surveillance

AppWizard
May 11, 2026
28 Android applications were removed from the Google Play Store after being identified as scams by security researchers at ESET. These apps, part of a campaign called “CallPhantom,” falsely claimed to provide access to private call logs, SMS records, and WhatsApp activity. They attracted millions of downloads despite lacking legitimacy, offering fabricated data such as fake phone numbers and bogus call durations. Some apps charged users for “detailed reports” that either never arrived or contained nonsensical information. The apps did not steal phone data or install malware but instead promised illicit access and generated fictitious data. The primary targets of this scam were users in India and the Asia-Pacific region.
AppWizard
May 10, 2026
The BlackBerry Messenger (BBM) application has re-emerged in terror-related networks in Jammu and Kashmir, as revealed by the interrogation of an operative from Lashkar-e-Taiba (LeT). The Srinagar Police recently dismantled an LeT module, arresting Abdullah (Abu Hureira) and others. The National Investigation Agency (NIA) is now investigating, focusing on BBM and other messaging apps used for coordination. BBM has a history of scrutiny, with the Indian government previously threatening a ban unless servers were established in India. In 2019, BBM became a paid service for corporate users. Investigators are tracking BBM Enterprise accounts linked to terrorism. Cybersecurity concerns persist in Jammu and Kashmir, especially regarding privacy-centric apps like Threema and banned applications like Element, which are believed to aid terror groups in evading surveillance. Other apps, such as Dust, face scrutiny for their ephemeral messaging features. Increased internet access has also allowed terrorist organizations to strengthen their networks, and some individuals posing as extreme nationalists have ties to radical groups.
AppWizard
May 10, 2026
Srinagar has seen a resurgence of the BlackBerry Messenger (BBM) application within the Lashkar-e-Taiba (LeT) terror network, as revealed by the interrogation of a key operative. The Srinagar police recently dismantled an LeT module, arresting Abdullah (Abu Hureira) and others, prompting the National Investigation Agency (NIA) to investigate. During questioning, it was disclosed that various communication apps, including BBM, Element, Threema, and Dust, were being used alongside mainstream platforms like WhatsApp and Telegram. BBM was initially flagged by investigative agencies in 2009, leading to the establishment of servers in India in 2011-12 after the Indian government threatened a ban. However, BBM transitioned to a paid service in 2019, and investigators are now tracing accounts linked to terrorist activities. The Indian government banned 14 messaging applications in May 2023, including Element, due to their use by terror groups. Highly secure apps like Threema and ephemeral messaging platforms like Dust are under scrutiny for their potential to hinder intelligence gathering. The rise of the internet has facilitated communication for terrorist organizations, with the UN highlighting their exploitation of online platforms for propaganda and recruitment, leading to the adoption of Resolution 2354 in 2017 to combat terrorism online.
BetaBeacon
May 5, 2026
ScarCruft compromised a video game platform in a supply chain attack, trojanizing its components with a backdoor called BirdCall to target ethnic Koreans residing in China. The attack enabled the threat actors to target both Windows and Android devices, turning it into a multi-platform threat. The campaign targeted sqgame[.]net, a gaming platform used by ethnic Koreans in China, known as a transit point for North Korean defectors. BirdCall has features like screenshot capture, keystroke logging, and data gathering, and relies on legitimate cloud services for command-and-control. The Android variant collects various data and has seen active development.
AppWizard
May 5, 2026
A North Korean hacking group has targeted a digital gaming platform popular among the Korean ethnic enclave in China, using a sophisticated strategy to infiltrate Android applications. Researchers from ESET discovered that an app on the platform contained a backdoor known as BirdCall, linked to North Korea. The official website for the gaming platform hosted the same suspicious APK file. A second Android file associated with another game on the same site was also found to contain the BirdCall backdoor. This supply-chain attack was attributed to the threat actor ScarCruft (APT37), active in Asia and extending into Europe and the Middle East since late 2024. The hackers likely compromised the web server to recompile original APKs with the backdoor, which can collect sensitive information such as contacts, SMS messages, call logs, documents, media files, and private keys, and can take screenshots and record audio. The malware disguises its command-and-control traffic among regular internet traffic, primarily using Zoho WorkDrive for operations.
AppWizard
April 27, 2026
The privacy-centric period tracking app, Periodical, will not comply with Google's new developer verification policy requiring app developers to submit government-issued identification. As a result, the developers have decided to withdraw from the official Android ecosystem, raising concerns about user privacy and access to reproductive health tools. Periodical is praised for storing data locally without third-party trackers, which is crucial given the risk of law enforcement accessing digital health data. Users are uncertain about the app's future and are being directed to its GitHub repository for updates, as the new policy will complicate the installation of unverified apps. Users will need to enable Developer Options and navigate complex settings to sideload the app, which may deter many from tracking their menstrual cycles.
AppWizard
April 27, 2026
Signal is experiencing a crisis of trust due to security breaches, including successful infiltrations by Russian hackers in Germany and the Netherlands. Senior EU officials have disbanded a Signal group due to hacking fears. Accessing Signal chat content on the dark web can cost between ,000 to ,000, while WhatsApp data is cheaper, ranging from ,000 to ,000. Personal information, such as travel histories, can be bought for 0 to 0, especially for individuals who have traveled to countries known for data leaks. Investigations revealed that Russian diplomats' medical records, banking information, and dating site usernames are available on the black market. Location tracking can be precise when certain applications are downloaded. A Kazakh refugee in Brussels faced high-definition surveillance, and local laws challenge private detectives' effectiveness. State actors have used Israeli spyware like Pegasus to target journalists and adversaries. The prospect of secure communication is diminishing, with online exchanges increasingly seen as vulnerable.