Google Play Store hit by 300+ fake Android apps, downloaded more than 60 million times pushing ad fraud and data theft. Learn how to spot and remove these threats.

Cybersecurity researchers at Bitdefender have discovered a malicious ad fraud campaign that has successfully deployed over 300 applications within the Google Play Store. These malicious apps have collectively been downloaded over 60 million times, exposing users to invasive ads and phishing attempts.

****Malicious Apps on the Google Play Store****

The Google Play Store, a popular platform for Android applications, has become a target for cybercriminals. Despite Google’s efforts to maintain a safe environment by removing malicious apps, attackers continuously adapt new methods to slip them one way or another.

According to Bitdefender’s report shared with Hackread.com ahead of publishing on Tuesday,  its researchers along with IAS Threat Lab traced this campaign back to at least 331 malicious apps, 15 of which were still available on Google Play at the time of their investigation. These apps pose as harmless utilities, such as QR scanners, expense trackers, health apps, and wallpaper apps.

2 malicious apps out of 300+ both with more than 1 million download each (Screenshot: Bitdefender)

Many of these apps initially appeared harmless but were later updated to include malicious codes. The fraud campaign, active since Q3 2024, shows no signs of slowing down, with new malicious apps still appearing on the store as recently as March 2025. The top 5 counties impacted by this campaign include:

1.  Brazil
2.  United States
3.  Mexico
4.  Turkiye
5.  South Africa

****Hidden Icons**, **Pushing Ads and Phishing:****

One of the techniques involve hiding the app icon from the user’s launcher. This method, restricted in newer Android versions, suggests that attackers have either found a flaw or are exploiting an API vulnerability. Some apps even change their names to mimic legitimate services like Google Voice, further complicating their removal.

These apps are designed to display full-screen ads without user consent, even when another app is in use. Worse, they can initiate phishing attacks, tricking users into exposing sensitive information such as login credentials and credit card details.

Researchers have also revealed technical strategies used by these malicious apps to evade detection on infected devices. One such technique is Content Provider Abuse, where apps declare a contact content provider that is automatically queried by the system after installation, enabling execution without user interaction.

Another tactic involves activity launching through methods like DisplayManager.createVirtualDisplay and other API calls, allowing the apps to start activities without requiring user permission. This technique is often used to display intrusive ads or launch phishing attempts.

To maintain persistence, these apps rely on services and dummy receivers, ensuring they remain active even on newer Android versions that block certain background activities.

****Protect Your Devices****

Usually, it’s best to download apps only from official stores like Google Play and Apple’s App Store. However, in this case, it’s advised to avoid downloading unnecessary apps from both official and third-party stores.

Make sure to keep your device updated so security patches are installed automatically. Run regular malware scans and watch for suspicious activity, such as an app’s icon suddenly disappearing, its name changing, your device slowing down, or excessive battery drain. If you notice anything unusual, delete the app immediately.

Scammers Sneak 300+ Ad Fraud Apps onto Google Play with 60M Downloads

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

With Android devices deeply embedded in business operations, it’s no surprise that cybercriminals are increasingly targeting them.

Businesses are now prime targets, facing threats like banking trojans, spyware, ransomware, and ad fraud, all designed to steal sensitive company data, compromise financial systems, and disrupt operations.

The problem is, that many security tools aren’t built to catch these threats fast enough, leaving people and businesses vulnerable.

To help with this, ANY.RUN has added Android OS support to its interactive sandbox. Cybersecurity professionals can now run and analyze APK files in real-time, spot threats more quickly, and get a much clearer picture of what a malicious app is doing.

**Key Benefits for Cybersecurity Professionals**

Android OS support enhances security teams’ efficiency in several ways:

*   **Simplifies malware analysis:** Users can analyze Android threats, with detailed insights into network traffic, behavioural indicators, and file execution logs. 

*   **Accelerates incident response:** The interactive sandbox allows for real-time detection and mitigation of Android malware, reducing the time needed for investigations.

*   **Reduces costs and complexity:** Security teams don’t need to juggle multiple tools. Sandboxes like ANY.RUN consolidate everything into one platform, improving efficiency and lowering operational costs.

*   **Enhances SOC workflows:** Tier 1 analysts can quickly escalate cases to Tier 2 with comprehensive forensic data on Android malware, streamlining threat intelligence and response processes.

****How Android OS Inside Virtual Machine Makes Malware Analysis Easier****

Analyzing Android malware inside ANY.RUN’s sandbox is as easy as investigating threats on Windows or Linux. With the latest update, security professionals can interact with and examine Android malware in real time, making the process faster and more intuitive.

Before launching an analysis, users can select Android OS from the standard operating system menu. Once selected, they upload the APK file and begin the investigation. 

_Android OS option inside ANY.RUN sandbox_

Since ANY.RUN’s sandbox is fully interactive, analysts can engage with the malicious file as if they were running it on a real Android device.

In a real analysis session, you can see firsthand how easy it is to interact with a suspicious APK file inside ANY.RUN’s interactive sandbox. 

Let’s take Coper, for example – a well-known Android banking trojan designed to steal financial data, intercept SMS messages, and execute commands remotely. This malware often disguises itself as legitimate banking or financial apps, tricking users into granting permissions that allow full control over the device.

View analysis session with Coper

The fastest way to determine if a file is malicious is by checking the top right corner of the screen, where ANY.RUN automatically highlights suspicious activity. 

In our case, it’s marked in red, immediately alerting us that the sample is dangerous. The sandbox identifies that we are dealing with Coper, confirming that this APK is actively performing harmful actions.

_Malicious activity detected by ANY.RUN sandbox_

To dive deeper, analysts can inspect all processes in the Process Tree section. This view provides a structured breakdown of how the malware operates, making it easier to understand what actions it takes after execution. 

This allows SOC teams, malware analysts, and threat hunters to quickly assess the impact of a threat without wasting time on manual investigation.

Tree of processes inside ANY.RUN sandbox

Another crucial feature is the ATT&CK Matrix section, where you can see exactly what techniques and tactics the malware is using. This makes it much easier to map threats to real-world attack patterns. 

If more details are needed, users can simply click on any specific tactic or technique to get a detailed explanation of how it works and what risks it poses.

_Mitre ATT&CK Matrix techniques and tactics_

Finally, for a more structured breakdown, ANY.RUN provides a text report that compiles all findings into a well-organized format. 

This is especially useful for sharing insights with the team, documenting the investigation, or conducting a deeper analysis later on. 

Instead of manually piecing together information from different sources, security teams get a clear, detailed report that speeds up decision-making and incident response.

_Detailed report of analysis generated by ANY.RUN sandbox_

****Analyze Android Threats Faster in a Secure Environment****

With ANY.RUN’s new Android OS sandbox, cybersecurity professionals can now analyze APK files faster and more efficiently in a secure, interactive environment. 

Whether you’re investigating malware for incident response, threat hunting, or research, this update makes the process quicker, more intuitive, and highly effective.

*   **Faster detection:** Get real-time alerts on suspicious activity without delays.

*   **Easier analysis:** Interact with malware just like you would on a real device and inspect its behaviour effortlessly.

*   **Better collaboration:** Share structured reports with your team, helping everyone stay informed and respond quickly to threats.

Analyze Mobile Threats Faster: ANY.RUN Introduces Android OS to Its Interactive Sandbox

Cybercriminals exploit AI hype with SEO poisoning, tricking users into downloading malware disguised as DeepSeek software, warns McAfee Labs in a new report.

The rise of Artificial Intelligence (AI) has undeniably transformed various sectors, with tools like ChatGPT, DeepSeek and Gemini becoming household names. However, this advancement has also created an environment where scammers can thrive.

McAfee Labs has uncovered a concerning trend where malicious actors are exploiting the popularity of AI tools, to distribute malware. This tactic, often referred to as SEO poisoning, exploits trending search terms to lure unsuspecting users to malicious websites.

The recent surge in interest surrounding DeepSeek-R1, a cost-effective AI model released under an open-source license an AI model and its subsequent chatbot launch, provided a solid platform for such exploitation.

This increasing interest, coupled with occasional website unavailability due to high traffic, created an ideal scenario for scammers. They take advantage of the “excitement, anxiety, and impatience” of users by distributing malware disguised as DeepSeek installers, McAfee researchers noted in the blog post shared with Hackread.com.

The attack starts with a user’s search, after which they are directed to websites offering DeepSeek applications for Windows, Mac, and Android. These websites, however, are malicious, leading to the download of malware, fake installers that bundle unwanted third-party software, and fraudulent captcha pages.

Attack Vector (Source: McAfee)

****Fake DeekSeek Installers, Websites and Apps****

McAfee Labs identified several malware campaigns associated with DeepSeek, including fake installers, impersonator websites, and fake mobile apps. These campaigns distributed various types of malware, such as keyloggers, crypto miners, and password stealers. One notable example involved fake installers that bundled legitimate software with unwanted third-party applications, generating revenue through pay-per-install programs.

Another tactic observed was the use of fake captcha pages, designed to trick users into downloading and executing malicious software. These pages employed “brand impersonation,” mimicking DeepSeek’s branding to appear legitimate. Upon registering for a fake partnership program, users were redirected to these captcha pages, which then prompted them to execute commands that installed malware capable of stealing sensitive information.

One of the fake DeepSeek AI websites, malicious winManager (left) and Audacity software (right) and Android app involved in the malware scam (Screenshot credit: McAfee)

****Monero Miner Behind Fake DeepSeek Installer****

A technical analysis of a crypto miner disguised as DeepSeek software revealed that after installation the malware communicated with a command-and-control server to download and execute a PowerShell script. This script employed process injection techniques to evade detection and establish persistence in the victim’s system. The payload, identified as XMRig mining software, then initiated a Monero mining operation, utilizing a portion of the system’s CPU resources.

Scammers chose Monero probably due to its emphasis on anonymity, making it difficult to trace the flow of funds. This highlights the attackers’ focus on covert operations and maximizing their gains while minimizing the risk of detection.

McAfee Labs emphasizes the importance of staying alert and informed, especially during hype cycles surrounding emerging technologies. Another step toward safety is scanning suspicious links and files on VirusTotal before opening or executing them.

Fake DeepSeek AI Installers, Websites, and Apps Spreading Malware

At least four different threat actors have been identified as involved in an updated version of a massive ad fraud and residential proxy scheme called BADBOX, painting a picture of an interconnected cybercrime ecosystem.
This includes SalesTracker Group, MoYu Group, Lemon Group, and LongTV, according to new findings from the HUMAN Satori Threat Intelligence and Research team, published in

BADBOX 2.0 Botnet Infects 1 Million Android Devices for Ad Fraud and Proxy Abuse

Spring Break vacationers could open themselves up to online scams and cyberthreats this year, according to new research from Malwarebytes.

This year, Spring Break vacationers are packing more than their flip-flops, bucket hats, and sunglasses—they’re also packing a few cybersecurity anxieties for the trip.

According to new research from Malwarebytes, 52% of people said they “worry about being scammed while traveling,” while another 40% admitted that they “worry about my kids or family sharing trip details online.” While most people said they will act on these concerns—63% will make sure their security software is up to date, 53% will back up their data—roughly 10% of people said they will take no precautions whatsoever into protecting their security or privacy while on vacation.

The findings reveal that the public approaches cybersecurity as a patchwork quilt, implementing some best practices while forgoing others, and engaging in a few behaviors that carry significant risk online.

For this research, Malwarebytes conducted a pulse survey of its customers in March via the Alchemer Survey Platform.

Broadly, Malwarebytes found that:

*   52% of people “agreed” or “strongly agreed” that they “worry about being scammed while traveling.”
*   20% of people “agreed” or “strongly agreed” that they “don’t really think about protecting my data while traveling.”
*   38% of people said they will book their next travel opportunity through a “general search,” which could leave them vulnerable to malvertising.
*   Apps are a way of life, as 66% of people said they use between one and six apps specifically for travel (such as hotel apps, airline apps, and translation apps). A particularly plugged-in 8% of people said they manage more than seven apps for the same purposes.
*   To stay cybersecure and private on vacation, the majority of people will backup their data (53%), ensure their security software is up to date (63%), and set up credit card transaction alerts (56%), but 10% will take none of these—or other—steps.
*   53% of people refuse to take a single laptop with them on vacation, whereas just 1% leave even their smartphone behind—talk about a holiday.

****Risky business break****

The cybersecurity risks around personal vacations are unlike those around the holidays for major organizations and businesses, in which cybercriminals know that low staffing will leave companies more vulnerable to an attack or breach.

Instead, far-flung Spring Breakers can engage in a series of behaviors both before and during their holidays that leave them open to online scams and theft.

Take, for example, the 38% of people who told Malwarebytes that they would conduct a “general search online” in booking their next vacation. While Google searches are probably one of the most common tasks for any vacation planning, the results that people see can be manipulated through a type of cybercrime called malvertising, short for “malicious advertising.” 

In malvertising, cybercriminals will create a fake website that looks like a popular service, like Facebook, Slack, or eBay. Cybercriminals will also pay a small sum so that these fake websites show up near the top of Google’s sponsored results for relevant searches. Once users click on the websites, which appear legitimate, they’re tricked into downloading malware or handing over sensitive information to scammers.

A safer option for vacationers is to book travel directly with an airline or hotel chain. Many participants wrote this approach into the Malwarebytes survey when selecting the “Other” option (14%). Interestingly, the 29% of respondents who said they use a travel agent for booking likely also receive some extra safeguards, simply because another, experienced, person is involved in the process.

But in the same way that cybercriminals have begun abusing Google search results to send victims to dangerous websites, they’ve also done the same to trick users into downloading fake versions of popular apps.

Android “phishing” apps are a serious threat to users today—Malwarebytes detected 22,800 of them last year alone—and, as we wrote before, they represent the next step in camouflaged cyber-scamming:

> “By disguising themselves as legitimate apps—including for services like TikTok, Spotify, and WhatsApp—Android phishing apps can trick victims into typing in their real usernames and passwords on bogus login screens that are controlled entirely by cybercriminals.”

The threat here endures long after the app is installed. If enough victims unwittingly send their passwords, cyber thieves could bundle the login credentials for sale on the dark web. Once the passwords are sold, the new, malicious owners will attempt to use individual passwords for a variety of common online accounts—testing whether, say, an email account password is the same one used for a victim’s online banking system, their mortgage payment platform, or their Social Security portal.

This wouldn’t be too much a problem if modern traveling didn’t involve so many apps.

According to our survey, 44% of people manage between two to four apps specifically for travel purposes, and 9% manage between five and six apps. And while 20% of people use zero apps for travel and 14% use just one app, there are 8% of people who rely on more than seven apps strictly for travel purposes.

That could include airlines apps, hotel apps, translation apps, and more. But as more apps help with traveling needs, more opportunities arise for those apps to be falsely emulated and maliciously advertised online.

As for what people do while physically on vacation, many engaged in online behaviors that could prove risky, but they can hardly be criticized for it.

For example, 25% of people said they scan QR codes while on vacation. These codes could lead people to malicious websites, but QR codes have become normalized at restaurants that no longer have physical menus. And 33% of people “log into financial institution sites or apps to manage \[their\] budget, check purchases, etc.” This type of activity was susceptible to online eavesdropping many years ago, but everyday internet connections have become far more secure in the past decade. That said, it’s inspiring to see that 41% of people “download or install a VPN” to provide an extra level of security when browsing on public Wi-Fi.

****Safe travels****

Cybersecurity is probably the last thing people want to “pack” before going away on a break, but, thankfully, it’s something that a majority of people said they do.

For instance, 63% said they “check that \[their\] security software is up to date,” while 53% said they “backup \[their\] data.” Similarly, 56% said they “set up credit card transaction alerts.” And while it isn’t quite a majority, 47% said they turn on “Find my Device” features which can help in case of a lost or stolen device. Interestingly, people do not commit to the same precautions for their bags—just 21% of survey participants said they “put a tracker in \[their\] luggage.”

Still, there’s progress to be made.

Not only did 10% of survey participants share that they take zero cybersecurity or data privacy precautions before traveling, but 20% also agreed or strongly agreed with the statement “I don’t really think about protecting my data while traveling.”

For safety abroad, here are a few tips travelers can take before and during their next vacation:

*   **Backup your data before you head out**. Losing a device or having it stolen while on vacation won’t just ruin the trip itself—it will return the return journey, too. Backing up your data will help ensure that any lost device doesn’t lead to lost files.
*   **Turn on “Find My” features**. To respond to a lost or stolen device, turn on the “Find My” features on iPhones and Androids before your vacation so you can track a device’s location in real time.
*   **Protect your devices with antivirus and cybersecurity tools**. Modern cybersecurity tools don’t just stop viruses from landing on your devices, they also warn you about dangerous websites and links that could steal your info.
*   **Update your software**. Ensure that your devices are running on the latest versions of their operating systems. This helps prevent any known weaknesses from being exploited by cybercriminals.
*   **Use a password manager and 2FA**. Your most sensitive accounts shouldn’t just have a unique password. They should also be protected by two-factor authentication, which requires more than a password for anyone to login.
*   **Consider a VPN**. If you are doing something sensitive online, it never hurts to use a VPN. Bonus: If you’re travelling to another country where your favourite streaming shows aren’t available, a VPN can help here too.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 1 in 10 people do nothing to stay secure and private on vacation 

A list of topics we covered in the week of March 10 to March 16 of 2025

March 14, 2025 - A shocking amount of iOS apps in Apple's App Store contained hard-coded secrets. Secrets that could lead criminals to user data.

March 13, 2025 - To parents worried about their children's presence on Roblox, the CEO said don't let your kids be on Roblox.

March 12, 2025 - Apple has patched a vulnerability in iOS and iPadOS that was under active exploitation in extremely sophisticated attacks.

March 12, 2025 - Sports betting is a multi-billion-dollar industry, but behind the flashing lights and promises of easy money lies a hidden underworld of deception.

March 12, 2025 - Google spies on Android device users, starting from even before they have logged in to their Google account.

 A week in security (March 10 &#8211; March 16) 

Cybersecurity tips to protect your cryptocurrency from hackers, scams, and fraud. Learn best practices for securing digital assets…

Cybersecurity tips to protect your cryptocurrency from hackers, scams, and fraud. Learn best practices for securing digital assets and staying safe online.

The cryptocurrency market is changing and growing daily, with new coins created weekly. While the broader market is struggling with weak demand and remains at a critical juncture, Cardano’s ADA is among the top-performing altcoins.

The 8th largest cryptocurrency by market cap has made a breakout of the local support of $0.6638 and could test the $0.70 zone soon, according to U.Today. When discussing the bullish outlook for the ADA price prediction, it’s essential to understand that the Securities and Exchange Commission’s potential approval of Grayscale’s Cardano ETF filing can impact liquidity and trading volumes. 

Investors and traders aren’t the only ones interested in cryptocurrency. Hackers are thrilled with the idea of unregulated money, which opens new attack vectors and allows them to disappear, leaving no trace. ADA and other cryptocurrency transactions can’t be reversed, altered, or cancelled.

Once transactions have been written to the blockchain – in other words, confirmed – they become immutable. If threat actors get access to or transfer funds from a victim’s wallet, the money is lost forever. Neither transactions nor accounts are connected to real-world identities, so it’s easy for hackers to remain unidentified when they use cryptocurrency, 

****Cyberattacks Are An Ever-Present Threat, And The Crypto World Is No Exception** **

No threat facing the world has grown so fast, or in a way as difficult to understand, as the danger from cyberattacks. Investors and traders must understand that the inherent risk is increasing; cybercriminals are getting smarter, and their tactics are becoming more sophisticated. There are multiple types of cyberattacks where malicious actors take advantage of cryptocurrencies, such as: 

*   **_Ransomware_:** When ransomware occurs in the crypto space, malware encrypts files containing the victim’s private keys or digital wallet, making them unreadable. The attacker demands a ransom to provide the encryption key. As a rule, hackers demand payment in the form of cryptocurrency. Infection methods include phishing emails, malicious websites, and compromised accounts. 

*   **_DDoS extorsion_:** Threat actors blackmail crypto exchanges or blockchain networks by asking them to pay ADA or any other cryptocurrency to avoid their site or service being disrupted by a DDoS attack. The system may struggle to process transactions. Plus, legitimate users can’t connect to network resources.

*   **_Crypto hijacking_:** The computing power of a compromised device is used to mine cryptocurrency without the owner’s knowledge (Also called cryptomining). Smartphones, servers, and computers are vulnerable to crypto hijacking. Applications may be able to access data and information from the device or other applications. Unlike malware, control is camouflaged in the background. 

****We Suggest These Steps To Secure Your Cryptocurrency** ******Transfer Crypto From A Centralized Exchange To A Self-Custody Wallet** **

If you wish to own Cardano’s ADA, you can choose from among the many crypto exchanges that provide this service. Of course, you must give priority to the security features. Otherwise, you risk losing your hard-earned savings. Crypto exchanges are some of the most targeted in terms of cyberattacks, and while most attempts by hackers have been successfully mitigated, there have been several reports of damaging attacks. Find a reliable exchange with strong security measures and strong DDoS prevention tools. 

Better yet, withdraw your funds to a secure wallet to stay in control of your assets. Due to the difficulty of effectively implementing safety measures, crypto exchanges can’t fully guarantee protection. Whether they call it withdrawing, sending, or transferring, crypto exchanges let you move your funds to a wallet that is compatible with the asset you’re relocating.

A self-custody wallet puts you in complete control of your cryptocurrency, so you must take full responsibility for the security. Lock your account when not in use to make it harder for others to access your account. 

****Keep Safe Backups Of Everything** **

No matter what type of wallet you use, having a backup of your data ensures quick recovery and minimizes information loss. Go to your wallet’s settings and select the backup option or the export keys option; encrypt your backups to protect against unauthorized access. If you lose your wallet’s private keys, you’ve permanently lost your cryptocurrency. Keep multiple backups on different devices, such as USB drives and paper, which aren’t prone to failure. This way, you have alternate recovery paths. 

****When Dealing With Unsolicited Messages, Be Careful** **

One of the most prevalent social engineering techniques, phishing, involves sending deceptive messages that seem to be from legitimate sources. Don’t reply without investigating. Most importantly, never confront the sender of a phishing message yourself because it could result in you being targeted specifically. The sender doesn’t even know if your number is active.

Refrain from opening attachments or clicking on links from unidentified sources even if the sender seems familiar, as you can potentially infect your phone. A phishing link can direct you to a website containing malicious code. You can always use a free site like VirusTotal to scan for malicious files and links before executing/opening them.

Replying to unsolicited messages increases the chances of receiving more spam, so you should block the number. It requires a few adjustments in your settings. Android phones allow for freedom when it comes to customization, so the process will vary from device to device.

Many phones have built-in options to filter out messages from unknown senders or mark texts as spam. Be cautious when sharing your phone number online with unfamiliar organizations because it exposes you to other social engineering-based tactics, such as pretexting, quid pro quo, or vishing. 

****In Closing** **

Cyberattacks have become increasingly targeted and complex due to sophisticated pieces of malware. Individual users are more vulnerable than ever before since hackers have adapted their strategies to exploit weaknesses in smart contracts, wallets, and decentralized finance (DeFi) platforms. As such, it’s necessary to take personal responsibility and protect yourself. Acquire new skills, expand your knowledge, and, above all, shift your perspective.

Image credits: Free Vector | Realistic cardano coin illustration

Cybersecurity in Crypto: Best Practices to Prevent Theft and Fraud

Plus: A nominee to lead CISA emerges, Elon Musk visits the NSA, a renowned crypto cracking firm’s secret (and problematic) cofounder is revealed, and more.

Knifings, firebombings, shootings, and murder-for-hire plots—all linked to a splinter group of the 764 crime network called “No Lives Matter.” According to its own manifesto, the group seeks to “purify mankind through endless attacks” and has released at least two “kill guides” tied to violent plots in the US and Europe. Intelligence documents reviewed by WIRED reveal growing concern among analysts, but experts remain unsure how to stop the group’s spread.

On Monday, X experienced intermittent outages after a botnet flooded the social network with junk traffic in an attempt to take down its system. Elon Musk stated that the distributed denial-of-service attack originated from Ukrainian IP addresses, implying that the country—already under siege by a Russian invasion and frequently mocked by the centibillionaire—may have been responsible. Security experts tell WIRED that this is not how DDoS attacks work.

Meanwhile, inside the Cybersecurity and Infrastructure Security Agency, mass layoffs are hurting US cyberdefense, weakening protections against foreign adversaries. Vital staff cuts have left employees overworked and strained international partnerships, according to interviews with staff at the agency that helps safeguard cities, businesses, and nonprofits from cyberattacks. “A lot of people are scared,” says one employee. “We’re waiting for that other shoe to drop. We don't know what's coming.” As WIRED takes you inside the agencies at the center of the uncertainty and chaos of the second Trump administration, we've updated our quick and easy guide to using Signal to help you get the most out of the messaging app’s end-to-end encryption.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Those “green bubbles,” the cross-platform text messages that annoy iPhone owners and keep Android users relegated to a group-chat underclass, aren’t just a cultural disconnect. They’re also a security issue: Text messages sent between Android and iOS devices—unlike blue-bubble iMessage texts or Android-to-Android messages—aren’t end-to-end encrypted, leaving them open to surveillance or interception. Now, that may finally be changing.

The GSM Association, responsible for many widely used telecom standards, this week announced that its Rich Communication Services (or RCS) protocol will now support end-to-end encryption for cross-platform texting, and Apple revealed that it will now integrate that feature of RCS into its iOS devices. Until now, Apple and Google had both supported RCS’s other features in texts sent between iOS and Android, but not end-to-end encryption, which ensures that only the devices sending and receiving messages can decrypt them and not any server or snoop that sees them in transit.

Neither Apple nor the GSMA has said exactly when the new privacy features are launching. Until then, anyone sending cross-platform messages would be wise to stick with apps like WhatsApp or Signal that have long provided end-to-end encryption—and have also helped Android and iPhone users avoid personal disputes over bubble colors.

**Sean Plankey Nominated as Head of CISA, America’s Top Cybersecurity Agency**

The White House has tapped Sean Plankey to run CISA, the agency within the Department of Homeland Security primarily responsible for American digital defense. Plankey, long considered the leading contender for the role, served in multiple cybersecurity positions in the first Trump administration and previously held senior roles in US Cyber Command. In that DOD agency focused on cyber offense, he served as a weapons and tactics branch chief and earned a Bronze Star for hacking operations in Afghanistan. CISA, like many federal agencies, has faced hundreds of personnel cuts in recent weeks, and its previous director, Chris Krebs, came under harsh criticism under the previous Trump administration for the agency’s work to counter disinformation and secure elections. Krebs was fired in a Trump tweet near the end of his term after CISA described the 2020 election, whose results Trump baselessly contested, as the “most secure in American history.”

**Elon Musk Visits the National Security Agency**

Not even the National Security Agency has been spared from Elon Musk’s scorched-earth campaign to gut the federal government. On Wednesday, The Wall Street Journal reported that Musk had visited the intelligence agency in Fort Meade, meeting with leadership to discuss staff reductions and operational changes, according to current and former US officials who spoke to the Journal.

Despite being one of the most insulated branches of US intelligence, the NSA has still found itself pulled into Musk’s orbit. The visit to Fort Meade is another sign of the sweeping nature of his influence and the extraordinary access the world’s richest man has been granted over even the most secretive federal operations.

Last month, staff at the intelligence agency received emails offering deferred resignations, signaling impending changes. Then, a week ahead of his visit, Musk publicly called for an overhaul of the intelligence and cybersecurity agency. Posting to his social media site X, Musk wrote, “The NSA needs an overhaul,” alongside an apparent agency recruitment graphic featuring a group of college-aged people of color and a list of universities where the NSA was conducting outreach—seemingly mocking the agency’s recruitment efforts.

**A Buzzy Crypto Cracking Firm Had a Hidden CoFounder Accused of Sexual Assault**

The cryptocurrency recovery firm Unciphered has made headlines with its feats of whitehat wallet cracking on behalf of customers who have lost access to their cryptocurrency fortunes. In the fall of 2023, for instance, the company cracked a model of encrypted IronKey USB drive believed to hold 7,000-plus bitcoins now worth well over half a billion dollars. Now, The Washington Post reports that one of the cofounders of that company was Morgan Marquis-Boire, a once-lauded hacker and security researcher for Google and Citizen Lab who was later accused of sexually assaulting multiple women. The reported involvement of Marquis-Boire, who has largely disappeared from the cybersecurity world after facing the sex crime accusations in 2017, was kept secret from even many of the startup’s staff, and the revelations of his role have left the company in “disarray,” according to the Post.

**A Reporter Behind an Indian Hacker-for-Hire Story Is Fighting to Regain His Citizenship**

In November of 2023, Raphael Satter was one of a team of Reuters reporters who published an in-depth feature on Appin Technology, a startup that allegedly hacked numerous celebrity and civil society targets on behalf of clients. A group with a similar name responded by suing, and obtained a court ruling that for a time successfully censored Reuters’ story—a remarkable case of an Indian judge restricting free speech internationally. Satter is now fighting a different battle following publication of that story. In late 2023, his Overseas Citizen of India (OCI) card—a kind of international citizenship extended to foreign citizens of Indian origin and those married to Indians—was revoked around the same time as the judge filed the injunction. A letter sent to Satter in December of that year accused him of “maliciously creating adverse and biased opinion against Indian institutions in the international arena.” Satter is now petitioning a Delhi court to reverse that revocation, which has prevented him from entering India to visit family there.

End-to-End Encrypted Texts Between Android and iPhone Are Coming

The GSM Association (GSMA) has formally announced support for end-to-end encryption (E2EE) for securing messages sent via the Rich Communications Services (RCS) protocol, bringing much-needed security protections to cross-platform messages shared between Android and iOS platforms.
To that end, the new GSMA specifications for RCS include E2EE based on the Messaging Layer Security (MLS) protocol

GSMA Confirms End-to-End Encryption for RCS, Enabling Secure Cross-Platform Messaging

The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean and English-speaking users.
Lookout, which shared details of the malware campaign, said the earliest versions date back to March 2022. The most recent samples were flagged in March 2024. It's not clear how successful these efforts were.
"

Tag

#android