trojan Archives

AppWizard

February 10, 2026

Google warns millions of android users as virus spreads via WhatsApp, Instagram, Facebook, YouTube and more Apps; How to stay safe

Google has issued a warning to Android users about a dangerous malware called Arsink Malware, which is a Remote Access Trojan (RAT) capable of stealing personal information and taking control of infected devices. It spreads through apps that appear legitimate, often masquerading as "Mod" or "Premium" versions of popular applications. Arsink malware typically infiltrates devices via Telegram channels, Discord posts, third-party websites, and suspicious download links. Google has confirmed that no versions of Arsink are available on the Play Store and that devices with Google Play Protect enabled are automatically safeguarded against such threats. Google is also working with researchers to dismantle the infrastructure associated with this malware. To stay safe, users are advised to download apps only from the official Google Play Store, avoid 'Mod' or 'Premium' versions of apps, refrain from clicking on suspicious links, carefully check app permissions, keep Google Play Protect enabled, and regularly update their devices for security patches.

AppWizard

February 10, 2026

Android users warned about new bug that steals private data – which apps to delete

The Arsink malware is an Android Remote Access Trojan (RAT) that exfiltrates sensitive information while granting remote control to its operators. It has impacted over 45,000 devices in 143 countries, including the UK. Arsink lures users to download deceptive "pro" versions of popular applications, often promoted on social media instead of the Google Play Store. Once installed, it can access text messages, emails, call logs, contacts, microphone recordings, photos, location data, and more. The malware also allows hackers to control device features such as using the torch, playing audio, making calls, and changing settings. It hides its icon, runs a persistent foreground service, and generates notifications to avoid detection. Users are advised to remove any "pro" versions of well-known apps like Google, YouTube, WhatsApp, Instagram, Facebook, and TikTok that are not from the official Google Play Store.

AppWizard

January 30, 2026

Google’s New Android Lockdown—Do Not Install These Apps

Google is tightening its policies on sideloading practices, allowing app installations only from verified developers to enhance user security and reduce risks associated with malicious software. The company has removed numerous harmful applications and accounts to combat the exploitation of its ecosystem. Cybercriminals are replicating popular applications like Google, YouTube, and WhatsApp to deceive users into downloading malicious software, which often masquerades as “mod” or “pro” versions. These counterfeit apps can install the Arsink Remote Access Trojan (RAT), which allows hackers to control devices, record audio, harvest personal information, and perform unauthorized actions. The Arsink operation has affected tens of thousands of victims across approximately 143 countries. Users are advised to avoid installing apps from messengers, online forums, or direct links and to use official app stores instead. Google confirms that the RAT is not infecting Play Store apps and encourages users to keep Play Protect enabled.

Tech Optimizer

January 22, 2026

Hackers Weaponized 2,500+ Security Tools to Terminate Endpoint Protection Before Deploying Ransomware

A large-scale campaign is exploiting the truesight.sys Windows security driver from Adlice Software’s RogueKiller antivirus to disable endpoint detection and response (EDR) and antivirus solutions, facilitating the deployment of ransomware and remote access malware. This attack utilizes over 2,500 validly signed variants of the driver, allowing attackers to manipulate legacy driver signing rules to load pre-2015 signed drivers on Windows 11 machines. The vulnerable TrueSight driver exposes an IOCTL command that enables attackers to terminate security processes, providing them with kernel-level access to bypass user-mode protections. The infection chain typically starts with phishing emails or compromised sites, leading to the installation of a downloader that retrieves additional malicious components. The malware establishes persistence and deploys an EDR killer module targeting nearly 200 security products. Once defenses are disabled, the final payload, often a remote access trojan or ransomware, executes with minimal visibility, completing the attack in as little as 30 minutes.

AppWizard

January 19, 2026

Google is Making it Harder to Sideload Apps on Google TV & Android

Google plans to modify the sideloading process for apps on Android devices to enhance user safety and address app security concerns. The new process will introduce additional steps and warnings, emphasizing the benefits of apps verified through Google Play and requiring an active internet connection for certain verification checks. Users can still sideload apps without verification, but this option will come with extra prompts to inform them of the risks. Critics worry that these changes may inconvenience power users, while supporters believe they will promote safer habits among average consumers. The rollout of this updated sideloading process is expected to begin in select markets and may coincide with the next major Android release.

Winsage

January 9, 2026

Is turning off Windows Security a bad idea in 2026? A PC expert’s bottom line

Windows Security is a comprehensive security suite for Windows users that monitors downloads, blocks threats, and quarantines malware. Users may need to disable it temporarily to install third-party software or games that are mistakenly flagged as threats. Permanent deactivation is typically for advanced users who may replace it with another security suite, but it increases vulnerability to online threats. To temporarily disable Windows Security, users can toggle off Real-time protection in the Windows Security app. For permanent deactivation, Windows 11 Pro users can use the Local Group Policy Editor, while Home users must edit the Registry. Creating a restore point before making changes is recommended for safety. Disabling Windows Security, even temporarily, should be done with caution to avoid increased risk of infections.

Winsage

January 7, 2026

Hackers Use Fake Windows BSOD To Spread Malware

Security researchers have identified a social engineering campaign that mimics the Windows Blue Screen of Death (BSOD) to deceive users into installing a remote access Trojan (RAT). The campaign, named PHALT#BLYX, begins with phishing emails that appear to be legitimate cancellation notices from travel websites, leading victims to a fake login page and an interactive CAPTCHA. This culminates in a full-screen imitation of the BSOD, prompting users to follow instructions that ultimately allow attackers to gain control of their computers. The attackers use a “ClickFix” process that involves executing commands through native Windows tools like PowerShell and MSBuild, making detection more challenging. The malware delivered is an obfuscated version of DCRat, which provides attackers with remote control capabilities, keylogging, and the ability to download additional malware. The campaign primarily targets hotels and hospitality businesses in Europe, exploiting the urgency of front-desk staff to respond to apparent technical issues. Indicators of a fake BSOD include the ability to interact with the screen, requests to execute commands via Windows tools, and the presence of CAPTCHA prompts. Organizations are advised to train employees, implement application control, enhance email and web defenses, and prepare for incident response to mitigate risks associated with such attacks.

Winsage

January 6, 2026

ClickFix attack uses fake Windows BSOD screens to push malware

A new social engineering attack campaign called ClickFix is targeting the hospitality sector in Europe, using fake Windows Blue Screen of Death (BSOD) screens to trick users into executing malware. Initially identified in December by Securonix as "PHALT#BLYX," the campaign involves phishing emails that appear to be notifications from Booking.com, often mentioning significant refunds to create urgency. Victims are directed to a counterfeit Booking.com site that mimics the legitimate one and displays a fake error message prompting them to execute a malicious command. This command launches a PowerShell script that downloads and compiles malware known as DCRAT, a remote access Trojan that allows attackers to control infected devices, exfiltrate data, and spread within networks.

AppWizard

December 25, 2025

Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale

Threat actors in Uzbekistan are increasingly using sophisticated tactics to target mobile users, specifically through malicious dropper applications that appear as legitimate software. A recent analysis by Group-IB identified an Android SMS stealer called Wonderland, which was previously known as WretchedCat. Unlike traditional Trojan APKs that activate malware immediately upon installation, Wonderland utilizes droppers that activate malicious payloads locally after installation, even without an internet connection. Wonderland enables bidirectional command-and-control communication, allowing real-time execution of commands, including SMS theft and USSD requests. It disguises itself as Google Play or various file formats to evade detection. The financially motivated group behind this malware, TrickyWonders, uses Telegram for coordination and was first detected in November 2023. Wonderland is associated with two dropper families: MidnightDat and RoundRift. Propagation methods for Wonderland include counterfeit Google Play Store pages, Facebook ads, and fake accounts on dating apps. Attackers exploit stolen Telegram sessions from Uzbek users to distribute APK files. Once installed, Wonderland can access SMS messages, intercept one-time passwords, and siphon funds from victims' bank accounts. It can also retrieve phone numbers, exfiltrate contact lists, suppress security alerts, and send SMS messages from compromised devices. Users must enable installations from unknown sources to sideload the app, often misled by a fake update screen. If granted permissions, attackers can hijack the phone number and log into the associated Telegram account, perpetuating the malware's spread. Wonderland represents a significant evolution in mobile malware in Uzbekistan, moving from basic malware like Ajina.Banker to more sophisticated variants like Qwizzserial. The use of dropper applications enhances its deceptive nature, allowing it to evade security checks. Both the dropper and SMS stealer components are heavily obfuscated, complicating reverse engineering. The supporting infrastructure for Wonderland is dynamic, with rapidly changing domains complicating monitoring efforts. Malicious APKs are generated through a Telegram bot and distributed by a network of threat actors. New strains of malware, such as Cellik, Frogblight, and NexusRoute, have also emerged, each capable of harvesting sensitive information from compromised devices.

Tech Optimizer

December 25, 2025

New malware can read your chats and steal your money

The Android banking trojan Sturnus has emerged as a significant cybersecurity threat, capable of taking control of a device's screen, stealing banking credentials, and accessing encrypted communications from trusted applications. It operates stealthily, capturing decrypted messages without breaking encryption. To protect against Sturnus, users should employ robust antivirus software, be vigilant with app prompts, and exercise caution with links and attachments, as malware is often spread through these channels. Attackers can remotely control devices to execute financial transactions without user knowledge.