trojan malware Archives

Winsage

October 31, 2025

Windows LNK File UI Misrepresentation Enables Remote Code Execution Attacks

A vulnerability in the Windows operating system, identified as ZDI-CAN-25373 and disclosed in March 2025, allows advanced persistent threat (APT) actors to deploy malware by manipulating whitespace in Windows LNK files. This technique has been adopted by espionage groups from North Korea, China, Russia, and Iran for data theft and intelligence-gathering. The flaw enables malicious PowerShell commands to be concealed within seemingly legitimate shortcut files, which execute automatically when opened. The exploitation involves weaponized LNK files that initiate obfuscated PowerShell commands to decode embedded TAR archives containing a legitimate Canon printer utility, a malicious loader DLL, and an RC4-encrypted payload with remote access trojan malware. The legitimate executable, although signed with an expired certificate, is trusted by Windows due to its valid timestamp. As of October 2025, Microsoft has not released a patch for this vulnerability, prompting organizations to implement defensive measures against its exploitation.

TrendTechie

August 16, 2025

Labubu-охота на криптопользователей, опасные торренты с фильмами и другие события кибербезопасности

- A user lost 140 ETH (approximately ,500) on August 15 due to crypto address "poisoning," resulting in a total loss of over .6 million from similar incidents within a week. - Labubu fans in Russia fell victim to a cryptocurrency theft scheme involving a counterfeit marketplace that prompted users to connect their crypto wallets. - The Efimer Trojan malware, distributed through compromised WordPress sites and torrents, has been identified as a method for stealing cryptocurrency by replacing wallet addresses in the clipboard. - Pro-Russian hackers gained control of a dam in Norway, opening discharge valves and allowing over 7.2 million liters of water to pass through before being stopped. - A cybersecurity researcher discovered a vulnerability in a car dealer's online portal that allowed remote access to customer data and vehicle control. - Tajikistan reportedly lost over million due to illegal mining activities. - BtcTurk suspended withdrawals amid suspicious transactions totaling million. - Hackers extracted million in Bitcoin from the Odin.fun platform, and KYC data leaks have led to increased attacks on crypto investors.

Tech Optimizer

March 11, 2025

Fake Google Play Store pages are spreading Trojan malware that can steal your financial data

CTM360, a cybersecurity firm in Bahrain, has reported a new threat called the PlayPraetor trojan, which is distributed through malicious websites that imitate trusted sources like the Google Play Store. Users who visit these counterfeit sites may download an app disguised as a legitimate APK file, which requests extensive permissions, including access to accessibility services and SMS messages. Once installed, PlayPraetor functions as spyware, capturing keystrokes and clipboard activity, and specifically targets banking applications by scanning for them on infected devices. It sends a list of these apps to the attacker's server to steal banking credentials. The fraudulent links are often shared via Meta Ads and SMS messages, making it crucial for users to be cautious with links from these sources. The malicious sites closely resemble legitimate ones, so users should verify the website's spelling and URL. Deceptive advertisements and messages are commonly used to entice users into clicking links that lead to these sites. Users should be skeptical of anything that creates urgency or offers unrealistic deals. Excessive permission requests during app downloads should raise red flags, especially for unnecessary accessibility services. It is recommended to use reputable antivirus software for mobile protection, enable Google Play Protect, and avoid sideloading apps from unofficial sources to prevent potential threats.

AppWizard

September 25, 2024

You may be one of the 11 million people with these infected Android apps

Google's Android operating system has been compromised by a variant of the Necro Trojan malware, which has infiltrated several applications, including modded versions of WhatsApp and Spotify. Kaspersky identified the Necro Trojan, first discovered in 2019, as a significant threat that infects devices through compromised apps, downloads additional malicious payloads, and can enroll devices in subscription services without user consent. Among the affected legitimate apps on the Google Play Store are the Wuta Camera app, with 10 million downloads, and Max Browser, with over 1 million downloads. Both have been removed by Google, and users are advised to uninstall them. The malware has also been found in various modded gaming apps. The attack has primarily affected Android users in Russia, Brazil, and Vietnam, and the number of infected devices may be higher than reported due to unverified downloads.

AppWizard

September 25, 2024

Necro Trojan infiltrates Google Play and Spotify and WhatsApp mods

Modified versions of mobile applications can pose significant risks, particularly due to the resurgence of the Necro Trojan malware, which has infiltrated both popular apps and unofficial counterparts. A Spotify mod called Spotify Plus was found to contain a custom Application subclass that initialized an SDK named adsrun, which communicated with a command-and-control server and transmitted encrypted data. This server provided a link to download a PNG file with a hidden payload, leading to the execution of malicious code. The Necro loader has also been embedded in legitimate applications on Google Play, affecting over 11 million Android devices. Infected apps include the Wuta Camera app, downloaded over 10 million times, starting from version 6.3.2.148, and the Max Browser app, with over a million installations, starting from version 1.2.0. Additionally, WhatsApp mods in unofficial channels were found to harbor the Necro loader, utilizing Google’s Firebase Remote Config as a command-and-control mechanism. Other infected applications identified include game mods for Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. The modular architecture of the Necro Trojan allows for flexible updates and the introduction of new malicious modules, enhancing its persistence and evasion capabilities. Various Necro modules serve distinct functions, such as creating network tunnels and displaying intrusive advertisements. The malware has been reported in regions like Russia, Brazil, and Vietnam, with thousands of attacks thwarted globally.

AppWizard

September 24, 2024

New Android trojan malware spotted, potentially infected over 10 million devices

Recent findings from Kaspersky reveal the emergence of Necro Trojan malware in popular Android applications, posing significant risks such as unauthorized access to personal data and online fraud. Despite Google's security measures, cybercriminals exploit vulnerabilities in the Android framework. Affected apps include Benqu's Wuta Camera, with over 10 million downloads, and the now-removed Max Browser, which had one million downloads. Modified versions of apps like WhatsApp, Spotify, and Minecraft have also been compromised. The Necro Trojan aims to take control of infected devices, executing harmful actions without user consent, including running malicious code and facilitating subscription fraud. Users are advised to uninstall suspicious apps, run antivirus scans, change critical passwords, and enable the Play Store's Play Protect feature for ongoing protection.

AppWizard

September 24, 2024

Android users, here’s why you should delete these apps immediately – Times of India

Over 11 million Android devices have been infected by the Necro trojan malware, which has spread through unofficial modified applications and even official apps on the Google Play Store. The malware can download additional components, turning infected devices into tools for adware, subscription fraud, and proxy servers. Two specific apps, Wuta Camera and Max Browser, have been highlighted for their role in the malware's distribution, with Wuta Camera having around 10 million downloads and Max Browser over a million. Users are advised to remove older versions of Wuta Camera and uninstall Max Browser. Modified versions of popular apps like Spotify Plus, WhatsApp, and Minecraft have also been compromised. To protect against malware, users should download apps only from official sources, ensure Google Play Protect is activated, review app ratings and feedback, and use antivirus software to scan for infections.

AppWizard

September 24, 2024

These Popular Android Apps Might Be Infected With the Necro Trojan

Recent findings indicate that certain Google Play apps and unofficial modifications of popular applications are being exploited to spread the Necro trojan malware, which can log keystrokes, steal sensitive information, install additional malware, and execute remote commands. The Necro trojan, first identified in 2019, was previously found in the PDF maker app CamScanner. A new version has been detected in the Wuta Camera app and Max Browser on the Google Play Store, both of which have since been removed by Google. Unofficial 'modded' versions of popular apps like Spotify and WhatsApp, often available on third-party websites, are also spreading the malware. These modified apps can contain malicious SDKs that trigger the trojan payload upon user interaction. The malware can download files, install applications, and subscribe users to paid services without consent. Users are advised to be cautious when downloading apps from third-party sources.

AppWizard

September 24, 2024

If you have any of these infected apps on your Android phone, they must be uninstalled now

The Necro Trojan malware has targeted Android users by infiltrating applications on the Play Store, including WhatsApp and Spotify. It uses steganography to hide malicious payloads, displaying ads in invisible windows, draining battery life, slowing device performance, and causing overheating. It can also enroll users in unwanted paid subscriptions and download arbitrary JavaScript and DEX files. Kaspersky's research found that modified versions of Spotify (Spotify Plus) and apps like Wuta Camera and Max Browser contained the Necro malware. Wuta Camera had over 10 million downloads before being removed, while Max Browser had over one million downloads. Users are advised to uninstall these apps and any modified versions of WhatsApp or game mods for Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. Kaspersky has blocked over 10,000 Necro attacks in a month, primarily in Russia, Brazil, and Vietnam. Users are encouraged to check their devices for the mentioned apps and to only install applications from official sources.

AppWizard

August 13, 2024

Terrifying Android ‘spy app’ hides itself on your phone and records screen

Cybersecurity experts have identified a mobile spyware application called LianSpy, which targets Android smartphones by stealing confidential data and monitoring user activities while concealing itself on the home screen. Discovered in March 2024, LianSpy has been operational for at least three years, primarily affecting users in Russia but potentially impacting Android users globally. It requires user interaction for full activation, requesting permissions under the guise of legitimate applications. LianSpy can operate with root privileges, allowing it to bypass notifications about microphone or camera usage. Signs of infection on Android devices include being signed out of accounts, persistent pop-up ads, alerts about viruses, decreased device speed, and unexpected changes to browser settings. Users are advised to conduct regular spyware sweeps and keep their operating systems updated to mitigate risks.