Meta has won almost $170m in damages from Israel-based NSO Group, maker of the Pegasus spyware.

Meta has won almost $170m in damages from Israel-based NSO Group, maker of the Pegasus spyware. The ruling comes after a six-year legal case against the company after Meta accused it of misusing its servers to spy on users.

According to the original complaint against NSO Group, filed in October 2019, the spyware vendor used WhatsApp servers to send malware to around 1400 mobile phones. The purpose was to gain access to the messages on those devices, which were typically used by attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.

NSO Group reverse engineered WhatsApp’s software and developed its own software and servers to send messages to victims via the WhatsApp service that contained malware. That malware installed itself on the victims’ smartphones using a zero-click attack, meaning that the victim didn’t have to take any action such as opening an link or even answering a call for the compromise to happen; it was enough simply for the message to arrive.

A judge ruled in December that NSO Group had repeatedly dodged requests to provide its code for review, and granted Meta partial summary judgment over the vendor. That set up conditions for a trial to determine damages that started in late April.

NSO Group reportedly argued that Facebook lost nothing as part of the attack, arguing that it should pay the minimum amount in damages. However, the jury awarded Meta $444,719 in compensatory damages and $167,254,000 in punitive damages.

NSO Group is no stranger to controversy. The US federal government blacklisted it in 2021 for enabling foreign governments to spy on a range of people in acts of “transnational repression”. The same year, investigative website The Pegasus Project alleged that the company targeted over 180 journalists around the world. The European Data Protection Supervisor recommended an EU ban on the technology in 2022, although this has not yet happened.

The ruling drew praise from Amnesty International, which had filed a court brief as part of the case outlining the human rights implications of the attacks on Meta. The organization commented:

> “This decision should serve as a wake-up call to governments to take proactive, concrete steps to regulate the surveillance industry, to enforce safeguards on their surveillance practices, and to comprehensively ban tools that are inherently incompatible with human rights obligations and standards, such as Pegasus,”

One takeaway stands out for our readers: end-to-end encryption is important for privacy, but it is not enough on its own.

As Meta pointed out in its complaint, NSO couldn’t decrypt WhatsApp messages in transit to users because they are encrypted when they’re sent from one device and stay unreadable until they’re decrypted by the receiving device. However, that doesn’t stop someone from reading the messages after they’re decrypted by the receiving device—someone who compromises your smartphone or PC has control over all of the data on it, including those decrypted messages.

For consumers, this means applying more layer of protection in the form of regular updates, security software, and cybersecurity awareness. Never open links, files, or videos from someone you don’t know. Be skeptical even if they’re from someone you do know—we recommend checking with them over a different channel first to ensure it was really them that sent it.

In this case, even that would not have enough, because NSO Group was able to infect phones without the victim even answering the call. Attacks this sophisticated often target people with sensitive roles such as journalists, activists, and government workers. Google has an advanced protection program for people like this, while Apple launched lockdown mode for high-risk users. Facebook has its own initiative.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp hack: Meta wins payout over NSO Group spyware 

The FBI has warned scammers are impersonating the IC3, tricking victims by claiming to be able to recover funds.

The FBI has issued a warning about an ongoing fraud scheme where criminal scammers are impersonating FBI Internet Crime Complaint Center (IC3) employees in order to scam people.

Between December 2023 and February 2025, the FBI received over 100 reports of scams involving people posing as IC3 employees. These scammers contact their victims using various methods, including email, phone calls, social media, and online forums.

One popular lure involves the scammers claiming to have recovered money that the victim has lost, or offering assistance to recovering lost money.

Some scammers create fake profiles of IC3 officials, such as a supposed “Chief Director” named “Jaime Quin,” to lend credibility to their claims. This persona is also active on social media, as some victims pointed out.

This “Quin” engages with victims via Telegram, telling them their funds have been recovered and can be returned, but only after gaining access to more personal and financial data. Of course, that data will then be used for further fraud.

Other recovery scammers will ask you to pay for their services up front or ask you to buy a “tool” they need for their work.

> “As soon as you are ready to pay for the extractor software I will send you the Bitcoin wallet address you are to make payment so that we cab purchase the extractor software immediately and help you recover your funds back to you.”

Besides other direct payments, called recovery fees, processing fees, tax clearance, or compliance charges, the scammers will typically try to get hold of:

*   Financial information like credit card details, bank account numbers, cryptocurrency wallet addresses, and private keys.
*   Personal information like social security numbers, driver’s licenses or passports, login credentials, and answers to security questions.

**How to recognize these scams**

Scammers rely on the fact that victims of fraud are desperate. Here are some signs to look out for:

*   **Spoofed email addresses**: Emails may appear to come from legitimate IC3 domains, such as support@ic3-gov.org, which closely resemble official addresses. Always check the sender’s email address for inconsistencies or misspellings.
*   **Urgent language**: The messages will often create a sense of urgency, pressuring recipients to act quickly to recover lost funds or avoid penalties.  
*   **Requests for personal information**: Scammers may ask for sensitive data, including Social Security numbers, bank account details, or login credentials. Don’t provide them. Legitimate organizations will not ask for sensitive information via email.
*   **Unsolicited attachments or links**: Emails might contain attachments or links that, when clicked, can install malware or lead to phishing websites. Always check with the source in another way of communication whether they sent you an attachment, and hover over links to see their true destination before clicking.
*   **Report fraudulent and dubious emails**: If you receive a dubious email claiming to be from the IC3, report it directly through the official IC3 website.

**What an IC3 scam mail might look like**

Based on the data we gathered from several sources, we asked an AI to create a mock scam email example.

This is not an actual email, but it does contain all the elements we were able to uncover about the IC3 impersonating scams.

> “From: Jamie Quin j.quin@ic3-recovery.org
> 
> Subject: Recovery of Funds – Immediate Action Required
> 
> Date: April 22, 2025
> 
> To: \[victim’s email address\]
> 
> “Dear \[Full Name\],
> 
> This is to notify you that after a recent audit by the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3), we have identified your case as eligible for full recovery of lost funds stemming from your previous online fraud complaint (Case ID: #IC3-R2471982-Q2).
> 
> We are currently holding $48,762.14 USD in a secured escrow account, which was seized from an international cybercriminal operation. This amount corresponds with the losses you reported and is available for immediate disbursement upon verification.
> 
> To proceed with the recovery process, we require the following for identity confirmation and to ensure legal compliance:
> 
> *   Full Legal Name
> *   Date of Birth
> *   Mailing Address
> *   Government-Issued ID (passport or driver’s license scan)
> *   Bank Account Details for Refund (IBAN or Routing Number)
> 
> Please send this information within 48 hours to prevent forfeiture under Section 45-C of the Electronic Fraud Recovery Act (2023).
> 
> This case is being handled with the utmost confidentiality by Jamie Quin, Chief Director, IC3 Bureau of Financial Recovery. You are advised not to discuss this matter with third parties to avoid compromising the investigation.
> 
> If you have any questions, contact my secure line at +1 (202) 555-8231 or reply directly to this email.
> 
> Sincerely,
> 
> Jamie Quin
> 
> Chief Director – Internet Crime Complaint Center
> 
> Federal Bureau of Investigation
> 
> Email: j.quin@ic3-recovery.org
> 
> Phone: +1 (202) 555-8231
> 
> CONFIDENTIAL – FOR RECIPIENT ONLY”

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 FBI issues warning as scammers target victims of crime 

A relatively new app called Raw that aims to rewrite the rules of dating is the latest to trip over its coattails by exposing user data to anyone who asked for it.

Any app that hands over user data is a concern, but leaky dating apps are especially worrying given the sensitivity of the data involved. A relatively new app called Raw that aims to rewrite the rules of dating is the latest to trip over its coattails by exposing user data to…well, anyone who asked for it.

Launched in 2023, Raw is a dating app that aims to solve some of the traditional problems in online dating, including fake or egregiously touched-up photos, and ghosting (where one person goes silent on each other). The company’s app shares user locations and asks them to post daily photos of themselves to create a more authentic matching experience.

The service collects customer data including what you’d expect for a dating app, such as name, birth date, gender identity, and photos, along with your geolocation and IP address. It stores at least some of its data on servers in the US.

Its privacy policy tells people that it uses end-to-end encryption, or, according to its GenZ-speak on its consumer FAQ:

> “Your information is cloaked in encryption and guarded like a princess in a castle by our devs. We don’t sell or share your info in any way – your privacy is a promise we don’t break.”

That text is in all caps on the site so the company’s intentions must be deadly serious, but unfortunately it didn’t follow through according to TechCrunch, which did some impressive sleuthing. The news site ran a copy of the app on a virtualized Android device, which is a copy of the Android operating system running in software. It created a new user account on the app, and watched what happened when another copy of the app requested that user’s profile data. The publication saw the server return the profile data without requiring any authentication.

Like most online services, Raw answers requests for data via an application programming interface (API). This is a service designed for software (in this case, its smartphone app) to request user profile data from its servers. The app does that by sending an 11-digit user ID to an online address.

TechCrunch worked out that anyone could grab information from a profile by accessing the API in a browser, and all they need is the 11-digit user ID. They could also vacuum lots of peoples’ data _en masse_ by just changing the user ID numbers.

Raw hadn’t mentioned the issue on its site at the time of writing. CEO Marina Anderson told TechCrunch that the issue had been resolved and that regulators had been notified. The news site also reported that she hadn’t arranged for a third-party audit for the app.

The company has ambitions beyond better matches. It is planning to release a wearable device called the Raw Ring, with sensors that read wearers’ vital signs and an audio tracker that listens to them. Raw is marketing the Black Mirror-esque device as an anti-infidelity tool that “analyzes voice and emotional cues for changes that tell the real story”. The sign-up button to register your interest in the device urges you to “Join the Flirt-Free Zone”.

This idea gives us the chills even without the data leak, as there’s a long, dark history of surveillance tech online that those in controlling relationships can use to monitor their partners. Not only that, there are also many cases of such apps exposing peoples’ sensitive data.

The Raw Ring, which stores its data in the cloud, promises end-to-end data encryption, although the TechCrunch story gives us pause. We wonder how many people will wear this willingly after the company’s technological faux-pas?

We mailed Anderson and Raw with these and other questions. If they reply we’ll update this story.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 &#8220;Your privacy is a promise we don&#8217;t break&#8221;: Dating app Raw exposes sensitive user data 

Google has patched 47 Android vulnerabilities in its May update, including an actively exploited FreeType vulnerability.

Google has patched 47 vulnerabilities in Android, including one actively exploited zero-day vulnerability in its May 2025 Android Security Bulletin.

Zero-days are vulnerabilities that are exploited before vendors have a chance to patch them—often before they even know about them.

The May updates are available for Android 13, 14, and 15. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

If your Android phone shows patch level 2025-05-05 or later then you can consider the issues as fixed. The difference with patch level 2025-05-01 is that the higher level provides all the fixes from the first batch and security patches for closed-source third-party and kernel subcomponents, which may not necessarily apply to all Android devices.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

**The zero-day**

The actively exploited zero-day patched with this update was flagged by Facebook in March and found in the FreeType library. FreeType is an open-source software library that Android devices use to display text by rendering fonts. In essence, it turns font files into the letters and characters that you see on your screen. It is designed to be small, fast, and flexible, supporting many font formats and used widely across billions of devices and applications.

The vulnerability, tracked as CVE-2025-27363, allows attackers to execute remote code (RCE) by exploiting how FreeType processes certain TrueType GX and variable font files. Because FreeType mishandles values in the device’s memory, it creates an out-of-bounds write vulnerability. When a program accesses memory outside its allocated area—either by reading or writing beyond the bounds—it can cause crashes, run arbitrary code, or expose sensitive information. This happens when the data size exceeds the allocated memory, when data writes target incorrect memory locations, or when the program miscalculates data size or position.

FreeType versions newer than 2.13.0 fix this vulnerability. Since FreeType operates as a native library embedded within system components that render fonts, typical Android users cannot easily check which version their device uses. Therefore, the best defense is to install the latest system updates and run active anti-malware protection.

Facebook warned that attackers “may have exploited the vulnerability in the wild,” and Google confirmed the vulnerability “may be under limited, targeted exploitation,” though neither disclosed further details.

It’s reasonable to assume that simply opening a document or app containing a malicious font could compromise your device—without requiring any additional user action or permissions.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android fixes 47 vulnerabilities, including one zero-day. Update as soon as you can! 

This week on the Lock and Code podcast, we speak with Emanuel Maiberg and Jason Koebler about Overwatch, an AI chatbot tool sold to US police.

_This week on the Lock and Code podcast_…

“Heidi” is a 36-year-old, San Francisco-born, divorced activist who is lonely, outspoken, and active on social media. “Jason” is a shy, bilingual teenager whose parents immigrated from Ecuador who likes anime, gaming, comic books, and hiking.

Neither of them is real. Both are supposed to fight crime.

Heidi and Jason are examples of “AI personas” that are being pitched by the company Massive Blue for its lead product, Overwatch. Already in use at police departments across the United States, Overwatch can allegedly help with the identification, investigation, and arrest of criminal suspects.

Understanding exactly how the technology works, however, is difficult—both Massive Blue and the police departments that have paid Massive Blue have remained rather secretive about Overwatch’s inner workings. But, according to an investigation last month by 404 Media, Overwatch is a mix of a few currently available technologies packaged into one software suite. Overwatch can scan social media sites for alleged criminal activity, and it can deploy “AI personas”—which have their own social media accounts and AI-generated profile pictures—to gather intelligence by chatting online with suspected criminals.

According to an Overwatch marketing deck obtained by 404 Media, the software’s AI personas are “highly customizable and immediately deployable across all digital channels” and can take on the personalities of escorts, money launderers, sextortionists, and college protesters (who, in real life, engage in activity protected by the First Amendment).

Despite the variety of applications, 404 Media revealed that Overwatch has sparked interest from police departments investigating immigration and human trafficking. But the success rate, so far, is non-existent: Overwatch has reportedly not been used in the arrest of a single criminal suspect.

Today, on the Lock and Code podcast with host David Ruiz, we speak with 404 Media journalists and co-founders Emanuel Maiberg and Jason Koebler about Overwatch’s capabilities, why police departments are attracted to the technology, and why the murkiness around human trafficking may actually invite unproven solutions like AI chatbots.

 ”Nobody is going to buy that—that if you throw an AI chatbot into the mix, that’s somehow going to reduce gun crime in Americ,” Maiberg said. “But if you apply it to human trafficking, maybe somebody is willing to entertain that because, well, what is the actual problem with human trafficking? Where is it actually happening? Who is getting hurt by it? Who is actually committing it?”

He continued:

> “Maybe there you’re willing to entertain a high tech science fiction solution.”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 The AI chatbot cop squad is here (Lock and Code S06E09) 

A list of topics we covered in the week of April 27 to May 3 of 2025

May 2, 2025 - Passwords are becoming things of the past. Passkeys are more secure, easier to manage, and speed up the log in process

May 1, 2025 - Researchers found a set of vulnerabilities that puts all devices leveraging Apple's AirPlay at risk.

May 1, 2025 - These 3 cybersecurity threats may not be the most sophisticated, but they're the most effective—and serious—threats for small businesses.

May 1, 2025 - Cybercriminals are having less success targeting end-user technology with zero-day attacks, said Google's security team this week.

April 30, 2025 - Fake emails pretending to come from the US Social Security Administration try to get targets to install ScreenConnect for remote access.

 A week in security (April 27 &#8211; May 3) 

Passwords are becoming things of the past. Passkeys are more secure, easier to manage, and speed up the log in process

And we agree. If there is a cybersecurity themed day that we would like to get rid as soon as possible it’s world password day. Sorry, old friend, but you’re outdated, and it looks like your days are numbered. Let’s switch to passkeys.

To quote Microsoft:

> “As the world shifts from passwords to passkeys, we’re excited to join the FIDO Alliance in leaving World Password Day behind to celebrate the very first World Passkey Day.”

In 2013, Intel introduced World Password Day to remind people of the importance of strong passwords. But over time, the number of passwords we use, and the necessary strengths have grown so much that the system has become practically unusable without a password manager. So, only a few years later, Microsoft introduced Windows Hello, a new way for users to securely sign in to their accounts with their face, fingerprint, or PIN.

For several good reasons we want to say goodbye to passwords, especially for the important sites and services. Passwords are:

*   Hard to create
*   Easy to forget
*   Often reused across sites
*   Vulnerable to hacking techniques like brute-force attacks and phishing.

**The alternative: passkeys**

Passkeys are an alternative, more modern authentication method designed to replace passwords with a safer, simpler alternative. Despite their clear advantages, many people hesitate to switch to passkeys due to unfamiliarity and misconceptions. This blog post will try to explain what passkeys are, how to use them, and why they are better than passwords, helping you embrace this next step in online security.

A passkey is a digital credential that replaces traditional passwords by using cryptographic keys stored locally, and securely, on your device, such as your phone or computer.

At your demand, a program on your device will create a passkey automatically when you set up an account or enable a passkey login. Basically, it’s a unique key that identifies you without ever leaving your device.

When you log in with a passkey, your device proves you are the legitimate user by using the passkey to solve a challenge without actually providing the passkey itself. As with passwords, it’s a way to prove you know the answer and with that who you are. But the difference is that, unlike passwords, passkeys can’t be stolen by fake or malicious websites.

OK. I heard some sighs in the back from the I-know-this-already crowd. There are plenty of technical explanations to be found. Feel free to try explaining cryptographic public and private keys to the people you do tech support for.

Because passkeys are tied to your device and cannot be shared or stolen like passwords, they offer a safer login experience.

**It’s not hard to use passkeys. Really!**

Using passkeys is straightforward and really not that hard:

*   **Create a passkey:** When you sign up or log into a website or app that supports passkeys, the system prompts you to create one. Your device automatically generates the cryptographic keys. This means there is truly no need to struggle with inventing a complicated 12-character password that meets confusing requirements for a site you might never use again. Your device does _all the work_.
*   **Log in:** Instead of typing a password, unlock your device using biometrics or a PIN. Your device then securely verifies your identity and tells the site or service it can trust you, without ever sending sensitive secrets over the internet.
*   **Sync across devices:** You can securely sync passkeys across your devices using encrypted cloud services or password managers. This lets you log in effortlessly from multiple devices and prevents the hassle of losing access if your device goes missing.

Having to create and memorize hundreds of complex, unique passwords is difficult and stressful. Passkeys remove this burden entirely. You don’t need to create anything or remember a lot. The authentication process is as simple as unlocking your device.

And it’s faster. Microsoft has seen that on average passkey sign-ins to their services take only 8 seconds, compared with 69 seconds to sign in using a traditional password and second factor. 

**Common misconceptions**

Many people shy away from using passkeys for the wrong reasons.

*   Your biometrics, like fingerprints or facial scans are not stored externally, the site you’re visiting never gets to see them. They are just meant for your device to verify it’s really you.
*   Using passkeys is not complicated as we explained above. Sure, the theory behind it is, but the user-experience may actually be simpler than password creation and management.
*   You are not losing the extra layer of 2FA security you set up for important sites and services. Passkeys inherently support two-factor authentication (2FA) without extra steps, since possession of your device plus biometric or PIN verification is required.

**There are downsides**

I have to be honest here. Some things are not ideal yet. But as we move forward and more people start using passkeys, these will improve soon enough.

As I hinted earlier, losing your device can pose a problem, since your key got lost along with it, unless you synchronize it. This is a problem that’s actively being worked on.

Many websites and services also don’t support passkeys yet. Developers and service providers are actively working to make passkey adoption smoother and more widespread, so you will see more websites and apps supporting passkeys soon.

Not every passkey system is equal. Due to the history of their development which is still ongoing, there are currently multiple flavors of passkey. These range from device-bound and physical token passkeys (that never leave the device) to synchronized passkeys that offer the option to use a device’s Credential Manager to back up and synchronize passkeys across the user’s other devices. This can confuse or frustrate users who just want the authentication to work, without having to worry about the nuances of the underlying technology. Industry groups (including the FIDO Alliance and W3C) are working on standards, guides, and tools to improve this situation for developers and users.

**Give it a try**

It doesn’t take a lot of effort to convince yourself of the benefits of passkeys.

Passkeys are created on, saved to, and synchronized across devices through a password manager. For example, passkeys created on a website on Chrome on Android are stored to the Google Password Manager by default, and then synchronized to different environments where Google Password Manager is available, such as Chrome on macOS, Windows, Linux, and ChromeOS. It’s up to the user which password manager to store a passkey to or to authenticate a passkey from depending on the environment.

To save a passkey to Google Password Manager, ensure you’re signed into your Google Account on an eligible device (Android, Chrome, or other supported platforms). When prompted by a website supporting passkeys, agree to create a passkey and follow the on-screen instructions.

MacOS allows you to save passkeys either in Google Password Manager or iCloud Keychain if you’re using macOS 13.5 or higher.

*   **Try passkeys today:** Look for websites and apps that offer passkey login options and give them a try. You’ll likely find the experience faster and easier than passwords.
*   **Educate yourself and others:** Share what you learn about passkeys with friends and family, especially those who find passwords confusing or frustrating.
*   **Advocate for passkey support:** Encourage your favorite sites and services to support passkeys to help make the internet safer for everyone.
*   **Use secure device authentication:** Enable biometrics or PINs on your devices to fully benefit from passkey security.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 On world password day, Microsoft says fewer passwords, more passkeys 

Researchers found a set of vulnerabilities that puts all devices leveraging Apple's AirPlay at risk.

Researchers found a set of vulnerabilities in Apple’s AirPlay SDK that put billions of users at risk of their devices being taking over.

AirPlay is Apple’s proprietary wireless technology that allows you to stream audio, video, photos, and even mirror your device’s screen from an iPhone, iPad, or Mac to other compatible devices like Apple TV, HomePod, smart TVs, or speakers. It works over Wi-Fi, so you don’t need cables.

Apple added the necessary updates on April 28 to the March 31 update. The update—iOS 18.4 and iPadOS 18.4—was initially issued on March 31, but the additional security fixes were delivered through Rapid Security Responses, or minor patches that Apple incorporated after the initial release. Rapid Security Response (RSR) is a type of software patch delivering security fixes between Apple’s regular, scheduled software updates.

The good news is if you installed the March 31 update, you should be fine. Otherwise, check manually if any updates are available.

To check if you’re using the latest software version, go to **Settings > General > Software Update**. You want to be on iOS 18.4.1 or iPadOS 18.4.1, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

*   The latest version of macOS is 15.4.1. Learn how to update the software on your Mac and how to allow important background updates.
*   The latest version of tvOS is 18.4.1. Learn how to update the software on your Apple TV.
*   The latest version of watchOS is 11.4. Learn how to update the software on your Apple Watch.
*   The latest version of visionOS is 2.4.1. Learn how to update the software on your Apple Vision Pro.

The AirPlay SDK (Software Development Kit) is a set of programming tools Apple provides to app developers to integrate AirPlay functionality into their apps. Using the AirPlay SDK, developers can add features that allow their apps to stream audio or video content wirelessly to AirPlay-compatible devices. This makes apps “AirPlay-ready” by handling the streaming and control behind the scenes.

Combining vulnerabilities allows an attacker on the local network to potentially take control of devices that support AirPlay—both Apple devices and third-party devices that leverage the AirPlay SDK.

Apple released updates to fix the vulnerabilities on April 29 for members of the Apple MFi Program, who are developers of Apple-compatible accessories or software.

The researchers who found and reported these flaws warn they can be exploited without any user interaction—or with just a single click—to execute remote code. Attackers could also use them for man-in-the-middle interceptions, denial-of-service disruptions, and to bypass access controls and user prompts. On top of that, these vulnerabilities may allow unauthorized access to sensitive data and local files, making them a serious risk that demands immediate attention.

**Technical details**

In total, the researchers responsibly disclosed 23 vulnerabilities to Apple, leading to 17 CVEs being issued. A complete list and description of these CVEs, as well as specific attack scenarios they enable, can be found on their blog.

The most important vulnerabilities are:

CVE-2025-24252: Successful exploitation of the use-after-free vulnerability could allow a remote attacker to execute arbitrary code. When exploited together with CVE-2025-24206, the attacker is able to perform zero-click remote code execution on other vulnerable AirPlay-enabled devices in the same network, without any user interaction. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10.

CVE-2025-24206: Successful exploitation of the vulnerability could allow an attacker to bypass authentication and conduct malicious activities without user interaction when exploited with other vulnerabilities.

CVE-2025-24132: Successful exploitation of the stack-based buffer overflow vulnerability could allow an attacker to perform zero-click remote code execution on vulnerable AirPlay SDK devices and potentially leak sensitive information by eavesdropping.

That the attacker does need to be on the same network, but exploitation require minimal to no interaction of the target.

**Possible protective actions**

These depend very much on the types of devices you are using, so I will try to give some general guidance and the reasons behind them.

*   As we said above, make sure your devices are fully updated
*   Use up-to-date and active malware protection
*   Disable AirPlay if you’re not using it, or set it to **Ask** as a minimum

*   Disable AirPlay Receiver if it is not in use.
*   Be extra careful on public networks. This vulnerability could theoretically spread in airports, offices, hotels, or conferences where many Apple devices are in close proximity. In such cases, avoid using unsecured Wi-Fi.
*   Restrict AirPlay settings: Change the **Allow AirPlay for** to **Current User**. While this does not prevent all of the issues, it does reduce the protocol’s attack surface.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple AirPlay SDK devices at risk of takeover—make sure you update 

These 3 cybersecurity threats may not be the most sophisticated, but they're the most effective—and serious—threats for small businesses.

In an online world filled with extraordinarily sophisticated cyberattacks—including organized assaults on software supply chains, state-directed exploitations of undiscovered vulnerabilities, and the novel and malicious use of artificial intelligence (AI)—small businesses are forced to prioritize a different type of cyberattack: The type that gets through.

Without robust IT budgets or fully staffed cybersecurity departments, small businesses often rely on their own small stable of workers (including sole proprietors with effectively zero employees) to stay safe online. That means that what worries these businesses most in cybersecurity is what is most likely to work against them.

Here are the three biggest cybersecurity threats to small businesses right now. They may sound basic or even crude, but they are the biggest threats precisely because they are so effective.

**1\. Phishing**

In phishing scams, cybercriminals trick people and businesses into handing over sensitive information like credit card numbers or login details for vital online accounts.

Cybercriminals do this by sending messages—like emails and texts—disguised as legitimate communications from major businesses (think Slack, Uber, FedEx, and Google). These messages frequently warn recipients about a problem with their accounts, like a password that needs to be updated, a policy change that requires a login, or a delayed package that has to be approved.

But when victims follow the links within these malicious messages, they are brought to a website that, while appearing genuine, is completely controlled by cybercriminals. Lured in by similar color schemes, company logos, and familiar layouts, victims “log in” to their account by entering their username and password. In reality, those usernames and passwords are delivered directly to cybercriminals on the other side of the website.

In phishing attacks, there never is a genuine problem with a user’s account, and there never is a real request for information from the company. Instead, the entire back-and-forth is a charade.

As devastating as this is, the more complex threat of phishing lies in its adaptability. Whereas early phishing scams arrived almost entirely through emails, modern phishing scams can reach victims through malicious websites, text messages, social media, and even mobile app downloads.

In 2024, Malwarebytes found more than 22,800 phishing apps on Android, according to the recent 2025 State of Malware report. Disguised as apps such as TikTok, Spotify, and WhatsApp, these Android apps can trick victims into handing over their associated usernames and passwords when asking them to login.

Understandably, some small business owners might discount the threat of losing their login credentials to consumer tools like Spotify and TikTok. But here, the threat of phishing is compounded by another enormous problem in cybersecurity, which is that too many individuals and businesses reuse passwords across multiple accounts. That means that email login credentials that were successfully stolen in a phishing scam could also provide access to a small business’s financial accounts, payroll services, and even tax info.

Further, if a hacker were to use their wrongful access to steal customer data, then a small business might also have to front the cost for sending out data breach notifications, per their state’s regulations.

**How to protect your business:**

*   Use unique, strong passwords for each online account and store and create these passwords using a password manager
*   Enable “multifactor authentication” on all important business accounts so that hackers who steal passwords cannot access accounts with only usernames and passwords
*   Do not click on links from unknown senders
*   If you’re asked for login information through an email or online message, do _not_ input your login info in the email or through whatever link you’re directed towards. Instead, navigate to the site directly.

Social media is not just a vital tool for promoting many small businesses, it can often be the entire business itself.

YouTube video creators, Twitch streamers, and lifestyle influencers on TikTok and Instagram are effectively small business owners. They make a product and they earn revenue just like many online businesses—through ads and sponsored partnership deals.

If any of these social media business owners lost their login credentials through a phishing scam or data breach, they could potentially lose access to their entire operation.

In 2023, famous YouTube tech personality Linus Sebastian suffered a hack of three different YouTube channels associated with his company, Linus Media Group. The hackers hijacked the channels to spread cryptocurrency scams, while deleting some of the group’s old videos in the process. The attack was largely reminiscent of a 2022 YouTube account hack that repurposed a 2018 interview with Apple CEO Tim Cook to fool viewers into following a separate cryptocurrency scam.

Both incidents reveal the real threat to small businesses everywhere.

Social media account hacks are not only a risk to content creators—they’re a risk to any business with a legitimate online audience. Once scammers have control of any business’s social media account, they can send fraudulent messages to people on the business’s behalf and promote online scams that could tarnish the business’s reputation for years to come. Hackers could even swipe sensitive information before access is restored.

While social media hacks are often the byproduct of successful phishing attacks, cybercriminals can also gain wrongful access to a social media account through separate data breaches.

Hackers frequently buy usernames and passwords on the dark web from prior data breaches. They then use those login credentials on a variety of online accounts that belong to the same owner—entering the username and password for, say, a breached LinkedIn account into the username and password fields for QuickBooks, Shopify, and Hubspot. When people and businesses reuse passwords across accounts, hackers find an easy way in.

**How to protect your business:**

*   Use unique, strong passwords for each account and store and create these passwords using a password manager
*   Enable “multifactor authentication” on all important business accounts so that hackers who steal passwords cannot access accounts with only usernames and passwords
*   Avoid phishing attacks by refusing to click on links from unknown senders
*   Do not download any attachments from unknown senders or from unexpected emails. These attachments could contain malware that steals passwords, data, and multifactor authentication codes.

**3\. Ransomware**

Ransomware is more than a cyberthreat—it is an existential one, threatening to lock down computer systems, remove vital data, and waste potentially hundreds of thousands of dollars in recovery.

But because most ransomware news coverage focuses on major, multibillion dollar corporations that get hit with disruptive attacks, many boutique businesses might assume that ransomware gangs would never bother with a small outfit like theirs.

In reality, ransomware gangs do not care about the size, budget, or resources of their victims, because ransomware itself has become increasingly easy to scale and deploy.

Modern gangs operate on a “Ransomware-as-a-Service” model, where ransomware developers lease out their malicious software to “affiliates” who, if successful in launching an attack, return a small portion of their ill-gotten gains back to the ransomware developers at the top. LockBit, which was once the most active ransomware gang in history, had at least 194 affiliates doing its dirty work.

While LockBit most frequently attacked large conglomerates and governments, another Ransomware-as-a-Service group called Phobos was more than happy to prey on smaller organizations.

In 2024, when the US Department of Justice charged a Russian national named Evgenii Ptitsyn for his alleged involvement into running Phobos, its indictment revealed that one of the ransomware gang’s affiliates allegedly extorted a Maryland-based healthcare provider out of just $2,300. Other victims cited in the indictment included a marketing and data analytics firm in Arizona, a Connecticut public school system, and an automotive company out of Ohio.

According to data analyzed by Malwarebytes’ business unit ThreatDown, these smaller victims were the bread and butter of Phobos. Unlike other ransomware gangs that demanded up to $1 million or more from each victim in 2023, Phobos operators demanded an average of $1,719 from victims, with a median demand of just $300.

**How to protect your business:**

*   **Block common forms of entry.** Patch known vulnerabilities in internet-facing software and disable or harden the login credentials for remote work tools like RDP ports and VPNs.
*   **Prevent intrusions and stop malicious encryption.** Stop threats early before they can infiltrate or infect your endpoints. Use always-on cybersecurity software that can prevent exploits and malware used to deliver ransomware.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated an outbreak and stopped a first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

 The 3 biggest cybersecurity threats to small businesses 

Cybercriminals are having less success targeting end-user technology with zero-day attacks, said Google's security team this week.

Cybercriminals are having less success targeting end-user technology with zero-day attacks, said Google’s security team this week. While most attacks do still target personal technology like smartphones and browsers, the focus is moving increasingly to enterprise tech.

Zero-day vulnerabilities are those that are exploited before vendors have a chance to patch them – and often before they even know about them. Attackers using these flaws to compromise systems are still primarily espionage groups, says the Google Threat Intelligence Group in its annual analysis of zero-day exploits.

Government-backed groups and customers of commercial surveillance vendors (that’s sanitized corporate-speak for spyware) were responsible for over half the attacks that the researchers were able to attribute. Spyware continues to be a much bigger factor in zero-day exploits today than it was before 2023.

The Chinese government exploited five zero-day flaws that Google knows of, while for the first time North Korea equaled that number. Spyware customers used eight zero-day exploits.

But state and private espionage-focused attackers aren’t the only ones using zero-days. Google also sees crime groups using them to come after your data. However, as it points out, some of these groups involved in cybercrime also maintain strong links to the Russian government.

While the number of zero-day exploits that Google identified dipped to 75 from last year’s 98, the trend is still moving slowly upward, the company says. In 2022, it found 63 zero-day exploits, and the year before that it was 95, but 2019 and 2020 both showed just 31 zero-day exploits each.

Vendors are also doing better at protecting at least some of their products, found the research. Google said attackers are having less success targeting browsers and mobile operating systems. Attackers traditionally use these technologies to get at consumer users.

Perhaps that increased protection is one reason behind another key fact: The proportion of zero-day exploits targeting end-user technologies was lower this year at 56% than those targeting enterprise tech. That’s a consistently falling number; 90.32% of zero-day exploits targeted end-user tech in 2019, followed by 70.97%, 74.74%, 63.49%, and 63.27% respectively through 2023.

In particular, exploitation of browsers and mobile devices was far lower this year than last. Browsers saw a third fewer zero-day exploits than last year, with most targeting Chrome due to its popularity, while mobile device zero-day attacks halved.

This doesn’t mean attackers won’t continue trying their best to infiltrate end-user products. “Phones and browsers will almost certainly remain popular targets, although enterprise software and appliances will likely see a continued rise in zero-day exploitation,” Google said.

When spyware attackers do target mobile devices, they will chain together multiple vulnerabilities in complex attacks on mobile devices to get around mobile vendors’ security practices.

As Google points out, it’s difficult to separate attacks against enterprise and end-user technology because enterprises often use these technologies too. Nevertheless, it has seen a 9% rise in zero-day attacks using purely enterprise tech, namely security and network products. They comprised 60% of all zero-day attacks on enterprise technologies, the company said.

What does all this mean for you? Just keep on doing what you already should be, applying basic cyber hygiene when using your devices. Admittedly, keeping your system up to date won’t help against a zero-day, but patching quickly could stop attacks reaching you if vendors see them and issue updates in time. In addition, some technologies use heuristics to try and stop software they haven’t seen before which look suspicious. And of course, avoiding opening links and files that you’re not sure about can stop zero-day exploits hitting your device in the first place.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Source

Malwarebytes