting at [openai_gpt model="gpt-4o-mini" prompt="Summarize the content and extract only the fact described in the text bellow. The summary shall NOT include a title, introduction and conclusion. Text: Fongo World Edition emerges as a compelling solution for those seeking seamless communication across Canada and beyond. With a user-friendly interface and a range of features, this app is designed to enhance the calling and texting experience for its users. Key Features At the heart of Fongo World Edition lies the promise of unlimited calling and messaging. Users can enjoy: Your Own Canadian Phone Number: Obtain a real Canadian number tailored to your city. Unlimited Calling Across Canada: Make unlimited calls to any Canadian number without restrictions. Unlimited Texting: Connect with any Fongo user for free, with no limits on messages. WiFi & Data Calling: Utilize the app wherever there’s an internet connection. Low-Cost International Calling: Take advantage of affordable rates for global calls. Essential Features: Enjoy visual voicemail, call display, and more at no additional cost. Travel-Friendly Communication Fongo World Edition is particularly advantageous for travelers. It allows users to: Receive international calls for free. Communicate with any Canadian while abroad at no cost to either party. Text hotel concierges or rental hosts effortlessly. Receive SMS updates from airlines. Make reservations at local restaurants with ease. A Second Phone Number This app also serves as an excellent option for those needing a secondary phone number. Ideal for: Online Shopping & Sign-ups: Protect your primary number from spam. Dating Apps: Keep your personal number private while staying connected. Online Marketplaces: Use a free Canadian number instead of your actual one. Freelancing & Side Hustles: Maintain a clear boundary between work and personal communications. Contests & Verification Codes: Utilize a free texting app for temporary needs. International Calling Made Affordable Fongo World Edition offers low-cost international calling to over 220 countries, including: The United States India The United Kingdom France Rates start as low as [cyberseo_openai model="gpt-4o-mini" prompt="Rewrite a news story for a business publication, in a calm style with creativity and flair based on text below, making sure it reads like human-written text in a natural way. The article shall NOT include a title, introduction and conclusion. The article shall NOT start from a title. Response language English. Generate HTML-formatted content using tag for a sub-heading. You can use only , , , , and HTML tags if necessary. Text: Fongo World Edition By Fongo Inc. ★★★☆☆ • 3.6 • 10,000+ Screenshots: More Information Package ID com.fongo.international File Size Varies with device Category Communication Android Version Required Varies with device App Price USD 4.99 Content Rating Everyone About Fongo World Edition Fongo World Edition is the best way to call Canada and the world!Unlimited Calling and messaging, Canada-wide, anywhere you have an internet connection. It’s the perfect calling & texting app. WHY FONGO MOBILE?• Your own Canadian Phone Number – Get a real Canadian number in your city.• Unlimited Calling Across Canada – Unlimited calls to any Canadian number.• Unlimited Texting – Text any Fongo user for free, no limits! • WiFi & Data Calling – Use Fongo anywhere with an internet connection.• Low-Cost International Calling – Affordable rates for calling worldwide.• Visual Voicemail, Call Display & More – Essential calling features included for free!INCLUDED FEATURES• Visual Voicemail• Call Display, Call Waiting, and Call Forwarding• Conference Calling and Call Transfer• Receive faxes directly in the app• Sync with your device’s contacts for easy calling and messaging• Multi-language support: English, Chinese, French, German, Hindi, Korean, Spanish, and PortugueseTRAVELLING • Fongo World Edition is the ultimate travel calling and texting app:• Receive international calls for free• Talk with any Canadian while abroad – Free for you, free for them• Text your hotel concierge or home rental hosts• Receive SMS messages from your airline• Call restaurants to make reservationsSECOND PHONE NUMBER• Use Fongo World Edition as your free second phone number for:• Online Shopping & Sign-ups – Avoid spam calls and texts from retailers with a free phone number.• Dating Apps – Keep your personal number private while staying connected.• Online Marketplaces – Use a free Canadian number instead of your real one.• Freelancing & Side Hustles – Keep work and personal calls separate with a WiFi calling app.• Contests & Verification Codes – Use a free texting app for short-term or one-time use.LOW-COST INTERNATIONAL CALLING TO 220+ COUNTRIES• Call the United States, India, United Kingdom, France and more from just $0.02 per minute• Visit Fongo.com/rates for full list of international ratesIMPORTANT• Stable internet is required with download/upload speeds of over 2 Mbps • If you disable notifications, you will not receive incoming calls or texts• For 911 calls, use your device’s built-in phone app (no SIM card required)Need help? Tap 'Support' in the app. Have feedback? Let us know through the app. FOLLOW US• Facebook: fongomobile• Instagram: @fongo_mobile• TikTok: @fongo_mobile• X: @Fongo_MobileTerms of Use: https://www.fongo.com/about/legal/terms/Acceptable Use: https://www.fongo.com/about/legal/acceptable-use/Privacy Policy: https://www.fongo.com/about/legal/privacy/9-1-1 Terms: https://www.fongo.com/about/legal/fongo-911/ Developer Information Developer Name Fongo Inc. Support email Not provided Developer address Not provided" temperature="0.3" top_p="1.0" best_of="1" presence_penalty="0.1" ].02 per minute, making it an economical choice for global communication. For a comprehensive list of international rates, users can visit Fongo.com/rates. Important Considerations To ensure optimal performance, users should maintain a stable internet connection with download/upload speeds exceeding 2 Mbps. Additionally, disabling notifications may prevent the reception of incoming calls or texts. For emergency calls, it is recommended to use the device’s built-in phone app, as Fongo does not support 911 calls without a SIM card. For assistance or feedback, users can easily access support through the app, ensuring a responsive and user-centric experience. Fongo World Edition continues to redefine communication, blending affordability with functionality, making it a noteworthy contender in the realm of communication apps." max_tokens="3500" temperature="0.3" top_p="1.0" best_of="1" presence_penalty="0.1" frequency_penalty="frequency_penalty"].02 per minute. It is particularly useful for travelers, allowing free international calls, communication with Canadians abroad, and easy text messaging for reservations and updates. Fongo can also serve as a second phone number for online shopping, dating apps, and freelancing, helping to protect users' primary numbers from spam. Users must maintain a stable internet connection for optimal performance and should use their device’s built-in phone app for emergency calls.

AppWizard

November 4, 2025

Malicious Android apps on Google Play downloaded 42 million times

The Android ecosystem has seen a significant rise in malicious applications, with over 40 million harmful apps downloaded from Google Play between June 2024 and May 2025. There has been a 67% year-over-year increase in malware targeting mobile devices, particularly spyware and banking trojans. Cybercriminals are shifting tactics from card fraud to mobile payment exploitation, employing phishing, smishing, SIM-swapping, and payment scams. Banking malware transactions reached 4.89 million in 2025, with a slowed growth rate of 3%. Malicious applications increased from 200 to 239, totaling 42 million downloads, with adware now accounting for 69% of all detections. Spyware has surged by 220% year-over-year, with India, the U.S., and Canada being the most affected countries. Notable malware families include Anatsa, which targets financial institutions, Android Void (Vo1d), which affects Android TV boxes, and Xnotice, which targets job seekers. IoT devices, particularly routers, are also being exploited, with the majority of attacks occurring in the U.S. Zscaler recommends implementing security measures such as regular updates, trusting reputable publishers, and adopting zero-trust technology for organizations.

AppWizard

October 28, 2025

Telegram Messenger Abused by Android Malware to Seize Full Device Control

Security researchers at Doctor Web have identified a sophisticated Android backdoor, named Android.Backdoor.Baohuo.1.origin, disguised as Telegram X, which has compromised over 58,000 devices globally, with around 20,000 active infections. The malware propagates through malicious websites posing as app catalogs and targets approximately 3,000 different models of devices. It features unprecedented control mechanisms via Redis database integration, allowing extensive manipulation of victims' accounts and devices, including hiding evidence of compromise and autonomously managing messaging functionalities. The malware extracts sensitive data, including SMS messages and clipboard contents, and uploads information to attacker servers every three minutes. Brazil and Indonesia are primary targets, with the malware available on third-party app stores under fraudulent identities.

AppWizard

October 26, 2025

Hackers Weaponizing Telegram Messenger with Dangerous Android Malware to Gain Full System Control

A sophisticated backdoor known as Android.Backdoor.Baohuo.1.origin has been identified in malicious versions of the Telegram X messenger, granting attackers comprehensive control over victims’ accounts. This malware has compromised over 58,000 devices across approximately 3,000 smartphone models and other Android-based systems, primarily targeting users in Brazil and Indonesia. It spreads through misleading advertisements and third-party app stores, often masquerading as legitimate applications. The malware can exfiltrate sensitive information, manage user interactions, and manipulate messenger functionality without detection. It utilizes a Redis database for command-and-control operations, representing a novel approach in Android malware. The backdoor monitors clipboard contents and collects device information, sending data to attackers every three minutes while disguising its activities.

AppWizard

October 24, 2025

Baohuo Android Malware Hijacks Telegram Accounts via Fake Telegram X

A new Android malware, identified as Android.Backdoor.Baohuo.1.origin, is disguised as counterfeit versions of the messaging app Telegram X. It has been labeled as one of the most sophisticated Android backdoors this year. The malware is distributed through online advertisements promising enhanced features and connects to remote servers to grant attackers full control over the user’s Telegram account. It can conceal unauthorized logins, erase chat traces, and manipulate app behavior in real-time using the Xposed framework. Over 58,000 devices have been infected, primarily in India, Brazil, and Indonesia. Baohuo communicates directly with a Redis database for command-and-control, allowing seamless operation even if primary servers are down. It can intercept clipboard data and perform regular check-ins on user activity. The malware has been found in third-party app stores, falsely attributed to Telegram’s developer. Users are advised to download Telegram only from official sources.