The UK’s competition watchdog says Apple’s “walled garden” gives it too much control—and may soon force it to allow rival app stores on iPhones.

The UK’s Competition and Markets Authority (CMA) ruled that both Google and Apple have a “strategic market status.” Basically, they have a monopoly over their respective mobile platforms.

As a result, Apple may soon be required to allow rival app stores on iPhones—a major shift for the smartphone industry. Between them, Apple and Google power nearly all UK mobile devices, according to the CMA:

> “Around 90–100% of UK mobile devices run on Apple or Google’s mobile platforms.”

According to analyst data cited by the BBC, around 48.5% of British consumers use iPhones, with most of the rest on Android devices. 

If enforced, this change will reshape the experience of most of the smartphone users in the UK, and we have heard similar noises coming from the EU.

Apple has pushed back, warning that EU-style regulation could limit access to new features. The company points to Apple Intelligence, which has been rolled out in other parts of the world but is not available in the EU—something Apple blames on heavy regulation.

For app developers, the move could have profound effects. Smaller software makers, often frustrated by Apple’s 15–30% commission on in-app purchases, might gain alternative distribution routes. Competing app stores might offer lower fees or more flexible rules, making the app ecosystem more diverse, and potentially more affordable for users.

Apple, however, argues that relaxing control could hurt users by weakening privacy standards and delaying feature updates.

**Security and privacy**

Allowing multiple app stores will undeniably reshape the iPhone’s security model. Apple’s current “closed system” approach minimizes risk by funneling all apps through its vetted App Store, where every submission goes through security reviews and malware screening. This walled approach has kept large-scale malware incidents on iPhones relatively rare compared to Android.

It remains to be seen whether competing app stores will hold the same standards or have the resources to enforce them. Users can expect more variability in safety practices, which could increase exposure to fraudulent or malware-infested software.

On the other hand, we may also see app stores that prioritize safety or cater to a more privacy-focused audience. So, it doesn’t have to be all bad—but Apple has a point when it warns about higher risk.

For most users, the safest approach will be to stick with Apple’s store or other trusted marketplaces, at least in the early days. Android’s history shows that third-party app stores often become hotspots for adware and phishing, so security education is key. Regulators and developers will need to work together to make the review process and data-handling practices transparent.

There is no set timeline for when or how the CMA will enforce these changes, or how far Apple will go to comply. The company could challenge the decision or introduce limited reforms. Either way, it’s a major step toward redefining how trust, privacy, and control are balanced in the mobile age.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 Apple may have to open its walled garden to outside app stores 

SentinelLABS’ research reveals PhantomCaptcha, a highly coordinated, one-day cyber operation on Oct 8, 2025, targeting the International Red Cross, UNICEF, and Ukraine government groups using fake emails and a Remote Access Trojan (RAT) linked to Russian infrastructure.

A recent, highly coordinated cyberattack, codenamed “PhantomCaptcha,” targeted several major humanitarian and government groups supporting war relief efforts in Ukraine, according to new research from SentinelLABS.

The organisations targeted in this cyber attack included the International Red Cross, UNICEF, the Norwegian Refugee Council, and Ukrainian government administrations in regions like Donetsk and Dnipropetrovsk, among others.

The research, conducted in collaboration with the Digital Security Lab of Ukraine, reveals a clever operation launched on October 8th, 2025. The attackers spent six months preparing infrastructure for an attack that was only active for a single day.

Such rapid setup and shutdown suggest very skilled operators trying hard to avoid detection. Researchers noted the attack chain has similarities with the activity of COLDRIVER, a threat group linked to Russia’s FSB intelligence agency.

****Fake Emails and a Tricky Trap****

The attack began with official-looking emails from the Ukrainian President’s Office, which included a malicious PDF. Clicking a link in the PDF directed victims to zoomconference.app, a domain appearing as a legitimate Zoom site. This domain, hosted on a Russian-provider-owned server in Finland, presented a fake Cloudflare captcha page. This was a trap to trick people into downloading a secret spying tool.

PDF Document and Infection Path (Via SentinelLABS)

Further probing revealed that users were instructed in Ukrainian to copy a “token” and paste it into the Windows Run box to execute a hidden command. This technique, sometimes called Paste and Run or ClickFix, is dangerous because it makes the user unknowingly run the malicious code, often bypassing regular security software.

The spying tool is a multi-stage WebSocket-based remote Access Trojan (RAT) hosted on infrastructure linked to Russia, capable of giving attackers remote control over the victim’s computer to steal data.

****Long Planning, Short Operation****

The attackers’ planning was quite meticulous, showing a “high level of operational planning,” as SentinelLABS researchers explained in the blog post shared exclusively with Hackread.com. The main attack lasted only 24 hours, with user-facing websites quickly taken down. However, the command-and-control (C2) servers remained active to maintain control of any compromised systems.

Such “highly targeted, short-lived” campaigns, the researchers note, show that cyber operations against relief groups are persistent and constantly growing, aiming to collect sensitive information. The preparation and swift takedown point to an operator who understands both attack and evasion techniques.

It is worth noting that the researchers also found a potential link to a separate mobile campaign involving fake Android apps. Some were disguised as adult entertainment (like the “Princess Men’s Club” theme) or cloud storage, designed to steal a wide range of personal information, including users’ location, SIM card details, contacts, photos, and a list of installed apps.

zoomconference(.)click HTTPS response data matching princess-mens(.)click (Source: SentinelLABS)

Attacks like this show relief organisations are direct targets. Staff should treat unexpected messages as malicious. Never paste unknown tokens into the Run box. If a machine behaves oddly, take it offline and have it examined.

Report incidents to your national CERT and partners, rotate any exposed credentials, and run full scans and forensic checks. Tighten basic controls such as multi-factor authentication and limited admin rights. These steps stop many attacks before they can spread.

PhantomCaptcha RAT Attack Targets Aid Groups Supporting Ukraine

This is part of its broader push to fight impersonation and fraud, after removing more than 21,000 fake customer-support pages from Facebook.

Vulnerable Facebook Messenger and WhatsApp users are getting more protection thanks to a move from the applications’ owner, Meta. The company has announced more safeguards to protect users (especially the elderly) from scammers.

The social media, publishing, and VR giant has added a new warning on WhatsApp that displays an alert when you share your screen during video calls with unknown contacts.

On Messenger, protection begins with on-device behavioral analysis, complemented by an optional cloud-based AI review that requires user consent. The on-device protection will flag suspicious messages from unknown accounts automatically. You then have the option to forward it to the cloud for further analysis (although note that this will likely break the default end-to-end encryption on that message, as Meta has to read it to understand the content). Meta’s AI service will then explain why the device interpreted the message as risky and what to do about it, offering information about common scams to provide context.

That context will be useful for vulnerable users, and it comes after Meta worked with researchers at social media analysis company Graphika to document online scam trends. Some of the scams it found included fake home remodeling services, and fraudulent government debt relief sites, both targeting seniors. There were also fake money recovery services offering to get scam victims’ funds back (which we’ve covered before).

Here’s a particularly sneaky scam that Meta identified: fake customer support scammers. These jerks monitor comments made under legitimate online accounts for airlines, travel agencies, and banks. They then contact the people who commented, impersonating customer support staff and persuading them to enter into direct message conversations or fill out Google Forms. Meta has removed over 21,000 Facebook pages impersonating customer support, it said.

**A rising tide of scams**

We can never have too many protections for vulnerable internet users, as scams continue to target them through messaging and social media apps. While scams target everyone (costing Americans $16.6 billion in losses, according to the FBI’s cybercrime unit IC3), those over 60 are hit especially hard. They lost $4.8 billion in 2024. Overall, losses from scams were up 33% across the board year-on-year.

Other common scams include “celebrity baiting”, which uses celebrity figures without their knowledge to dupe users into fraudulent schemes including investments and cryptocurrency. With deepfakes making it easier than ever to impersonate famous people, Meta has been testing facial recognition to help spot celebrity-bait ads for a year now, and recently announced plans to expand that initiative.

If you know someone less tech-savvy who uses Meta’s apps, encourage them to try these new protections—like Passkeys and Security Checkup. Passkeys let you log in using a fingerprint, face, or PIN, while Security Checkup guides you through steps to secure your account.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

**About the author**

Danny Bradbury has been a journalist specialising in technology since 1989 and a freelance writer since 1994. He covers a broad variety of technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector. He hails from the UK but now lives in Western Canada.

 Meta boosts scam protection on WhatsApp and Messenger 

The Universe Browser is believed to have been downloaded millions of times. But researchers say it behaves like malware and has links to Asia’s booming cybercrime and illegal gambling networks.

The Universe Browser makes some big promises to its potential users. Its online advertisements claim it’s the “fastest browser,” that people using it will “avoid privacy leaks” and that the software will help “keep you away from danger.” However, everything likely isn’t as it seems.

The browser, which is linked to Chinese online gambling websites and is thought to have been downloaded millions of times, actually routes all internet traffic through servers in China and “covertly installs several programs that run silently in the background,” according to new findings from network security company Infoblox. The researchers say the “hidden” elements include features similar to malware—including “key logging, surreptitious connections,” and changing a device’s network connections.

Perhaps most significantly, the Infoblox researchers who collaborated with the United Nations Office on Drugs and Crime (UNODC) on the work, found links between the browser’s operation and Southeast Asia’s sprawling, multibillion-dollar cybercrime ecosystem, which has connections to money-laundering, illegal online gambling, human trafficking, and scam operations that use forced labor. The browser itself, the researchers says, is directly linked to a network around major online gambling company BBIN, which the researchers have labeled a threat group they call Vault Viper.

The researchers say the discovery of the browser—plus its suspicious and risky behavior—indicates that criminals in the region are becoming increasingly sophisticated. “These criminal groups, particularly Chinese organized crimes syndicates, are increasingly diversifying and evolving into cyber enabled fraud, pig butchering, impersonation, scams, that whole ecosystem,” says John Wojcik, a senior threat researcher at Infoblox, who also worked on the project when he was a staff member at the UNODC.

“They’re going to continue to double down, reinvest profits, develop new capabilities,” Wojcik says. “The threat is ultimately becoming more serious and concerning, and this is one example of where we see that.”

**Under the Hood**

The Universe Browser was first spotted—and mentioned by name—by Infoblox and UNODC at the start of this year when they began unpacking the digital systems around an online casino operation based in Cambodia, which was previously raided by law enforcement officials. Infoblox, which specializes in domain name system (DNS) management and security, detected a unique DNS fingerprint from those systems that they linked to Vault Viper, making it possible for the researchers to trace and map websites and infrastructure linked to the group.

Tens of thousands of web domains, plus various command-and-control infrastructure and registered companies, are linked to Vault Viper activity, Infoblox researchers say in a report shared with WIRED. They also say they examined hundreds of pages of corporate documents, legal records, and court filings with links to BBIN or other subsidiaries. Time and time again, they came across the Universe Browser online.

“We haven’t seen the Universe Browser advertised outside of the domains Vault Viper controls,” says Maël Le Touz, a threat researcher at Infoblox. The Infoblox report says the browser was “specifically” designed to help people in Asia—where online gambling is largely illegal—bypass restrictions. “Each of the casino websites they operate seem to contain a link and advertisement to it,” Le Touz says.

The Universe Browser itself is mostly offered for direct download from these casino websites—often being linked at the bottom of the websites, next to the logo of BBIN. There are desktop versions available for Windows, as well as an app version in Apple’s App Store. And while it is not in Google’s Play Store, there are Android APK files that allow the app to be directly installed on Android phones. The researchers say multiple parts of the Universe Browser and the code for its apps reference BBIN, and other technical details also reference the company.

The researchers reverse-engineered the Windows version of the browser. They say that while they have been unable to “verify malicious intent,” elements of the browser that they uncovered include many features that are similar to those found malware and tries to evade detection by antivirus tools. When the browser is launched, it “immediately” checks for the user's location, language, and whether it is running in a virtual machine. The app also installs two browser extensions: one of which can allow screenshots to be uploaded to domains linked to the browser.

While online gambling in China is largely illegal, the country also runs some of the world’s strictest online censorship operations and has taken action against illegal gambling rings. While the browser may most often be being used by those trying to take part in illegal gambling, it also puts their data at risk, the researchers say. “In the hands of a malicious actor—a Triad for example—this browser would serve as the perfect tool to identify wealthy players and obtain access to their machine,” the Infoblox report says.

Beyond connecting to China, running key logging, and other programs that run in the background, Infoblox’s report also says multiple functions have been disabled. “The right click, settings access and developer tools, for instance, have all been removed, while the browser itself is run with several flags disabling major security features including sandboxing, and the removal of legacy SSL protocols, greatly increasing risk when compared with typical mainstream browsers,” the company’s report says. (SSL, also known as Secure Sockets Layer, is a historic type of web encryption that protected some data transfers.)

It is unclear whether these same suspicious behaviors are present in the iOS and Android versions of the app. A Google spokesperson says the company is looking into the app and confirmed it was not available through its Google Play store. Apple did not respond to requests for comment about the app.

**Connect the Dots**

The web infrastructure around the Universe Browser led the researchers back to BBIN, a company that has existed since 1999. While it was originally founded in Taiwan, the company now has a large base in the Philippines.

BBIN, which also goes by the name Baoying Group and has multiple subsidies, describes itself as a “leading” supplier of iGaming software in Asia. A UNODC report from April, which links BBIN to the Universe Browser but does not formally name the company as Vault Viper, says the firm runs several hotels and casinos in Southeast Asia as well as providing “one of the largest and most successful” iGaming platforms in the region. Over the last decade, BBIN has sponsored or partnered with multiple major European soccer teams, such as Spain’s Atlético de Madrid, Germany’s Borussia Dortmund, and Dutch team AFC Ajax.

In recent years, multiple football clubs in England’s Premier League have faced scrutiny over sponsorship by Asian gambling companies—including by TGP Europe which was owned by Alvin Chau, the chairman and founder of SunCity Group who was sentenced in January 2023 to 18 years in prison after being found guilty of running illegal gambling operations. TGP Europe left the UK earlier this year after being fined by the country’s gambling regulator. Atlético Madrid, Borussia Dortmund, and AFC Ajax did not respond to WIRED requests for comment.

The iGaming industry develops online gambling software, such as virtual poker or other online casino games, that can easily be played on the web or on phones. “BBIN Baoying is officially an online casino game developer or ‘white label’ online casino platform, meaning it outsources its online gambling technology to other sites,” says Lindsey Kennedy, research director at The EyeWitness Project, which investigates corruption and organized crime. “The only languages it offers are Korean, Japanese and Chinese, which isn’t a great sign as online gambling is either banned or heavily restricted in all three countries.”

“Baoying and BBIN are what I would call a multi-billion dollar gray-area international conglomerate with deep criminal connections, backstopping and providing services to online gambling businesses, scams and cybercrime actors,” alleges Jeremy Douglas, chief of staff at the UNODC and its former regional representative for Southeast Asia. “Aside from what has been estimated at a two-thirds ownership by Alvin Chau of SunCity—arguably the biggest money launderer in the history of Asia—law enforcement partners have documented direct connections with Triad groups including the Bamboo Union, Four Seas, Tian Dao,” Douglas says of BBIN. (When Chau was sentenced in January 2023, court documents pointed to him allegedly owning a 66.67 percent share of Baoying).

BBIN did not respond to multiple requests for comment from WIRED. The firm’s primary contact email address it lists on its website bounced back, while questions sent to another email address and online contact forms, plus attempts to contact two alleged staff members on LinkedIn were not answered by the time of publication. A company Telegram account pointed WIRED to one of the contact forms that did not provide any answers.

The Presidential Anti-Organized Crime Commission (PAOCC) in the Philippines, which tackles organized and international crimes, did not respond to a request for comment from WIRED about BBIN.

Over the last decade, online crime in Southeast Asia has massively surged, driven partially by illegal online gambling and also a series of scam compounds that have been set up across Myanmar, Laos, and Cambodia. Hundreds of thousands of people from more than 60 countries have been tricked into working in these compounds, where they operate scams day and night, stealing billions of dollars from people around the world.

“Scam parks and compounds across the region generally host both online gambling and online scam operations, and the methodology used to lure individuals into opening online gambling accounts parallels that associated with pig-butchering scams,” says Jason Tower, a senior expert at the Global Initiative Against Transnational Organized Crime.

Last week, US law enforcement seized $15 billion in Bitcoin from one giant Cambodian organization, which publicly dealt in real estate but allegedly ran scam facilities in “secret.” One of the sanctioned entities, the Jin Bei Group in Cambodia, which US authorities accused of operating a series of scam compounds, also shows links to BBIN’s technology, Tower says. “There are multiple Telegram groups and casino websites indicating that BBIN partners with multiple entities inside the Jinbei casino,” Tower says, adding that one group on Telegram “posts daily advertisements indicating an official partnership between Jinbei and BBIN.”

Over recent years, multiple government press releases and news reports from countries including China and Taiwan, have alleged how BBIN’s technology has been used within illegal gambling operations and linked to cybercrime. “There are hundreds of Telegram posts aggressively advertising various illegal Chinese facing gambling sites that say they either are, or are built on, BBIN/Baoying technology, many of them by individuals claiming to operate out of scam and illegal gambling compounds, or as part of the highly illegal, trafficking-driven industry in Cambodia and Northern Myanmar,” says Kennedy from The EyeWitness Project.

While the Universe Browser has most likely been downloaded by those accessing Chinese-language gambling websites, researchers say that its development indicates how pivotal and lucrative illegal online gambling operations are and exposing their links to scamming efforts that operate across the world. “As these operations continue to scale and diversify, they are marked by growing technical expertise, professionalization, operational resilience, and the ability to function under the radar with very limited scrutiny and oversight,” Infoblox’s report concludes.

This ‘Privacy Browser’ Has Dangerous Hidden Features

Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed PhantomCaptcha targeting organizations associated with Ukraine's war relief efforts to deliver a remote access trojan that uses a WebSocket for command-and-control (C2).
The activity, which took place on October 8, 2025, targeted individual members of the International Red Cross, Norwegian Refugee

Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed **PhantomCaptcha** targeting organizations associated with Ukraine's war relief efforts to deliver a remote access trojan that uses a WebSocket for command-and-control (C2).

The activity, which took place on October 8, 2025, targeted individual members of the International Red Cross, Norwegian Refugee Council, United Nations Children's Fund (UNICEF) Ukraine office, Norwegian Refugee Council, Council of Europe's Register of Damage for Ukraine, and Ukrainian regional government administrations in the Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk regions, SentinelOne said in a new report published today.

The phishing emails have been found to impersonate the Ukrainian President's Office, carrying a booby-trapped PDF document that contains an embedded link, which, when clicked, redirects victims to a fake Zoom site ("zoomconference\[.\]app") and tricks them into running a malicious PowerShell command via a ClickFix\-style fake Cloudflare CAPTCHA page under the guise of a browser check.

The bogus Cloudflare page acts as an intermediary by setting up a WebSocket connection with an attacker-controlled server, and transmits a JavaScript-generated clientId, with the browser taking the victim to a legitimate, password-protected Zoom meeting if the WebSocket server responds with a matching identifier.

It's suspected that this infection path is likely reserved for live social engineering calls with victims, although SentinelOne said it did not observe the threat actors activating this line of attack during its investigation.

The PowerShell command executed after it's pasted to the Windows Run dialog leads to an obfuscated downloader that's primarily responsible for retrieving and executing a second-stage payload from a remote server. This second-stage malware performs reconnaissance of the compromised host and sends it to the same server, which then responds with the PowerShell remote access trojan.

"The final payload is a WebSocket RAT hosted on Russian-owned infrastructure that enables arbitrary remote command execution, data exfiltration, and potential deployment of additional malware," security researcher Tom Hegel said. "The WebSocket-based RAT is a remote command execution backdoor, effectively a remote shell that gives an operator arbitrary access to the host."

The malware connects to a remote WebSocket server at "wss://bsnowcommunications\[.\]com:80" and is configured to receive Base64-encoded JSON messages that include a command to be executed with Invoke-Expression or run a PowerShell payload. The results of the execution are subsequently packaged into a JSON string and sent to the server over the WebSocket.

Further analysis of VirusTotal submissions has determined that the 8-page weaponized PDF has been uploaded from multiple locations, including Ukraine, India, Italy, and Slovakia, likely indicating broad targeting.

SentinelOne noted that preparations for the campaign began on March 27, 2025, when the attackers registered the domain "goodhillsenterprise\[.\]com," which has been used to serve the obfuscated PowerShell malware scripts. Interestingly, the infrastructure associated with "zoomconference\[.\]app" is said to have been active only for a single day on October 8.

This suggests "sophisticated planning and strong commitment to operational security," the company pointed out, adding it also uncovered fake applications hosted on the domain "princess-mens\[.\]click" that are aimed at collecting geolocation, contacts, call logs, media files, device information, installed apps list, and other data from compromised Android devices.

The campaign has not been attributed to any known threat actor or group, although the use of ClickFix overlaps with that of recently disclosed attacks mounted by the Russia-linked COLDRIVER hacking group.

"The PhantomCaptcha campaign reflects a highly capable adversary, demonstrating extensive operational planning, compartmentalized infrastructure, and deliberate exposure control," SentinelOne said.

"The six-month period between initial infrastructure registration and attack execution, followed by the swift takedown of user-facing domains while maintaining backend command-and-control, underscores an operator well-versed in both offensive tradecraft and defensive detection evasion."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files

The bug, tracked as CVE-2025-54957, could let attackers run code via audio files.

Researchers from Google’s Project Zero discovered a medium-severity remote code execution (RCE) vulnerability that affects multiple platforms, including Android (Samsung and Pixel devices) and Windows. Remote code execution means an attacker could run programs on your device without your permission. The flaw, found in Dolby’s Unified Decoder Component (UDC) that handles audio playback, can be triggered automatically when a device receives an audio message—no tap or user action required.

The flaw affects Android devices that use Dolby audio processing (for example, Google Pixel and Samsung smartphones) and Windows systems running Dolby UDC versions 4.5–4.13. Other vendors that integrate Dolby’s decoding capabilities may also be indirectly impacted, depending on their library updates.

Tracked as CVE-2025-54957, the problem arises from the way the Dolby UDC handles “evolution data.” In the context of Dolby Digital Plus (DD+) audio streams, evolution data refers to a specialized extension block introduced in later versions of Dolby’s codecs to support additional functionality, such as higher channel counts, advanced loudness metadata, and dynamic range adjustments.

The buffer overflow occurs when the decoder parses the evolution data and miscalculates the size of incoming packets. Because this data block can vary in length, depending on the metadata or the embedded audio mode, the faulty length calculation can lead to insufficient buffer allocation. Malformed data can then overwrite adjacent memory and potentially allow remote code execution.

Buffers are areas of memory set aside to hold data. When a buffer overflow happens, it can overwrite neighboring memory areas, which may contain other data or executable code. This overwriting is not a deliberate action by the transaction or program, but an unintended consequence of the vulnerability, which could have been prevented by bounds checking.

While not every overflow carries malicious intent, the behavior of buffer overflows can be exploited. Attackers can use them to disrupt the operation of other programs, causing them to malfunction, expose secrets, or even run malicious code. In fact, buffer overflow vulnerabilities are the most common security vulnerabilities today.

The vulnerability is exploitable by sending a target a specially crafted audio file. An attacker could make a phone or PC run malicious code inside the audio-decoding process, leading to crashes or unauthorized control. It’s similar to getting a song stuck in your head so badly that you can’t think of anything else and end up dancing off a cliff.

The abuse of CVE-2025-54957 is not a purely hypothetical case. In its official October 14 security advisory, Dolby mentions that it is:

> “aware of a report found with Google Pixel devices indicating that there is a possible increased risk of vulnerability if this bug is used alongside other known Pixel vulnerabilities. Other Android mobile devices could be at risk of similar vulnerabilities.”

Dolby did not reveal any details, but just looking at the September 2025 Android security updates, there are several patches that could plausibly be chained with this bug to allow a local attacker to gain an elevation of privilege (EoP).

**How to stay safe**

To prevent falling victim to an attack using this vulnerability, there are a few things you can do.

*   Don’t open unsolicited attachments, including sound files.
*   Install updates promptly. Dolby has released fixes that device makers must roll into firmware and OS updates—enable automatic updates where possible.
*   Use an up-to-date real-time anti-malware solution, preferably with a web component.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Zero-click Dolby audio bug lets attackers run code on Android and Windows devices 

This week on the Lock and Code podcast… Google is everywhere in our lives. It’s reach into our data extends just...

_This week on the Lock and Code podcast…_

Google is everywhere in our lives. It’s reach into our data extends just as far.

After investigating how much data Facebook had collected about him in his nearly 20 years with the platform, Lock and Code host David Ruiz had similar questions about the other Big Tech platforms in his life, and this time, he turned his attention to Google.

Google dominates much of the modern web. It has a search engine that handles billions of requests a day. Its tracking and metrics service, Google Analytics, is embedded into reportedly 10s of millions of websites. Its Maps feature not only serves up directions around the world, it also tracks traffic patterns across countless streets, highways, and more. Its online services for email (Gmail), cloud storage (Google Drive), and office software (Google Docs, Sheets, and Slides) are household names. And it also runs the most popular web browser in the world, Google Chrome, and the most popular operating system in the world, Android.

Today, on the Lock and Code podcast, Ruiz explains how he requested his data from Google and what he learned not only about the company, but about himself, in the process. That includes the 142,729 items in his Gmail inbox right now, along with the 8,079 searches he made, 3,050 related websites he visited, and 4,610 YouTube videos he watched in just the past 18 months. It also includes his late-night searches for worrying medical symptoms, his movements across the US as his IP address was recorded when logging into Google Maps, his emails, his photos, his notes, his old freelance work as a journalist, his outdated cover letters when he was unemployed, his teenage-year Google Chrome bookmarks, his flight and hotel searches, and even the searches he made _within_ his own Gmail inbox and his Google Drive.

After digging into the data for long enough, Ruiz came to a frightening conclusion: Google knows whatever the hell it wants about him, it just has to look.

But Ruiz wasn’t happy to let the company’s access continue. So he has a plan.

>  ”I am taking steps to change that \[access\] so that the next time I ask, “What does Google know about me?” I can hopefully answer: A little bit less.”

Tune in today to listen to the full episode.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

 What does Google know about me? (Lock and Code S06E21) 

Chinese gangs are using US SIM farms and money mules to run industrial-scale text scams that steal and launder Americans’ card data.

We regularly warn our readers about new scams and phishing texts. Almost everyone gets pestered with these messages. But where are all these scam texts coming from?

According to an article in The Wall Street Journal:

> “It has become a billion-dollar, highly sophisticated business benefiting criminals in China.”

In particular, the number of toll payment scam messages has exploded, rising by 350% since January 2024—allegedly, a record 330,000 such messages were reported in a single day. But we’ve also highlighted recent SMS-based scams around New York’s inflation refund program and texts from a fake Bureau of Motor Vehicles trying to steal your banking details.

Toll, postage, and refund scams might look different on the surface, but they all feed the same machine, each one crafted to look like an urgent government or service message demanding a small fee. Together, they make up an industrialized text scam ecosystem that’s earned Chinese crime groups more than $1 billion in just three years.

In a bid to tackle the problem, Project Red Hook combines the power of the US Homeland Security Investigations (HSI) with law enforcement partners and businesses to raise awareness of how Chinese organized crime groups are exploiting gift cards to launder money.

The texts are sent out in bulk from so-called SIM farms, a setup where many mobile SIM cards are placed into a rack or special device, instead of inside phones. This device connects to a computer and lets someone send thousands of text messages (or make calls) automatically and all at once. It’s reported that the SIM farms are mostly located in the US, and set up by workers who have no idea they are assisting a fraud ring.

The main goal of these scams is to steal credit card information, which is then used at the victim’s expense in a vast criminal network.

Criminals bypass multi-factor authentication (MFA, or 2FA) by adding stolen cards to mobile wallets, knowing that banks often trust the device after its first use and don’t ask for further checks. They install stolen card numbers onto Google Pay and Apple Wallets in Asia and share access to those cards with people in the US. Gig workers and money mules then use the stolen card details to buy high-value goods such as iPhones, clothes, and especially gift cards. They ship these goods to China, where criminal rings sell them and funnel the profits back into their operations.

The criminals find the people willing to make purchases through Telegram channels. On any given day, scammers employ 400 to 500 of these mules. They are paid around 12 cents for every $100 gift card they buy, according to an assistant special agent in charge at HSI.

So, with the aid of SIM farms and money mules in the US, Chinese gangs have turned text message scams into an industrial-scale operation targeting Americans. They use tech tricks and international collaboration to make over a billion dollars—much of it via toll and shipping payment scams—and launder the proceeds through digital wallets and gift cards.

**Security tips**

The best way to stay safe is to make sure you’re aware of the latest scam tactics. Since you’re reading our blog, you’re off to a good start.

*   **Never reply to or follow links** in unsolicited tax refund texts, calls, or emails, even if they look urgent.
*   **Never share** your Social Security number or banking details with anyone claiming to process your tax refund.
*   **Go direct.** If in doubt, contact the company through official channels.
*   **Use an up-to-date real-time anti-malware solution**, preferably with a web protection component.

**Pro tip:** Did you know that you can submit suspicious messages like these to Malwarebytes Scam Guard, which instantly flags known scams?

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 Chinese gangs made over $1 billion targeting Americans with scam texts 

It’s easy to think your defenses are solid — until you realize attackers have been inside them the whole time. The latest incidents show that long-term, silent breaches are becoming the norm. The best defense now isn’t just patching fast, but watching smarter and staying alert for what you don’t expect.
Here’s a quick look at this week’s top threats, new tactics, and security stories shaping

⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More

Plus: A secret FBI anti-ransomware task force gets exposed, the mystery of the CIA’s Kryptos sculpture is finally solved, North Koreans busted hiding malware in the Ethereum blockchain, and more.

In a stunning new study, researchers at UC San Diego and the University of Maryland revealed this week that satellites are leaking a wealth of sensitive data completely unencrypted, from calls and text messages on T-Mobile to in-flight Wi-Fi browsing sessions, to military and police communications. And they did this with just $800 in off-the-shelf equipment.

Face recognition systems are seemingly everywhere. But what happens when this surveillance and identification technology doesn’t recognize your face as a face? WIRED spoke with six people with facial differences who say flaws in these systems are preventing them from accessing essential services.

Authorities in the United States and United Kingdom announced this week the seizure of nearly 130,000 bitcoins from an alleged Cambodian scam empire. At the time of the seizure, the cryptocurrency fortune was worth $15 billion—the most money of any type ever confiscated in the US.

Control over a significant portion of US election infrastructure is now in the hands of a single former Republican operative, Scott Leiendecker, who just purchased voting machine company Dominion Voting Systems and owns Knowink, an electronic poll book firm. Election security experts are currently more baffled about the implications than worried about any possibility of foul play.

While a new type of attack could let hackers steal two-factor authentication codes from Android phones, the biggest cybersecurity development of the week was the breach of security firm F5. The attack, which was carried out by a “sophisticated” threat actor reportedly linked to China, poses an “imminent threat” of breaches against government agencies and Fortune 500 companies. Finally, we sifted through the mess that is VPNs for iPhones and found the only three worth using.

But that’s not all! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**“The Com” Hackers Leak Personal Info of Hundreds of DHS, ICE, DOJ, and FBI Officials**

In recent years, perhaps no single group of hackers has caused more mayhem than “the Com,” a loose collective of mostly cybercriminal gangs whose subgroups like Lapus$ and Scattered Spider have carried out cyberattacks and ransomware extortion operations targeting victims from MGM Casinos to Marks & Spencer grocery stores. Now they’ve turned their sites to US federal law enforcement.

On Thursday, one member of the Com’s loose collective began posting to Telegram an array of federal officials’ identifying documents. One spreadsheet, according to 404 Media, contained what appeared to be personal information of 680 Department of Homeland Security officials, while another included personal info on 170 FBI officials, and yet another doxed 190 Department of Justice officials. The data in some cases included names, email addresses and phone numbers, and addresses—in some cases of officials’ homes rather than the location of their work. The user who released the data noted in their messages a statement from the DHS that Mexican cartels have offered thousands of dollars for identifying information on agents, apparently mocking this unverified claim.

“Mexican Cartels hmu we dropping all the doxes wheres my 1m,” the user who released the files wrote, using the abbreviation for “hit me up” and seemingly demanding a million dollars. “I want my MONEY MEXICO.”

**Secret FBI Task Force Planned to Disrupt Ransomware Group Inside Russia, Reports Claim**

Over the last year—at least—the FBI has operated a “secret” task force that may have worked to disrupt Russian ransomware gangs, according to reports published this week in France’s Le Monde and Germany’s Die Zeit. The publications allege that at the end of last year, the mysterious Group 78 presented its strategy to two different meetings of European officials, including law enforcement officials and those working in judicial services. Little is known about the group; however, its potentially controversial tactics appeared to spur typically tight-lipped European officials to speak out about Group 78’s existence and tactics.

At the end of last year, according to the reports, Group 78 was focusing on the Russian-speaking Black Basta ransomware gang and outlined two approaches: running operations inside Russia to disrupt the gang’s members and try to get them to leave the country; and also to “manipulate” Russian authorities into prosecuting Black Basta members. Over the last few years, Western law enforcement officials have taken increasingly disruptive measures against Russian ransomware gangs—including infiltrating their technical infrastructure, trying to ruin their reputations, and issuing a wave of sanctions and arrest warrants—but taking covert action inside Russia against ransomware gangs would be unprecedented (at least in public knowledge). The Black Basta group has in recent months gone dormant after 200,000 of its internal messages were leaked and its alleged leader identified.

**ICE Division and Secret Service Had Access to AI License Plate Cameras**

Over the last few years, AI-powered license plate recognition cameras—which are placed at the side of the road or in cop cars—have gathered billions of images of people’s vehicles and their specific locations. The technology is a powerful surveillance tool that, unsurprisingly, has been adopted by law enforcement officials across the United States—raising questions about how access to the cameras and data can be abused by officials.

This week, a letter by Senator Ron Wyden revealed that one division of ICE, the Secret Service, and criminal investigators at the Navy all had access to data from the cameras of Flock Safety. “I now believe that abuses of your product are not only likely but inevitable, and that Flock is unable and uninterested in preventing them,” Wyden’s letter addressed to Flock says. Wyden’s letter follows increasing reports that government agencies, including the CBP, had access to Flock’s 80,000 cameras. “In my view,” Wyden wrote, “local elected officials can best protect their constituents from the inevitable abuses of Flock cameras by removing Flock from their communities.”

Elsewhere this week, Flock announced it was partnering with Amazon’s Ring, which makes video doorbells, to allow agencies that use Flock to request Ring customers share footage with them.

**Mystery of the CIA’s Kryptos Sculpture Finally Solved—Thanks to the Smithsonian’s Archive**

For 35 years, the Kryptos sculpture that sits in a courtyard of the CIA’s headquarters has beguiled cryptographers with a message enciphered in its rows of lettering that no one has been able to fully solve for decades—until now. Two men, Jarett Kobek and Richard Byrne, finally cracked the puzzle with the help of documents they found in the Smithsonian Archive that revealed the solution, The New York Times reports. Now they’re in a strange dispute with the sculpture’s owner, Jim Sanborn, who confirmed their answer but also asked them not to reveal it ahead of an upcoming auction that will sell the solution to the highest bidder in an effort to raise money for charity and his own potential medical expenses. The two solvers assured Sanborn they wouldn’t publicly reveal the solution, but Sanborn nonetheless asked them to sign a nondisclosure agreement, and the auction house holding the auction sent them an email threatening legal action if they disclose the answer. Both men say they’ve had to lawyer up in response. We at WIRED offer a humble solution: Kobek and Byrne post a cryptographic hash of the answer online—an irreversible but replicable mathematical conversion of the text that they can later use to prove they knew the answer without revealing it to anyone now—then sign the NDA, and everyone goes home happy.

**North Korean Hackers Are Hiding Malware in Ethereum’s Blockchain**

For years, North Korean state-sponsored hackers have targeted cryptocurrency users and companies, stealing billions that have been funneled into the Kim regime. Now they’re using one of crypto’s own blockchains as part of their hacking toolkit. Security researchers at Google this week revealed that North Korean hackers have been using a technique known as “EtherHiding” to host their malware, storing their malicious code in a smart contract on Ethereum’s blockchain—which, unlike Bitcoin’s, can host and run code in the blockchain’s distributed network of computers. When a victim is tricked into opening a file sent by the hackers, the file pulls down crypto-stealing malware hosted on Ethereum’s blockchain, where it’s harder to remove or defend against than on a traditional server. Google says it’s the first time the company has seen the technique used by state-sponsored cybercriminals.

Tag

#android