Cybersecurity researchers are calling attention to a new shift in the Android malware landscape where dropper apps, which are typically used to deliver banking trojans, to also distribute simpler malware such as SMS stealers and basic spyware.
These campaigns are propagated via dropper apps masquerading as government or banking apps in India and other parts of Asia, ThreatFabric said in a report

Cybersecurity researchers are calling attention to a new shift in the Android malware landscape where dropper apps, which are typically used to deliver banking trojans, to also distribute simpler malware such as SMS stealers and basic spyware.

These campaigns are propagated via dropper apps masquerading as government or banking apps in India and other parts of Asia, ThreatFabric said in a report last week.

The Dutch mobile security firm said the change is driven by recent security protections that Google has piloted in select markets like Singapore, Thailand, Brazil, and India to block sideloading of potentially suspicious apps requesting dangerous permissions like SMS messages and accessibility services, a heavily abused setting to carry out malicious actions on Android devices.

"Google Play Protect's defences, particularly the targeted Pilot Program, are increasingly effective at stopping risky apps before they run," the company said. "Second, actors want to future-proof their operations."

"By encapsulating even basic payloads inside a dropper, they gain a protective shell that can evade today's checks while staying flexible enough to swap payloads and pivot campaigns tomorrow."

ThreatFabric said that while Google's strategy ups the ante by blocking a malicious app from being installed even before a user can interact with it, attackers are trying out new ways to get around the safeguards -- an indication of the endless game of whack-a-mole when it comes to security.

This includes designing droppers, keeping in mind Google's Pilot Program, so that they don't seek high-risk permissions and serve only a harmless "update" screen that can fly past scanning in the regions.

But it's only when the user clicks the "Update" button that the actual payload gets fetched from an external server or unpacked, which then proceeds to seek the necessary permissions to fulfil its objectives.

"Play Protect may display alerts about the risks, as a part of a different scan, but as long as the user accepts them, the app is installed, and the payload is delivered," ThreatFabric said. "This illustrates a critical gap: Play Protect still allows risky apps through if the user clicks Install anyway, and the malware still slips through the Pilot Program."

One such dropper is RewardDropMiner, which has been found to serve along with spyware payloads a Monero cryptocurrency miner that can be activated remotely. Recent variants of the tool, however, no longer include the miner functionality.

Some of the malicious apps delivered via RewardDropMiner, all targeting users in India, are listed below -

*   PM YOJANA 2025 (com.fluvdp.hrzmkgi)
*   °RTO Challan (com.epr.fnroyex)
*   SBI Online (com.qmwownic.eqmff)
*   Axis Card (com.tolqppj.yqmrlytfzrxa)

Other dropper variants that avoid triggering Play Protect or the Pilot Program include SecuriDropper, Zombinder, BrokewellDropper, HiddenCatDropper, and TiramisuDropper.

When reached for comment, Google told The Hacker News it has not found any apps using these techniques distributed via the Play Store and that it's constantly adding new protections.

"Regardless of where an app comes from – even if it's installed by a 'dropper' app – Google Play Protect helps to keep users safe by automatically checking it for threats," a spokesperson said.

"Protection against these identified malware versions was already in place through Google Play Protect prior to this report. Based on our current detection, no apps containing these versions of this malware have been found on Google Play. We're constantly enhancing our protections to help keep users safe from bad actors."

The development comes as Bitdefender Labs has warned of a new campaign that's using malicious ads on Facebook to peddle a free premium version of the TradingView app for Android to ultimately deploy an improved version of the Brokewell banking trojan to monitor, control, and steal sensitive information from the victim's device.

No less than 75 malicious ads have been run since July 22, 2025, reaching tens of thousands of users in the European Union alone. The Android attack wave is just one part of a larger malvertising operation that has abused Facebook Ads to also target Windows desktops under the guise of various financial and cryptocurrency apps.

"This campaign shows how cybercriminals are fine-tuning their tactics to keep up with user behavior," the Romanian cybersecurity company said. "By targeting mobile users and disguising malware as trusted trading tools, attackers hope to cash in on the growing reliance on crypto apps and financial platforms."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Android Droppers Now Deliver SMS Stealers and Spyware, Not Just Banking Trojans

WhatsApp has patched a vulnerability that was used in conjunction with an Apple vulnerability in zero-click attacks.

WhatsApp says it has issued an update to patch a vulnerability that has been used in conjunction with an Apple vulnerability to target specific users and compromise their devices.

Reportedly, attackers used this exploit against dozens of WhatsApp users, and WhatsApp has notified those affected:

> “Our investigation indicates that a malicious message may have been sent to you through WhatsApp and combined with other vulnerabilities in your device’s operating system to compromise your device and the data it contains, including messages.
> 
>   
> While we don’t know with certainty that your device has been compromised, we wanted to let you know out of an abundance of caution so you can take steps to secure your device and information.”

WhatsApp advised the affected users to perform a full factory reset of their phone in order to make sure they are rid of the malware.

> “We’ve made changes to prevent this specific attack from occurring through WhatsApp. However, your device’s operating system could remain compromised by the malware or targeted in other ways.
> 
>   
> To best protect yourself, we recommend a full device factory reset. We also strongly urge you to keep your devices updated to the latest version of the operating system, and ensure that your WhatsApp app is up to date.”

According to the Amnesty International Security Lab, the vulnerability was part of a zero-click attack against both iPhone and Android users. A zero-click attack is a type of attack which allows the cybercriminals to break into devices or apps without the victim needing to click, tap, or respond to anything. Unlike classic scams that rely on tricking someone into clicking a sketchy link, zero-click threats can land on a device simply because an app receives a message or notification crafted to exploit a hidden flaw.

**Technical details**

The zero-click attack required two vulnerabilities.

For iOS and Mac users these vulnerabilities were tracked as CVE-2025-43300 and lie in the Image I/O framework, the part of macOS and iOS that an app needs to open or save a picture. The problem came from an out-of-bounds write. Apple stepped in and tightened the rules with better bounds checking, closing off the hole so attackers can no longer use it.

An out-of-bounds write vulnerability means that the attacker can manipulate parts of the device’s memory that should be out of their reach. Such a flaw in a program allows it to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers can write code to a part of the memory where the system executes it with permissions that the program and user should not have.

In this case, an attacker could construct an image to exploit the vulnerability.  Processing such a malicious image file would result in memory corruption. Attackers can exploit memory corruption flaws to crash important processes or execute their own code.

The second vulnerability, CVE-2025-55177 for WhatsApp users, is caused by incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 and could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.

**What to do**

The infection chain described in the security advisories from Apple and WhatsApp relies on two components: an Apple vulnerability (CVE-2025-43300) in the Image I/O framework and a WhatsApp vulnerability (CVE-2025-55177) that allowed the hijacking of devices by synchronizing messages.

Attackers exploited the Apple ImageIO bug via malicious image files, which is dangerous because this core library is used by multiple apps (not just WhatsApp) for opening and previewing pictures. In affected WhatsApp versions for iOS and Mac, the sync message bug could trigger arbitrary URL processing, creating a powerful combo for chaining exploits and compromising devices without any user action.

While Android users were mentioned among potential targets in advanced spyware campaigns reported by Amnesty, the most severe zero-click risk described applies only to Apple devices. For Android, the WhatsApp vulnerability may have exposed users to attacks, but not via the same chained infection vectors. As always, updating WhatsApp and enabling advanced security features (like Google Advanced Protection on Android) is highly recommended. So is using security protection on your devices.

If you’ve received one of the notifications from WhatsApp, we’d advise you to follow the instructions.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp fixes vulnerability used in zero-click attacks 

This guide gives step-by-step instructions how how to enable two-step verification for WhatsApp on Android, iOS, and iPadOS

Two step verification is the name Meta uses for what is generally referred to as Two-factor authentication (2FA). 2FA is not fool-proof, but it is one of the best ways to protect your accounts from hackers.

It adds an extra step when logging in, which is a small extra effort for you, but it dramatically boosts your security. WhatsApp 2FA, called Two-Step Verification, requires you to enter a PIN code when registering your phone number on a new device, stopping hackers even if they have your SMS code.

Here’s how to enable 2FA on WhatsApp for Android and iOS.

1.  Open WhatsApp.
2.  Go to **Settings** (you’ll see it if you tap the three dots, usually located in the upper right corner).
3.  Tap **Account**.
4.  Select **Two-step verification**.
5.  Tap **Enable**.
6.  Create a unique 6-digit PIN and confirm it.
7.  Optionally, you can add your email address to recover your PIN if you forget it.
8.  Tap **Save**.

Now, whenever you verify your phone number on WhatsApp and every so often when you open the app, you’ll need the 6-digit PIN.

**How to set up two-step verification for WhatsApp on iPhone or iPad**

1.  Open the WhatsApp app on your iPhone or iPad.
2.  Tap on **Settings** (the gear icon)
3.  Tap on **Account**.
4.  Select **Two-step verification**.
5.  Tap on **Turn on** or **Set up PIN** to begin.
6.  Enter a six-digit PIN of your choice, then enter it again to confirm it.
7.  Optionally, you can add your email address to recover your PIN if you forget it.
8.  Tap **Save** or **Done**.
9.  If you added an email, enter the verification code sent to that email to complete the process.

Now, whenever you verify your phone number on WhatsApp and every so often when you open the app, you’ll need the 6-digit PIN.

****Enable it today if you can****

Even the strongest password isn’t enough on its own. 2FA means a thief must have access to your an additional factor to be able to log in to your account, whether that’s a code on a physical device or a security key. In addition to your password, this makes an account takeover much harder.

We recommend you set up 2FA on all your important accounts, including messaging and social media accounts. Do it today if you get a chance: It only takes a few minutes but can save you from hours or even days of headaches later. It’s currently the best password advice we have.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 How to set up two-step verification on your WhatsApp account 

A list of topics we covered in the week of August 25 to August 31 of 2025

August 28, 2025 - The FCC has disconnected over a thousand voice operators from the public telephone network for not doing their part to stop robocallers.

August 28, 2025 - Anthropic—maker of AI coding chatbot Claude—says cybercriminals have abused Claude to automate and orchestrate sophisticated attacks.

August 27, 2025 - To reduce the number of harmful apps targeting Android users, Google is making some changes.

August 27, 2025 - TheTruthSpy is at it again. A security researcher has discovered a flaw in the Android-based stalkerware that allows anyone to compromise any record in the system.

August 27, 2025 - Researchers have found 77 malicious apps in the official Google Play Store, ranging from adware to state of the art banking Trojans.

 A week in security (August 25 &#8211; August 31) 

WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks.
The vulnerability, CVE-2025-55177 (CVSS score: 8.0), relates to a case of insufficient authorization of linked device synchronization messages. Internal researchers on the

WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks.

The vulnerability, **CVE-2025-55177** (CVSS score: 8.0), relates to a case of insufficient authorization of linked device synchronization messages. Internal researchers on the WhatsApp Security Team have been credited with discovering and rerating the bug.

The Meta-owned company said the issue "could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device."

The flaw affects the following versions -

*   WhatsApp for iOS prior to version 2.25.21.73
*   WhatsApp Business for iOS version 2.25.21.78, and
*   WhatsApp for Mac version 2.25.21.78

It also assessed that the shortcoming may have been chained with CVE-2025-43300, a vulnerability affecting iOS, iPadOS, and macOS, as part of a sophisticated attack against specific targeted users.

CVE-2025-43300 was disclosed by Apple last week as having been weaponized in an "extremely sophisticated attack against specific targeted individuals."

The vulnerability in question is an out-of-bounds write vulnerability in the ImageIO framework that could result in memory corruption when processing a malicious image.

Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, said WhatsApp has notified an unspecified number of individuals that they believe were targeted by an advanced spyware campaign in the past 90 days using CVE-2025-55177.

In the alert sent to the targeted individuals, WhatsApp has also recommended performing a full device factory reset and keeping their operating system and the WhatsApp app up-to-date for optimal protection. It's currently not known who, or which spyware vendor, is behind the attacks.

Ó Cearbhaill described the pair of vulnerabilities as a "zero-click" attack, meaning it does not require any user interaction, such as clicking a link, to compromise their device.

"Early indications are that the WhatsApp attack is impacting both iPhone and Android users, civil society individuals among them," Ó Cearbhaill said. "Government spyware continues to pose a threat to journalists and human rights defenders."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

WhatsApp Issues Emergency Update for Zero-Click Exploit Targeting iOS and macOS Devices

A Facebook malvertising campaign is spreading the Brokewell spyware to Android users via fake TradingView ads. The malware…

A Facebook malvertising campaign is spreading the Brokewell spyware to Android users via fake TradingView ads. The malware steals crypto and personal data.

Cybersecurity researchers at Bitdefender Labs have discovered a new malicious ad campaign (malvertising) on Facebook that is actively spreading a notorious Android spyware against unsuspecting users.

The research, shared with _Hackread.com_, reveals that the campaign tricks victims into downloading Brokewell spyware, which has been operational since at least early 2024. In one previous case reported in April 2024, the Brokewell spyware was spotted spreading via Fake Chrome Updates.

****How the Ads Find Their Targets****

Researchers found that this malvertising campaign doesn’t just target a general group of users; it uses the Facebook ad network to specifically target Android users with tailored ads. In just one month, these ads have already been served to tens of thousands of users in the European Union alone, showing how eagerly cyber criminals have been attempting to spread this threat.

The campaign’s modus operandi involves attackers creating advertisements that look like they’re from the legitimate platforms. For example, one company specifically targeted in this malvertising is TradingView, a widely used online trading platform.

As shown in the screenshot below, scammers have used the company’s branding and visuals. These ads promise a high-value item, a free premium app, to trick users into clicking.

Malicious ads which spread BrokeWell malware – Source: Bitdefender Labs

****New Features****

According to researchers, once installed, the malware displays spyware and Remote Access Trojan (RAT) capabilities, suggesting that this is an advanced version of Brokewell.

The malware then requests permissions, often posing as fake update prompts, to gain total control. It can steal cryptocurrencies, bypass two-factor authentication, and even take over a user’s accounts.

It also allows the attackers to record screen activity, log keystrokes, and use the device’s camera and microphone. The malware can even intercept sensitive text messages, including banking and security codes.

All these capabilities show Android spyware is out of control, and as more people rely on smartphones for banking, crypto wallets, and other financial apps, a single compromised device can give hackers access to a person’s entire financial life. Researchers suggest the following security tips to stay protected from such campaigns:

*   Avoid clicking on ads on social media.

*   Check website URLs carefully for fakes.

*   Review app permissions before granting them.

*   Avoid installing apps from unofficial sources (sideloading).

*   Be cautious of ads, even on trusted platforms like Facebook.

Fake Facebook Ads Push Brokewell Spyware to Android Users

The FCC has disconnected over a thousand voice operators from the public telephone network for not doing their part to stop robocallers.

Everyone hates robocalls. However, it’s difficult to track down all the scammers and spammers that make them, so the Federal Communications Commission (FCC) has taken another approach: it just disconnected over a thousand voice operators from the public telephone network for not doing their part to stop the scourge.

This week, the Commission’s Enforcement Bureau removed over 1,200 voice service providers from its Robocall Mitigation Database (RMD). Created in 2020, this database is a ledger with records proving that telephony operators are taking measures to stop robocalls routing their calls through their networks. Removal from the database prevents other operators from taking a service provider’s traffic, effectively cutting it off from the US phone network.

**Shaken and stirred**

There’s a long road leading to this point, starting with the development of the STIR/SHAKEN protocol. Secure Telephone Identity Revisited (STIR) is a standard for ensuring that the caller ID showing up on your phone is legit. Signature-based Handling of Asserted information using toKENs (SHAKEN) is the technical tooling that lets telephony providers use the standard on their network.

Large voice telephony providers had to implement STIR/SHAKEN by June 30 2021 under the TRACED Act of 2019. Smaller providers got an extension. The RMD tracks which providers are using this system.

The Commission has been tightening the screws on companies that didn’t comply with the Act. In December, it announced that it might remove up to 2,411 companies if they couldn’t give a good reason for why they didn’t have up-to-date filings in the database.

On August 6, it began delivering on its promise, removing 185 voice providers from the database after they were found to be an originator or gateway provider for robocalls, or after they didn’t co-operate with the traceback procedures used to trace those calls.

The FCC also has support at a state level. In early August, 51 attorneys general launched Operation Robocall Roundup, which sent letters to 37 voice operators putting them on notice about illegal robocalls using their networks.

According to Commission Chair Brendan Carr:

> “Robocalls are an all-too-common frustration — and threat — to Americans \[sic\] households. The FCC is doing everything in its power to fight back against these malicious and illegal calls. Providers that fail to do their duty when it comes to stopping these calls have no place in our networks. We’re taking action and we will continue to do so.”

**Protection isn’t guaranteed**

This is great, as far as it goes, but STIR/SHAKEN only works on IP-based phone networks (those that use the same protocol that the internet uses to move their digitized voice data around). Legacy phone networks that don’t use IP, such as in some rural areas, can’t use the technology. Those will fade over time, though.

Perhaps more importantly, the STIR/SHAKEN rules apply to US providers only, and it’s cheap for overseas providers to reach you. So overseas robocallers can still get to you easily via non-US operators while spoofing caller IDs.

Finally, STIR/SHAKEN only proves that the number showing up on your phone is the number that’s actually calling. The person using that number could still be a scammer.

So, you still need to do a little legwork of your own to minimize robocalls. Network providers (typically the larger ones) often run their own network analytics to root out robocallers. They frequently bundle such services. You can also set your phone to send all calls from numbers not in your contact list straight to voicemail.

If you use a landline, you can connect call blocking devices to your phone. Those use a variety of tricks, including messages that require a caller to press a specific number before the call goes through. The more action you take at your end, the more likely you are to block out automated nuisances.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 &#8220;No place in our networks&#8221;: FCC hangs up on thousands of voice operators in robocall war 

To reduce the number of harmful apps targeting Android users, Google is making some changes.

To reduce the number of harmful apps targeting Android users, Google has announced that certified Android devices will require all apps to be registered by verified developers in order to be installed.

But this new measure is not just about malware that’s found on the Google Play Store, it’s mainly about sideloaded apps (apps downloaded from outside the official Google Play Store).

Since August 31, 2023, apps on the Play Store already were subject to a D-U-N-S (Data Universal Numbering System) number requirement. Google says this has helped reduce the number of cybercriminals exploiting anonymity to distribute malware, commit financial fraud, and steal sensitive data.

To broaden this success, Google intends to start sending out invitations gradually starting October 2025, before opening it up to all developers in March 2026. In September 2026, the requirements go into effect in Brazil, Indonesia, Singapore, and Thailand. At this point, any app installed on a certified Android device in these regions must be registered by a verified developer. The requirements will then be rolled out globally.

This initiative, branded as ‘Developer verification,’ aims to combat the widespread problem of malware from sideloaded apps. Google says its research shows that 50 times more malware comes from sideloaded sources than from Google Play itself.

So, the new rules extend to everyone distributing Android apps, including those hosting them on third-party app stores or offering APK downloads directly. For developers who distribute their apps solely through the Google Play Store there will not be much of a change.

Yet, while legitimate developers will tell you how hard it is to get their apps accepted into the Google Play Store, cybercriminals manage to sneak in their malicious apps anyway.

For a full understanding of the new requirement, we’ll need to explain what “certified Android devices” are.

A definition for a certified Android device is: an Android product—such as a smartphone, tablet, smart TV, or streaming box—that has passed a rigorous series of Google security, compatibility, and performance tests, and is officially approved by Google. Certified devices run an official version of Android and have access to Google apps and the Play Store. Uncertified devices often lack these and may not receive updates or proper security support.

This is important to know because not all Android malware is limited to phones. Take for example, the BadBox botnet which also affects devices like TV streaming boxes, tablets, and smart TVs.

In practice, a certified device encompasses all mainstream devices from Samsung, Xiaomi, Motorola, OnePlus, Oppo, Vivo, and the Google Pixel line.

Reportedly, non-certified devices are those from Huawei, Amazon Fire tablets, and a set of Chinese TV boxes and smartphones that use heavily modified OS images.

Google encourages all developers to sign up for early access as the best way to prepare and stay informed.

>  “Early participants will also get:
> 
> *   An invitation to an exclusive community discussion forum.
> *   Priority support for these new requirements.
> *   The chance to provide feedback and help us shape the experience.”

Whether these controls will be effective largely depends on enforcement and public awareness, but Google feels it marks real progress toward a safer mobile ecosystem. Let us know how you feel about this in the comments.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Developer verification: a promised lift for Android security 

TheTruthSpy is at it again. A security researcher has discovered a flaw in the Android-based stalkerware that allows anyone to compromise any record in the system.

TheTruthSpy is at it again. A security researcher has discovered a flaw in the Android-based stalkerware that allows anyone to compromise any record in the system.

TheTruthSpy stalkerware is designed to be installed surreptitiously on a victim’s Android phone. It then monitors that phone’s activities and sends the information it gathers back to a central server. On Monday, TechCrunch revealed—not for the first time—that the servers are vulnerable to attack. It found that anyone can reset the password of any account on the app, meaning they could hijack anyone’s data.

The security researcher, Swarang Wade, demonstrated the vulnerability to TechCrunch by changing the passwords on several tests accounts. The publication isn’t revealing exactly how it was done, to prevent anyone from abusing the flaw.

TheTruthSpy gathers a lot of data about its victims. It provides the person who installed it with information about what calls or texts were made or received on the victim’s phone, and its location (harvested from the GPS), along with activities associated with messaging apps and files.

This isn’t the first time that TheTruthSpy has suffered from security issues:

*   In 2018, a hacker gained access to all its servers.
*   In 2019, it exposed pictures of kids taken with infected phones online.
*   In 2024, stalkerware researchers found an unpatched flaw that rendered all data on the app’s servers accessible.

This would all be very bad if people using the app knew that they were doing so, and that their personal usage data was stored online. But many of them are oblivious to the fact.

TheTruthSpy’s vendor, Vietnam-based 1Byte Software, warns that people must obtain consent before installing the app on someone else’s phone. However it also specifically advertises ‘stealth mode’, which makes it “completely invisible to users on phones/tablets where it’s installed.”

The software’s website touts its ability to spy on phone users as a way for parents to monitor and protect their children. That raises its own ethical questions, especially given the multiple data leaks. But that isn’t its only use. Abusers will use apps like these to monitor their current or ex-partners, or other stalking targets.

Once a victim has this installed on their phone without their knowledge, the installer can monitor their photos, social media interactions, emails, and internet browsing history. It will also record audio and log keystrokes without them being aware.

Van (Vardy) Thieu, owner of 1Byte Software, told TechCrunch that its source code was lost. He claimed to be building a new version from scratch, although TechCrunch’s reporters found that it was using the same vulnerable software library as the older version.

The software’s multiple bugs demonstrate just how dangerous it is to put this – or indeed any stalkerware app – on someone’s phone. The operators of these apps are often difficult to track down and hold accountable for their security issues.

**How to check if you have stalkerware on your phone**

What can you do if you suspect your phone might be infected with stalkerware? We think TechCrunch’s guide deserves a mention here, as does The Coalition Against Stalkerware, of which Malwarebytes is a founding member. The latter includes per-country links to organizations that help victims of domestic violence.

It is good to keep in mind however that by removing any stalkerware-type app, you will alert the person spying on you that you know the app is there.

Because the apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes for Android can help you.

1.  Open Malwarebytes on your Android.
2.  Open the app’s dashboard
3.  Tap **Scan** **now**
4.  It may take a few minutes to scan your device.

 If malware is detected you can act on it in the following ways:

*   **Uninstall**. The threat will be deleted from your device.
*   **Ignore Always**. The file detection will be added to the Allow List, and excluded from future scans. Legitimate files are sometimes detected as malware. We recommend reviewing scan results and adding files to Ignore Always that you know are safe and want to keep.
*   **Ignore Once**: A file has been detected as a threat, but you are not sure whether to add it to your Allow List or delete. This option will ignore the detection this time only. It will be detected as malware on your next scan.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 More vulnerable stalkerware victims&#8217; data exposed in new TheTruthSpy flaw 

Researchers have found 77 malicious apps in the official Google Play Store, ranging from adware to state of the art banking Trojans.

Google has removed 77 malicious apps from the Google Play Store. Before they were removed, researchers at ThreatLabz discovered the apps had been installed over 19 million times.

One of the malware families discovered by the researchers is a banking Trojan known as Anatsa or TeaBot. This banking Trojan is a highly sophisticated Android malware, which focuses on stealing banking and cryptocurrency credentials.

Anatsa is a classic case of mobile malware rapidly adapting to security research progress. Its stealth tactics, exploitation of accessibility permissions, and ability to shift between hundreds of financial targets make it an ongoing threat for Android users worldwide.

Also found by the researchers were several types of adware. However, the largest chunk of malicious apps belonged to the Joker malware family, which is notorious for its stealthy behavior. It steals SMS messages, contacts, device info, and enrolls victims in unwanted premium services, which can result in financial losses.

The malware is installed like this:

*   It gets added to the Play Store as a benign app with useful and sought-after functionality (e.g. document readers, health trackers, keyboards, and photo apps).
*   Once installed, the app acts as a “dropper” which connects to a remote server for instructions and additional payloads, which often ends in the installation of information stealers.
*   Anatsa—specifically—uses several methods to avoid detection, such as a well-known Android APK ZIP obfuscator, and downloading each new chunk of code with a separate DES key.

Google says it picked up on the flaws and protected against these malware infections before the researchers published their report.

As a consequence, Google Play Protect may send users of the removed apps a push notification, giving them the option to remove the app from their device.

But don’t let that be your only line of defense. We found that Android users are more careful than iPhone users. Let’s keep that up!

**How to protect your Android from malicious apps**

Just because something is in the Google Play Store, there is no guarantee that it will remain a non-malicious app. So here are a few extra measures you can take:

*   Always check what permissions an app is requesting, and don’t just trust an app because it’s in the official Play Store. Ask questions such as: Do the permissions make sense for what the app is supposed to do? Why did necessary permissions change after an update? Do these changes make sense?
*   Occasionally go over your installed apps and remove any you no longer need.
*   Make sure you have the latest available updates for your device, and all your important apps (banking, security, etc.)
*   Protect your Android with security software. Your phone needs it just as much as your computer.

Malwarebytes for Android detects Anatsa as Trojan.Banker.CPL.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#android