A highly sophisticated email scam is targeting PayPal users with the subject line of "Set up your account profile."

_A co-worker forwarded this rather convincing PayPal scam to me. Thanks Elena._

A highly sophisticated email scam is targeting PayPal users with the subject line of “Set up your account profile.”

We decided to see what the scammers are after. First thing to do is to look at the headers:

The sender address service@paypal.com (sometimes the emails come from service@paypal.co.uk) looks legitimate because it is, but the scammers have spoofed the address.

Basically, when someone sends an email, their computer tells the email system what address to show as the sender. Scammers take advantage of this by using special software or programs that let them type in any “From” address they want. This technique is called spoofing. The scammer sends their email through the internet, and since most email systems aren’t strict about checking this information, the fake sender address is displayed just like a real one would be.

So it’s hard for the everyday user to tell if the email has been spoofed or not.

There are other signs that the email might be a scam though. There is the unusual recipient address, which is nothing like the one of my co-worker. Rather than targeting one individual, scammers set up a distribution list (often using Microsoft 365/Google test domains) with their own domain or, in this case, a compromised one. This allows them to send bulk phishing emails while masking their intent, but does mean that recipients see an unfamiliar address, e.g. {somebody}@{unknow-domain}.test-google-a.com, instead of their own.

The “.test-google-a.com” part of the address refers to a domain often used in testing or in cloud setups through Google Workspace, but in the context of this scam email, it’s a strong indicator of malicious activity or advanced phishing techniques rather than official Google practice. So, that’s red flag #1.

When looking at the email itself, the subject line has nothing to do with what the email is asking the target to do. That’s red flag #2.

> “**Set up your PayPal account profile**  
> New Profile Charge: We have detected a new payment profile with a charge of $910.45 USD at Kraken.com. To dispute, contact PayPal at (805) 500-8413. Otherwise, no action is required. PayPal accept automatic pending bill from this account.Your New PayPal Account added you to the Crypto Wallet account.  
> Your user ID: Receipt43535e  
> Use this link to finish setting up your profile for this account. The link will expire in 24 hours.”

The layout of the email looks convincing enough, likely copied from an actual PayPal email.

The content however is typical for a phishing email:

*   Urgency: The link will expire in 24 hours.
*   Amount: Over $900 dollars to grab your attention
*   Crypto wallet: most people have only a vague notion of how crypto wallets work, so they don’t see the lie immediately. And Kraken.com is a crypto trading platform, so there is no discrepancy there.
*   The phone number listed is known by the Better Business Bureau as related to this type of scam
*   The recipient is not addressed by name in the email. Legitimate PayPal emails will always address you by your full name or business name, never generic greetings like “Dear Customer” or “Dear User”, or none at all as in this example. Red flag #3, 4, 5, 6, and 7.

The language used in the email is not perfect, but also not bad enough to stand out like a sore thumb. We have discussed in the past how AI-supported spear phishing fools more than 50% of targets, so looking for spelling errors is often not helpful these days.

But now comes the part which showcases the sophistication level of this scam. The link the button in the email points to, actually goes to PayPal.

However, the effect is different from what the target of the phishing email would expect. They are not going to set up a profile nor dispute a payment.

By clicking the link in the email, the target starts the routine to add a secondary user to their PayPal account. The danger here is that a secondary user can issue payments. In other words, the scammer would be able to clean out your PayPal account.

PayPal has over 434 million active users so for phishers that’s a large target audience. To make their attacks more targeted, some groups of phishers will buy or steal large databases of email addresses that are associated with PayPal accounts or which have previously interacted with PayPal services.

**How to stay safe**

As far as we could determine this campaign has been running for a month or more. Here are some tips to help you avoid being caught out:

*   Look out for the red flags above.
*   Always search phone numbers and email addresses to look for associations with known scams.
*   Go directly to PayPal.com to see if there are any messages for your account.
*   Enable two-factor authentication (2FA) to add an extra layer of security to your PayPal account and help prevent scammers getting in.
*   Report suspicious emails and phishing emails to phishing@paypal.com. Then delete them.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 PayPal users targeted in account profile scam 

Passkeys were built to enable a password-free future. Here's what they are and how you can start using them.

All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links. Learn more.

Passwords suck. They're hard to remember, but worse is playing the ever-evolving game of cybersecurity whack-a-mole with your most important accounts. That’s where passkeys come into play. The so-called “war on passwords” has taken off over the past two years, with titans like Google, Microsoft, and Apple pushing for a password-less future that the FIDO Alliance (a consortium made to “help reduce the world’s over-reliance on passwords”) has been trying to realize for over a decade.

Like it or not, you’ll be prompted to create a passkey at some point, and you likely already have. That’s a good thing, as passkeys aren’t only much easier to use than a traditional password, they’re also a lot safer. Here's everything you need to know about using them.

_Updated September 2: We've added a few details on about restoring passkeys and mentioned non-biometric authentication options._

Passkeys offer a way of confirming you are who you say you are without remembering a long, complicated password, and in a manner that's resistant to common attacks on passwords like phishing and dictionary attacks.

“Passkeys are built to replace passwords and outdated forms of two-factor authentication entirely,” Andrew Shikiar, executive director and CEO of the FIDO Alliance, tells WIRED. They represent a rare step forward in cybersecurity; one that’s not only easier to use than previous methods but also safer.

Conceptually, passkeys can come in many forms, but you’ll most commonly interact with them on a device you own. For example, imagine you want to sign in to your Google Account on a new device. Instead of entering a password, a passkey allows you to log in to your account with a device you’ve already verified. You can use your phone as a passkey, which instantly grants access to your Google Account without ever entering a password. The best implementations of passkeys don’t even need a username.

Passkeys end up being safer and more convenient than passwords because they work in a fundamentally different way. Passwords are what you’d call a “shared secret” in the world of cybersecurity. You know the secret, and so does the service you’re signing in to. The problem is that you have to remember that secret, and you aren’t fully in control of it, as you have to share that secret with whatever service you’re using. A data breach and a little decryption time are all that's needed to end up with a compromised account, and you didn't even do anything wrong.

Passkeys use public-key cryptography. Instead of matching a shared secret, public-key cryptography works by matching a pair of keys—a public key that anyone can see, and a private key that only you have access to. It’s safer because only you have access to your private key, and it’s easier because that key is bound to some device you own and usually secured with biometrics.

In the event your device is lost or stolen, you can restore your passkeys using the account you created it with. For instance, Google allows you to store passkeys in the Google Password Manager and sync them across your devices. Windows and iCloud Keychain only work on their respective operating systems, but they're tied to your Microsoft and Apple accounts, respectively.

**Are Passkeys Safe?**

Passkeys are safe, even more so than a long, random password. When you sign in with a passkey, you send a handful of information to the service you’re signing into, including your public key, which is stored as a representation of you as a user. This information alone doesn’t do anything.

On the device where you created the passkey, you'll have to engage in a “challenge” to unlock your private key, usually some form of biometric authentication. If the challenge is successful, it’s signed and sent back to the service you’re trying to log into. That challenge is then checked against the public key, and if it’s a match, you’re given access. Critically, this authentication happens on your device, not on a server far away.

Although biometric authentication is how you'll typically interact with passkeys on a mobile device, it's not a requirement. On Windows, for example, you need to authenticate with Windows Hello, which can use your device's PIN. On Android, you can use a pin or pattern.

With a password, there’s a ton of room for an attacker to potentially steal your password. Data breaches might expose your password, and even if it’s encrypted, it can be cracked. Phishing schemes are an easy vector of attack for hackers looking to steal passwords. And, if you’re using a service with spotty security practices, you could have a password exposed as plaintext in a breach; there are dozens and dozens of examples of this happening before.

**Passkeys vs. 2FA and MFA**

Passkeys are tricky because they fly in the face of security conventions that have been around for years—namely, two-factor (2FA) or multifactor authentication (MFA). Although you don’t need to plug in a code from a text or copy something over from an authenticator app, passkeys inherently use multifactor authentication. It just happens so fast that it’s easy to miss.

MFA is about adding additional layers of protection beyond your password. Instead of just your password, you need it and a code texted to you, for example. Passkeys already work that way. You need to match the public-private key pair, but you also need to authenticate that you have access to that private key. It’s not “something you know and something you own,” as 2FA is normally described, but it’s still two layers of authentication.

Here's how Shikiar describes it: “When you sign in, the service issues a cryptographic challenge that can only be answered with the private key on your device, verified by something you have (like your phone or laptop) and often something you are (like a biometric). The result is a phishing-resistant login with no reusable credentials to steal.”

**Devices and Browsers That Support Passkeys**

Passkeys are broadly integrated at an operating system level. If you’re using an OS that doesn’t natively support passkeys—i.e., Linux—you can still use them. However, you’ll need to use another device, like your phone, to scan a QR code and authenticate yourself, or a third-party password manager.

Here are the operating systems that fully support passkeys:

*   Android 9 or newer
*   iOS 16 or newer
*   macOS 13 (Ventura) or newer
*   Windows 10/11 23H2 or newer

Each one of these operating systems supports passkeys for native apps, as well as in your browser. Chromium supports passkeys, which covers the vast majority of browsers available, including Brave, Opera, Vivaldi, and Google Chrome. The major non-Chromium browser, Mozilla Firefox, also supports passkeys on version 122 or newer.

**How to Create and Store Passkeys**

To use passkeys, you need to store them somewhere. The major operating systems that support passkeys already include a way to store them, but they aren’t created equally.

Windows 10 and Windows 11

You need to set up Windows Hello to use passkeys on Windows 10 or Windows 11. You might have set it up during installation, but if not, you can enable it in the **Settings** app by clicking **Accounts > Sign-in options**. Whenever you want to use a passkey, you’ll need to authenticate with Windows Hello, be it with your face, fingerprint, or PIN.

Windows 10 or 11, version 23H2 or later, will prompt you to use a passkey whenever you attempt to sign in to a supported service on a supported browser (or through a native Windows app). Unlike other operating systems, these passkeys aren’t synced across your devices. They only work on your Windows device.

Both macOS and iOS store passkeys on your iCloud Keychain, so you’ll need to turn your Keychain on if it’s not already enabled. You can turn it on in the **Settings** app by following **Apple ID > iCloud > Passwords and Keychain**. You’ll need to enable 2FA for your Apple ID to use iCloud Keychain.

Similar to Windows, you’ll be prompted to create a passkey whenever you create a new account with a service that supports passkeys. If you want to add a passkey to an already created account, you’ll have to do so through that application’s settings. Unlike Windows, these passkeys work across devices, assuming you have access to your iCloud Keychain.

In newer versions of macOS (version 15 and later), it’s much easier to create and manage passkeys through the dedicated Passwords app.

iOS follows the same principles as macOS when it comes to Passkeys. They’re stored in your iCloud Keychain and synced across your devices. In iOS 18 and newer, you can manage passkeys in the dedicated Passwords app, and in older versions, you can find them in your settings.

iOS via Jacob Roach

iOS via Jacob Roach

Android 9 and newer versions support passkeys, but in different forms. By default, passkeys in Android will use the Google Password Manager, which is tied to your Google Account and syncs across your devices. On Android 14 and newer, you can choose to store your passkeys elsewhere, such as in a third-party password manager.

Passkeys in a Password Manager

Chrome via Jacob Roach

If you want all your passkeys on all your devices, operating system be damned, you need a password manager. Most of the best password managers support passkeys, allowing you to store and sync them on nearly any device. I personally use 1Password, but services like NordPass, Bitwarden, and Dashlane also support passkeys. You can create and store passkeys with a password manager on Android and iOS.

Keep your logins locked down with our favorite password management apps for PC, Mac, Android, iPhone, and web browsers.

**Apps That Support Passkeys**

There are only a few places where you can store and sync passkeys, but plenty of services support passkeys for signing in. The usual suspects include Microsoft, Adobe, Amazon, Google, and Apple, but there are still many websites and apps that don’t support passkeys.

You can find a handful of directories that claim to hold a complete list of apps that support passkeys with a quick Google search. 1Password maintains one directory, as do a couple of B2B services, including a directory from Hanko and another from OwnID. These aren’t complete lists. Meta apps like Facebook and Instagram aren’t listed, for example, despite adding support for passkeys in June 2025.

The best directory I’ve come across is from a nonprofit called 2factorauth in Sweden. It’s hosted on GitHub, updated constantly, and critically, maintained by the community. It’s the most up-to-date I’ve found, and apps are even organized into categories so you can, for instance, pick a VPN service that supports passkeys.

**Passkeys Will (Eventually) Replace Passwords**

Passkeys were built to replace passwords, but we’re in the middle of a long, arduous transition to get there. It requires every app, device, and operating system to adopt a new standard of authentication and ditch a model we've been using for decades throughout our entire digital lives.

The inflection point is well underway, though. With major services adopting passkeys, it’s possible to use them across your most important accounts. If nothing else, it’s worth using passkeys on accounts that are connected to others, such as your Google or Facebook account if you use social sign-on features.

Despite offering clear security advantages, passkeys aren't a (excuse the pun) turnkey solution for better security. As Shikiar puts it, “Passkeys secure the front door, but organizations still need to harden the entire identity journey, ranging from onboarding and recovery to session management.”

**_Power up with unlimited access to_ WIRED_._** _Get best-in-class reporting and exclusive subscriber content that's too important to ignore. Subscribe Today._

What Is a Passkey? Here’s How to Set Up and Use Them (2025)

Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks.
The vulnerabilities are listed below -

CVE-2025-38352 (CVSS score: 7.4) - A privilege escalation flaw in the Linux Kernel component 
CVE-2025-48543 (CVSS score: N/A) - A

Mobile Security / Vulnerability

Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks.

The vulnerabilities are listed below -

*   **CVE-2025-38352** (CVSS score: 7.4) - A privilege escalation flaw in the Linux Kernel component
*   **CVE-2025-48543** (CVSS score: N/A) - A privilege escalation flaw in the Android Runtime component

Google said both vulnerabilities could lead to local escalation of privilege with no additional execution privileges needed. It also noted that no user interaction is required for exploitation.

The tech giant did not reveal how the issues have been weaponized in real-world attacks and if they are being put to use in tandem, but acknowledged there are indications of "limited, targeted exploitation."

Benoît Sevens of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the upstream Linux Kernel flaw, indicating that it may have been abused as part of targeted spyware attacks.

Also patched by Google are several remote code execution, privilege escalation, information disclosure, and denial-of-service vulnerabilities impacting Framework and System components.

Google has released two security patch levels, 2025-09-01 and 2025-09-05, so as to give flexibility to Android partners to address a portion of vulnerabilities that are similar across all Android devices more quickly.

"Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level," Google said.

Last month, the tech giant Google released security updates to resolve two Qualcomm vulnerabilities -- CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5) -- that were flagged by the chipmaker as actively exploited in the wild.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Android Security Alert: Google Patches 120 Flaws, Including Two Zero-Days Under Attack

Californians are receiving scammy text messages that tell them they're owed a tax refund. Don't click any links or reply!

The State of California Franchise Tax Board (FTB) recently issued a warning to taxpayers to protect themselves from tax scams. In their warning the FTB states:

> “Recently, the FTB received reports of a scam targeting taxpayers through text messages that appear to be from FTB. These text messages contain a link to a fraudulent version of certain FTB web pages, which are designed to steal personal and banking information. The scam aims to trick taxpayers into providing personal details and credit card information.”

As if to prove their point, one of my co-workers received this text message.

> “State of California Franchise Tax Board (FTB)
> 
> Your tax refund claim has been processed and approved. Please provide your accurate collection information before September 01, 2025.
> 
> We will deposit the money into your bank account or email paper check within 1-2 working days.
> 
> {link}
> 
> Failure to submit required payment information by September 01, 2025 will result in permanent forfeiture of this refund under California Revenue and Taxation Code Section 19322.
> 
> Just reply with ‘Y’, then close and reopen the message to make the link work. If that doesn’t do it, copy the link and paste it straight into Safari.
> 
> California Franchise Tax Board|Sacramento, CA|Official State Agency”

The links that we found for this campaign are designed to look legitimate by using ftb.ca, ftb.gov, or ftb.cagov in the URL. The sites are designed to mimic the official version of certain FTB web pages, but in reality they are designed to steal your personal and banking information.

**How to tell if a message is a scam**

This type of scam is not limited to California or even to tax returns, so this advice is good for everyone. Here are some scammy signs to watch out for:

*   **Suspicious domain names:** Official tax authorities only use domains ending in “.gov”. Any link leading to “ftb.ca-nt.cc” or other odd-looking domains is a major red flag.  
*   **Urgent or threatening language:** Scammers often try to rush recipients with claims like “permanent forfeiture of your refund” and tight deadlines.
*   **Requests for sensitive personal or financial information:** Legitimate agencies never ask for bank account info or other private details via text message.
*   **Promised instant rewards:** Messages offering immediate deposits should not be trusted.
*   **Odd instructions for opening links:** Watch out for steps like “reply with ‘Y’, then close and reopen the message” or pasting the link into Safari. This is a scam tactic to bypass security features.
*   **Foreign phone numbers:** US federal and state agencies only use official numbers, not foreign codes. A sender like +63 (Philippines) pretending to be a US state agency is a sure giveaway of fraud.
*   **Grammatical mistakes, strange wording, and formatting errors:** Even though the use of AI by scammers has reduced the number of these signs, they sometimes occur. “Email paper check” is a good example.
*   **Generic sign-offs or incomplete contact details:** Real tax authorities provide clear and official contact information.

Spotting any one of these signs should be enough to delete the message. Never click links or provide personal details based on unsolicited texts or emails.

Other tips to stay safe are:

*   Keep your device and the software on it up to date.
*   Use an active anti-malware protection, preferably with a web protection module.
*   If you’re worried something is a scam and want to confirm it, Malwarebytes users can submit suspicious messages to Scam Guard.

You can also visit the FTB Scams page to verify when FTB sends texts and what information is included.

**Indicators**

We have spotted these subdomains in this campaign:

ftb.gov-ciehka.xmnsia\[.\]cc

ftb.ca-nt\[.\]cc

ftb.cagov-Ibh\[.\]cc

ftb.cagov-tqn\[.\]cc

ftb.cagov-cg\[.\]cfd

ftb.cagov-onr\[.\]cc

ftb.cagov-jme\[.\]cc

ftb.cagov-etu\[.\]cc

ftb.cagov-ib\[.\]cc

ftb.ca-mg\[.\]cc

ftb.gov-qls\[.\]help

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 Tax refund scam targets Californians 

Cybersecurity researchers are calling attention to a new shift in the Android malware landscape where dropper apps, which are typically used to deliver banking trojans, to also distribute simpler malware such as SMS stealers and basic spyware.
These campaigns are propagated via dropper apps masquerading as government or banking apps in India and other parts of Asia, ThreatFabric said in a report

Cybersecurity researchers are calling attention to a new shift in the Android malware landscape where dropper apps, which are typically used to deliver banking trojans, to also distribute simpler malware such as SMS stealers and basic spyware.

These campaigns are propagated via dropper apps masquerading as government or banking apps in India and other parts of Asia, ThreatFabric said in a report last week.

The Dutch mobile security firm said the change is driven by recent security protections that Google has piloted in select markets like Singapore, Thailand, Brazil, and India to block sideloading of potentially suspicious apps requesting dangerous permissions like SMS messages and accessibility services, a heavily abused setting to carry out malicious actions on Android devices.

"Google Play Protect's defences, particularly the targeted Pilot Program, are increasingly effective at stopping risky apps before they run," the company said. "Second, actors want to future-proof their operations."

"By encapsulating even basic payloads inside a dropper, they gain a protective shell that can evade today's checks while staying flexible enough to swap payloads and pivot campaigns tomorrow."

ThreatFabric said that while Google's strategy ups the ante by blocking a malicious app from being installed even before a user can interact with it, attackers are trying out new ways to get around the safeguards -- an indication of the endless game of whack-a-mole when it comes to security.

This includes designing droppers, keeping in mind Google's Pilot Program, so that they don't seek high-risk permissions and serve only a harmless "update" screen that can fly past scanning in the regions.

But it's only when the user clicks the "Update" button that the actual payload gets fetched from an external server or unpacked, which then proceeds to seek the necessary permissions to fulfil its objectives.

"Play Protect may display alerts about the risks, as a part of a different scan, but as long as the user accepts them, the app is installed, and the payload is delivered," ThreatFabric said. "This illustrates a critical gap: Play Protect still allows risky apps through if the user clicks Install anyway, and the malware still slips through the Pilot Program."

One such dropper is RewardDropMiner, which has been found to serve along with spyware payloads a Monero cryptocurrency miner that can be activated remotely. Recent variants of the tool, however, no longer include the miner functionality.

Some of the malicious apps delivered via RewardDropMiner, all targeting users in India, are listed below -

*   PM YOJANA 2025 (com.fluvdp.hrzmkgi)
*   °RTO Challan (com.epr.fnroyex)
*   SBI Online (com.qmwownic.eqmff)
*   Axis Card (com.tolqppj.yqmrlytfzrxa)

Other dropper variants that avoid triggering Play Protect or the Pilot Program include SecuriDropper, Zombinder, BrokewellDropper, HiddenCatDropper, and TiramisuDropper.

When reached for comment, Google told The Hacker News it has not found any apps using these techniques distributed via the Play Store and that it's constantly adding new protections.

"Regardless of where an app comes from – even if it's installed by a 'dropper' app – Google Play Protect helps to keep users safe by automatically checking it for threats," a spokesperson said.

"Protection against these identified malware versions was already in place through Google Play Protect prior to this report. Based on our current detection, no apps containing these versions of this malware have been found on Google Play. We're constantly enhancing our protections to help keep users safe from bad actors."

The development comes as Bitdefender Labs has warned of a new campaign that's using malicious ads on Facebook to peddle a free premium version of the TradingView app for Android to ultimately deploy an improved version of the Brokewell banking trojan to monitor, control, and steal sensitive information from the victim's device.

No less than 75 malicious ads have been run since July 22, 2025, reaching tens of thousands of users in the European Union alone. The Android attack wave is just one part of a larger malvertising operation that has abused Facebook Ads to also target Windows desktops under the guise of various financial and cryptocurrency apps.

"This campaign shows how cybercriminals are fine-tuning their tactics to keep up with user behavior," the Romanian cybersecurity company said. "By targeting mobile users and disguising malware as trusted trading tools, attackers hope to cash in on the growing reliance on crypto apps and financial platforms."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Android Droppers Now Deliver SMS Stealers and Spyware, Not Just Banking Trojans

WhatsApp has patched a vulnerability that was used in conjunction with an Apple vulnerability in zero-click attacks.

WhatsApp says it has issued an update to patch a vulnerability that has been used in conjunction with an Apple vulnerability to target specific users and compromise their devices.

Reportedly, attackers used this exploit against dozens of WhatsApp users, and WhatsApp has notified those affected:

> “Our investigation indicates that a malicious message may have been sent to you through WhatsApp and combined with other vulnerabilities in your device’s operating system to compromise your device and the data it contains, including messages.
> 
>   
> While we don’t know with certainty that your device has been compromised, we wanted to let you know out of an abundance of caution so you can take steps to secure your device and information.”

WhatsApp advised the affected users to perform a full factory reset of their phone in order to make sure they are rid of the malware.

> “We’ve made changes to prevent this specific attack from occurring through WhatsApp. However, your device’s operating system could remain compromised by the malware or targeted in other ways.
> 
>   
> To best protect yourself, we recommend a full device factory reset. We also strongly urge you to keep your devices updated to the latest version of the operating system, and ensure that your WhatsApp app is up to date.”

According to the Amnesty International Security Lab, the vulnerability was part of a zero-click attack against both iPhone and Android users. A zero-click attack is a type of attack which allows the cybercriminals to break into devices or apps without the victim needing to click, tap, or respond to anything. Unlike classic scams that rely on tricking someone into clicking a sketchy link, zero-click threats can land on a device simply because an app receives a message or notification crafted to exploit a hidden flaw.

**Technical details**

The zero-click attack required two vulnerabilities.

For iOS and Mac users these vulnerabilities were tracked as CVE-2025-43300 and lie in the Image I/O framework, the part of macOS and iOS that an app needs to open or save a picture. The problem came from an out-of-bounds write. Apple stepped in and tightened the rules with better bounds checking, closing off the hole so attackers can no longer use it.

An out-of-bounds write vulnerability means that the attacker can manipulate parts of the device’s memory that should be out of their reach. Such a flaw in a program allows it to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers can write code to a part of the memory where the system executes it with permissions that the program and user should not have.

In this case, an attacker could construct an image to exploit the vulnerability.  Processing such a malicious image file would result in memory corruption. Attackers can exploit memory corruption flaws to crash important processes or execute their own code.

The second vulnerability, CVE-2025-55177 for WhatsApp users, is caused by incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 and could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.

**What to do**

The infection chain described in the security advisories from Apple and WhatsApp relies on two components: an Apple vulnerability (CVE-2025-43300) in the Image I/O framework and a WhatsApp vulnerability (CVE-2025-55177) that allowed the hijacking of devices by synchronizing messages.

Attackers exploited the Apple ImageIO bug via malicious image files, which is dangerous because this core library is used by multiple apps (not just WhatsApp) for opening and previewing pictures. In affected WhatsApp versions for iOS and Mac, the sync message bug could trigger arbitrary URL processing, creating a powerful combo for chaining exploits and compromising devices without any user action.

While Android users were mentioned among potential targets in advanced spyware campaigns reported by Amnesty, the most severe zero-click risk described applies only to Apple devices. For Android, the WhatsApp vulnerability may have exposed users to attacks, but not via the same chained infection vectors. As always, updating WhatsApp and enabling advanced security features (like Google Advanced Protection on Android) is highly recommended. So is using security protection on your devices.

If you’ve received one of the notifications from WhatsApp, we’d advise you to follow the instructions.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp fixes vulnerability used in zero-click attacks 

This guide gives step-by-step instructions how how to enable two-step verification for WhatsApp on Android, iOS, and iPadOS

Two step verification is the name Meta uses for what is generally referred to as Two-factor authentication (2FA). 2FA is not fool-proof, but it is one of the best ways to protect your accounts from hackers.

It adds an extra step when logging in, which is a small extra effort for you, but it dramatically boosts your security. WhatsApp 2FA, called Two-Step Verification, requires you to enter a PIN code when registering your phone number on a new device, stopping hackers even if they have your SMS code.

Here’s how to enable 2FA on WhatsApp for Android and iOS.

1.  Open WhatsApp.
2.  Go to **Settings** (you’ll see it if you tap the three dots, usually located in the upper right corner).
3.  Tap **Account**.
4.  Select **Two-step verification**.
5.  Tap **Enable**.
6.  Create a unique 6-digit PIN and confirm it.
7.  Optionally, you can add your email address to recover your PIN if you forget it.
8.  Tap **Save**.

Now, whenever you verify your phone number on WhatsApp and every so often when you open the app, you’ll need the 6-digit PIN.

**How to set up two-step verification for WhatsApp on iPhone or iPad**

1.  Open the WhatsApp app on your iPhone or iPad.
2.  Tap on **Settings** (the gear icon)
3.  Tap on **Account**.
4.  Select **Two-step verification**.
5.  Tap on **Turn on** or **Set up PIN** to begin.
6.  Enter a six-digit PIN of your choice, then enter it again to confirm it.
7.  Optionally, you can add your email address to recover your PIN if you forget it.
8.  Tap **Save** or **Done**.
9.  If you added an email, enter the verification code sent to that email to complete the process.

Now, whenever you verify your phone number on WhatsApp and every so often when you open the app, you’ll need the 6-digit PIN.

****Enable it today if you can****

Even the strongest password isn’t enough on its own. 2FA means a thief must have access to your an additional factor to be able to log in to your account, whether that’s a code on a physical device or a security key. In addition to your password, this makes an account takeover much harder.

We recommend you set up 2FA on all your important accounts, including messaging and social media accounts. Do it today if you get a chance: It only takes a few minutes but can save you from hours or even days of headaches later. It’s currently the best password advice we have.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 How to set up two-step verification on your WhatsApp account 

A list of topics we covered in the week of August 25 to August 31 of 2025

August 28, 2025 - The FCC has disconnected over a thousand voice operators from the public telephone network for not doing their part to stop robocallers.

August 28, 2025 - Anthropic—maker of AI coding chatbot Claude—says cybercriminals have abused Claude to automate and orchestrate sophisticated attacks.

August 27, 2025 - To reduce the number of harmful apps targeting Android users, Google is making some changes.

August 27, 2025 - TheTruthSpy is at it again. A security researcher has discovered a flaw in the Android-based stalkerware that allows anyone to compromise any record in the system.

August 27, 2025 - Researchers have found 77 malicious apps in the official Google Play Store, ranging from adware to state of the art banking Trojans.

 A week in security (August 25 &#8211; August 31) 

WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks.
The vulnerability, CVE-2025-55177 (CVSS score: 8.0), relates to a case of insufficient authorization of linked device synchronization messages. Internal researchers on the

WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks.

The vulnerability, **CVE-2025-55177** (CVSS score: 8.0), relates to a case of insufficient authorization of linked device synchronization messages. Internal researchers on the WhatsApp Security Team have been credited with discovering and rerating the bug.

The Meta-owned company said the issue "could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device."

The flaw affects the following versions -

*   WhatsApp for iOS prior to version 2.25.21.73
*   WhatsApp Business for iOS version 2.25.21.78, and
*   WhatsApp for Mac version 2.25.21.78

It also assessed that the shortcoming may have been chained with CVE-2025-43300, a vulnerability affecting iOS, iPadOS, and macOS, as part of a sophisticated attack against specific targeted users.

CVE-2025-43300 was disclosed by Apple last week as having been weaponized in an "extremely sophisticated attack against specific targeted individuals."

The vulnerability in question is an out-of-bounds write vulnerability in the ImageIO framework that could result in memory corruption when processing a malicious image.

Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, said WhatsApp has notified an unspecified number of individuals that they believe were targeted by an advanced spyware campaign in the past 90 days using CVE-2025-55177.

In the alert sent to the targeted individuals, WhatsApp has also recommended performing a full device factory reset and keeping their operating system and the WhatsApp app up-to-date for optimal protection. It's currently not known who, or which spyware vendor, is behind the attacks.

Ó Cearbhaill described the pair of vulnerabilities as a "zero-click" attack, meaning it does not require any user interaction, such as clicking a link, to compromise their device.

"Early indications are that the WhatsApp attack is impacting both iPhone and Android users, civil society individuals among them," Ó Cearbhaill said. "Government spyware continues to pose a threat to journalists and human rights defenders."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

WhatsApp Issues Emergency Update for Zero-Click Exploit Targeting iOS and macOS Devices

A Facebook malvertising campaign is spreading the Brokewell spyware to Android users via fake TradingView ads. The malware…

A Facebook malvertising campaign is spreading the Brokewell spyware to Android users via fake TradingView ads. The malware steals crypto and personal data.

Cybersecurity researchers at Bitdefender Labs have discovered a new malicious ad campaign (malvertising) on Facebook that is actively spreading a notorious Android spyware against unsuspecting users.

The research, shared with _Hackread.com_, reveals that the campaign tricks victims into downloading Brokewell spyware, which has been operational since at least early 2024. In one previous case reported in April 2024, the Brokewell spyware was spotted spreading via Fake Chrome Updates.

****How the Ads Find Their Targets****

Researchers found that this malvertising campaign doesn’t just target a general group of users; it uses the Facebook ad network to specifically target Android users with tailored ads. In just one month, these ads have already been served to tens of thousands of users in the European Union alone, showing how eagerly cyber criminals have been attempting to spread this threat.

The campaign’s modus operandi involves attackers creating advertisements that look like they’re from the legitimate platforms. For example, one company specifically targeted in this malvertising is TradingView, a widely used online trading platform.

As shown in the screenshot below, scammers have used the company’s branding and visuals. These ads promise a high-value item, a free premium app, to trick users into clicking.

Malicious ads which spread BrokeWell malware – Source: Bitdefender Labs

****New Features****

According to researchers, once installed, the malware displays spyware and Remote Access Trojan (RAT) capabilities, suggesting that this is an advanced version of Brokewell.

The malware then requests permissions, often posing as fake update prompts, to gain total control. It can steal cryptocurrencies, bypass two-factor authentication, and even take over a user’s accounts.

It also allows the attackers to record screen activity, log keystrokes, and use the device’s camera and microphone. The malware can even intercept sensitive text messages, including banking and security codes.

All these capabilities show Android spyware is out of control, and as more people rely on smartphones for banking, crypto wallets, and other financial apps, a single compromised device can give hackers access to a person’s entire financial life. Researchers suggest the following security tips to stay protected from such campaigns:

*   Avoid clicking on ads on social media.

*   Check website URLs carefully for fakes.

*   Review app permissions before granting them.

*   Avoid installing apps from unofficial sources (sideloading).

*   Be cautious of ads, even on trusted platforms like Facebook.

Tag

#android