WhatsApp has announced it will start showing its users targeted ads. Will this be yet another Meta "Pay or OK" choice?

WhatsApp has announced that it will start to show you targeted ads on the app. The ads, it says, will appear under the **Updates** tab.

WhatsApp launched the Updates tab a year ago, and now 1.5 billion people visit it every day. Updates has historically been a place for users to follow news and updates from their favorite companies, news organizations and celebrities. 

This is different to the **Chats** tab where users send and receive messages. Chats remain end-to-end encrypted and, according to Meta’s vice president for product management Nikila Srinivasan, will not display ads.

To determine your interests for ad purposes, WhatsApp says:

> “We’ll use limited info like your country or city, language, the Channels you’re following, and how you interact with the ads you see. For people that have chosen to add WhatsApp to Accounts Center, we’ll also use your ad preferences and info from across your Meta accounts.”

That means that anyone who has linked their Facebook or Instagram accounts with their WhatsApp account will now have that data used for ad targeting. This cross-platform integration feels like a significant invasion of privacy, especially for users who expected WhatsApp to remain more private than Facebook or Instagram.

The European privacy group NOYB (None Of Your Business) has already voiced concerns, warning that WhatsApp may soon adopt the same “Pay or OK” model as Facebook and Instagram to obtain the user consent that’s required under EU law.

With Meta’s “Pay or OK” system, users face a choice between two options nobody asked for: either pay a monthly subscription fee to avoid targeted ads and tracking, or accept extensive data collection and personalized advertising in exchange for free access. If you don’t want your data tracked, you must pay. If you don’t pay, you must accept tracking and profiling for ads.

Meta introduced this model in response to strict privacy regulations in Europe, especially the General Data Protection Regulation (GDPR), which requires companies to get clear, “freely given” consent from users before using their data for personalized ads.

In the past, Meta has argued that it had obtained a ruling of the Court of Justice of the European Union (CJEU) that accepted the subscription model as a valid form of consent for an ads funded service.

Meta also said its pricing was in line with those of ad-free services such as YouTube Premium and Spotify Premium. However, it conveniently forgot to consider that ad-free services are not the same as those that gather data about you and sell them to the highest bidder to create personalized ads.

WhatsApp built its reputation on privacy, with end-to-end encryption and minimal data collection. And, as privacy advocates feared, bringing it into the Meta “family” moved the platform away from its privacy-first roots.

Even if WhatsApp says it won’t read your messages, it can still use your usage patterns, contacts, and other metadata to build detailed profiles for advertisers. This increases the risk of data leaks, misuse, or surveillance.

**What can users do?**

A while back I asked whether it was a good idea to move from WhatsApp to Signal. With this new development, the question may be worth reconsidering.

If you’re on iOS 18, you can now allow WhatsApp to access only selected contacts instead of your entire address book. This reduces the amount of data WhatsApp can collect about your network.

On Android, you can technically use WhatsApp without granting access to your contacts, but you’ll need to manually start chats using wa.me links. Or, for convenience, you can use a third-party app that does the work for you.

WhatsApp frequently adds or changes privacy options, so revisit your settings periodically to maintain control.

If you can, disassociate your WhatsApp account from other Meta accounts you may have. Don’t use the same email address, handle, etc. You can remove your WhatsApp account from the Meta Accounts Center, but it is unclear whether Meta will “remember” the link if it once existed.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 WhatsApp to start targeting you with ads 

Unity is one of the most popular game engines for mobile and cross-platform app development. It powers millions…

Unity is one of the most popular game engines for mobile and cross-platform app development. It powers millions of games and applications across platforms including iOS, Android, and desktop.

While building an engaging app is important, monetization is what turns your development effort into a sustainable business. In this article, we explore the best practices for monetizing Unity apps, with a particular focus on advertising and in-app purchases (IAP).

****Why Monetization Strategy Matters****

Choosing the right monetization strategy from the start can greatly influence your app’s success. A poorly implemented monetization model can frustrate users and result in low retention, while a smart and balanced approach can enhance both user experience and revenue.

Unity supports a range of monetization options, and developers often use a combination of strategies for maximum effect.

****1\. Advertising in Unity Apps********Types of Ads:****

*   **Interstitial Ads**: Full-screen ads are shown at natural pauses, such as between game levels.
*   **Banner Ads**: Small, less intrusive ads are usually displayed at the top or bottom of the screen.
*   **Rewarded Video Ads**: Popular among free-to-play games. Users watch an ad to receive a reward (e.g., coins or extra lives).

****Best Practices for Ads:****

*   Rewarded ads should offer meaningful incentives.
*   Use **Unity Ads SDK** for smooth integration and optimization.
*   Track ad performance and optimize placements using A/B testing.
*   Don’t overwhelm users with too many ads; prioritize user experience.

****2\. In-App Purchases (IAP)****

In-app purchases are a direct way to monetize your users by offering them value-added items or features.

****Common IAP Models:****

*   **Consumables**: Virtual currency, energy refills, boosters.
*   **Subscriptions**: Ongoing access to premium features.
*   **Non-consumables**: One-time purchases like removing ads or unlocking levels.

****Best Practices for In-App Purchases:****

*   Create urgency and exclusivity using limited-time offers.
*   Ensure IAPs provide genuine value and enhance gameplay.
*   Use visual cues and UI prompts to showcase the benefits of premium items.
*   Offer a mix of price points (e.g., $0.99 to $29.99) to appeal to different user segments.

****Technical Integration:****

*   Unity provides a built-in **IAP package** that supports both Android and iOS.
*   Follow platform-specific guidelines (Google Play Billing, Apple’s StoreKit).

Need help setting up in-app purchases? Check out this step-by-step Unity in-app purchases tutorial to guide your implementation.

****3\. Hybrid Monetization Model****

Many successful apps combine ads and IAPs to maximize their revenue:

*   Use rewarded ads alongside virtual currency purchases.
*   Offer the base game for free with ads, and provide an IAP option to remove ads.
*   Offer a subscription model that includes an ad-free experience and exclusive items.

This hybrid approach caters to both free users and paying users, creating a more inclusive ecosystem.

****4\. Analyze User Behavior and Monetization Funnels****

Tracking and analyzing user data is critical to optimize your monetization strategy:

*   Monitor user retention and churn rate.
*   Segment users into cohorts for personalized offers.
*   Identify points where users are most likely to spend.
*   Use heatmaps and session recordings to study in-app behaviour.

Unity Analytics and third-party tools like Firebase or Adjust can help you gain insights into user behaviour.

****5\. A/B Testing and Optimization****

Don’t rely on guesswork, test everything:

*   Try various ad placements and formats.
*   Test different IAP price points and bundle options.
*   Test UI changes to see what improves conversion rates.

Run A/B tests over a sufficient sample size and make data-backed decisions to improve LTV (lifetime value) and ARPU (average revenue per user).

****Final Thoughts****

Monetizing Unity apps requires more than just plugging in ads or setting up a store. A well-thought-out strategy that balances user satisfaction and revenue potential is key. Whether you’re developing a game or a utility app, combining in-app purchases with ad-based models and continuously optimizing based on user behaviour will help you achieve long-term success.

How to Monetize Unity Apps: Best Practices

Law enforcement has more tools than ever to track your movements and access your communications. Here’s how to protect your privacy if you plan to protest.

A major groundswell of nationwide protests against the second Trump administration has arrived.

If you're going to join any protests, as is your right under the First Amendment, you need to think beyond your physical well-being to your digital security, too. The same surveillance apparatus that’s enabling the Trump administration’s raids of undocumented people and targeting of left-leaning activists will no doubt be out in full force on the streets.

Two key elements of digital surveillance should be top of mind for protestors. One is the data that authorities could potentially obtain from your phone if you are detained, arrested, or they confiscate your device. The other is surveillance of all the identifying and revealing information that you produce when you attend a protest, which can include wireless interception of text messages and more, and tracking tools like license plate scanners and face recognition. You should be mindful of both.

After all, police have already demonstrated their willingness to arrest and attack entirely peaceful protesters as well as journalists observing demonstrations. In that light, you should assume that any digital evidence that you were at or near a protest could be used against you.

“The Trump administration is weaponizing essentially every lever of government to shut down, suppress, and curtail criticism of the administration and of the US government generally, and there have never been more surveillance toys available to law enforcement and to US government agencies,” says Evan Greer, the deputy director of the activist organization Fight for the Future, who also wrote a helpful X (then-Twitter) thread laying out digital security advice during the Black Lives Matter protests in the summer of 2020. “That said, there are a number of very simple, concrete things that you can do that make it exponentially more difficult for someone to intercept your communications, for a bad actor to ascertain your real-time location, or for the government to gain access to your private information.”

_This story was originally published on May 31, 2020 and updated on June 12, 2025._

**Your Phone**

The most important decision to make before leaving home for a protest is whether to bring your phone—or what phone to bring. A smartphone broadcasts all sorts of identifying information; law enforcement can force your mobile carrier to cough up data about what cell towers your phone connects to and when. Police in the US have also been documented using so-called stingray devices, or IMSI catchers, that impersonate cell towers and trick all the phones in a certain area into connecting to them. This can give cops the individual mobile subscriber identity number of everyone at a protest at a given time, undermining the anonymity of entire crowds en masse.

“The device in your pocket is definitely going to give off information that could be used to identify you,” says Harlo Holmes, director of digital security at the Freedom of the Press Foundation, a nonprofit press advocacy group. (Disclosure: WIRED’s global editorial director, Katie Drummond, serves on Freedom of the Press Foundation’s board.)

For that reason, Holmes suggests that protesters who want anonymity leave their primary phone at home altogether. If you do need a phone for coordination or as a way to call friends or a lawyer in case of an emergency, keep it off as much as possible to reduce the chances that it connects to a rogue cell tower or Wi-Fi hot spot being used by law enforcement for surveillance. Sort out logistics with friends in advance so you only need to turn your phone on if something goes awry. Or to be even more certain that your phone won’t be tracked, keep it in a Faraday bag that blocks all of its radio communications. Open the bag only when necessary. Holmes herself uses and recommends the Mission Darkness Faraday bag.

If you do need a mobile device, consider bringing only a secondary phone you don’t use often, or a burner. Your main smartphone likely has the majority of your digital accounts and data on it, all of which law enforcement could conceivably access if they confiscate your phone. But don’t assume that any backup phone you buy will grant you anonymity. If you give a prepaid carrier your identifying details, after all, your “burner” phone could be no more anonymous than your primary device. “Don’t expect because you got it from Duane Reade that you’re automatically a character from _The Wire_,” Holmes cautions.

Instead of a burner phone, Holmes argues that it may be far more practical to simply own a secondary phone that you’ve set up to be less sensitive—leaving off accounts and apps that offer your most private information to anyone who seizes it, such as social media, email, and messaging apps. “Choosing a secondary device that limits the amount of personal data that you have on you at all times is probably your best protection,” Holmes says.

Regardless of what phone you’re using, consider that traditional calls and text messages are vulnerable to surveillance. That means you need to use end-to-end encryption. Ideally, you and those you communicate with should use disappearing messages set to self-delete after a few hours or days. The encrypted messaging and calling app Signal has perhaps the best and longest track record. Just make sure you and the people you’re communicating with are using the same app, since they’re not interoperable.

Aside from protecting your phone’s communications from surveillance, be prepared in the event police seize your device and try to unlock it in search of incriminating evidence. The first order of business is to make sure your smartphone’s contents are encrypted. iOS devices have full disk encryption on by default if you enable an access lock. For Android phones, go to **Settings**, then **Security** to make sure the **Encrypt Disk** option is turned on. (These steps may differ depending on your specific device.)

Regardless of your operating system, always protect devices with a long, strong passcode rather than a fingerprint or face unlock. As convenient as biometric unlocking methods are, it may be more difficult to resist an officer forcing your thumb onto your phone’s sensor, for instance, than to refuse to tell them a passcode. So if you use biometrics day-to-day for convenience, disable them before heading into a protest.

If you insist on using biometric unlocking methods to have faster access to your devices, keep in mind that some phones have an emergency function to disable these types of locks. Hold the wake button and one of the volume buttons simultaneously on an iPhone, for instance, and it will lock itself and require a passcode to unlock rather than FaceID or TouchID, even if they’re enabled. Most devices also let you take photos or record video without unlocking them first, a good way to keep your phone locked as much as possible.

**Your Face**

Face recognition has become one of the most powerful tools to identify your presence at a protest. Consider wearing a face mask and sunglasses to make it far more difficult for you to be identified by face recognition in surveillance footage or social media photos or videos of the protest. Fight for the Future’s Greer cautions, however, that the accuracy of the most effective face recognition tools available to law enforcement remains something of an unknown, and a simple surgical mask or KN95 may no longer be enough to defeat well-honed face-tracking tech.

If you’re serious about not being identified, she says, a full-face mask may be far safer—or even a Halloween-style one. “I've seen people wear funny cosplay-style cartoon masks or mascot suits or silly costumes,” says Greer, offering as an example Donald Trump and Elon Musk masks that she’s seen protesters wear at Tesla Takedown protests against Musk and the so-called Department of Government Efficiency (DOGE). “That's a great way to defy facial recognition and also make the protest more fun.”

You should also consider the clothes you’re wearing before you head out. Colorful clothing or prominent logos makes you more recognizable to law enforcement and easier to track. If you have tattoos that make you identifiable, consider covering them.

Greer cautions, though, that preventing determined surveillance-empowered agencies from learning the mere fact that you attended a protest at all is increasingly difficult. For those of you in the most sensitive positions—such as undocumented immigrants at risk of deportation—she suggests that you consider staying home rather than depend on any obfuscation technique to mask their presence at an event.

If you’re driving a car to a protest—your own or someone else’s—consider that automatic license plate readers can easily identify the vehicle’s movements. And, in addition to license plates, be aware that these same sensors can also detect other words and phrases, including those on bumper stickers, signs, and even T-shirts.

More broadly, everyone who attends a protest needs to consider—perhaps more than ever before—what their tolerance for risk might be, from mere identification to the possibility of arrest or detention. “I think it's important to say that protesting in the US now comes with higher risks than it used to—it comes with a real possibility of physical violence and mass arrest,” says Danacea Vo, the founder of Cyberlixir, a cybersecurity provider for nonprofits and vulnerable communities. “Even just compared to protests that happened last month, people were able to just show up barefaced and march. Now things have changed.”

**Your Online Footprint**

Though most privacy and security considerations for attending an in-person protest naturally relate to your body, any devices you bring with you, and your physical surroundings, there are a set of other factors to think about online. It’s important to understand how posts on social media and other platforms before, during, or after a protest could be collected and used by authorities to identify and track you or others. Simply saying on an online platform that you are attending or attended a protest puts the information out there. And if you take photos or videos during a protest, that content could be used to expand law enforcement’s view of who attended a protest and what they did while there, including any strangers who appear in your images or footage.

Authorities can come to your online presence by looking for information about you in particular, but can also arrive there using bulk data analysis tools like Dataminr that offer law enforcement and other customers real-time monitoring connecting people to their online activity. Such tools can also surface past posts, and if you’ve ever made violent comments online or alluded to committing crimes—even as a joke—law enforcement could discover the activity and use it against you if you are questioned or arrested during a protest. This is a particular concern for people living in the US on visas or those whose immigration status is tenuous. The US State Department has said explicitly that it is monitoring immigrants’ and travelers’ social media activity.

In addition to written posts, keep in mind that files you upload to social media might contain metadata like time stamps and location information that could help authorities track protest crowds and movement. Make sure you have permission to photograph or videotape any fellow protesters who would be potentially identifiable in your content. Also think carefully before livestreaming. It’s important to document what’s going on but difficult to be sure that everyone who could show up in your stream is comfortable being included.

Even if you take photos and videos that you don’t plan to post on social media or otherwise share, remember that this media could fall into law enforcement’s hands if they demand access to your device.

With federal crackdowns on protests ramping up around the country, Cyberlixir’s Vo says that people must assess each situation and weigh the benefits of maintaining personal privacy versus chronicling the reality of what’s happening at protests.

“Social media monitoring and online profiling is the factor that lots of people forget. Those who publish footage on social media should avoid sharing photos or videos that reveal people's faces,” she says. “But I also believe that documenting what’s going on is essential, especially in high-risk conditions, because when the state escalates we need proof for legal defense, for public record, for future organizing, and also to keep ourselves physically safe in real time.”

As protests continue—with the real possibility of even further escalated response from the Trump administration—be prepared for the emergence of forms of digital surveillance that have never been used in the US before to counter civil disobedience or to retaliate against protesters after the fact. Protesters will need to stay vigilant, and Fight for the Future’s Greer emphasizes that everyone has different potential vulnerabilities and tolerance for risk. For people of every category of risk, however, a few thoughtful privacy protections can go a long way towards empowering them to hit the streets.

“Part of the goal of governments extending and implementing mass surveillance programs is to scare people and make people think twice before they speak up,” Greer says. “I think that we should be very careful in this moment not to fall into that trap.”

How to Protest Safely in the Age of Surveillance

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

Phishing attackers abuse TLDs like .li, .es, and .dev to hide redirects, steal credentials, and bypass detection. See top domains flagged by ANY.RUN in 2025.

Some phishing sites don’t need fancy tricks, just the right domain name. And you won’t always spot it until it’s too late.

Hackers have become masters at abusing certain Top-Level Domains (TLDs), like .com, .ru, or .dev, to host phishing pages, fake login portals, or malware redirects. While many TLDs are used for legitimate purposes, others are repeatedly exploited to trick users into handing over sensitive information.

Recent sandbox data from ANY.RUN highlights the **20 TLDs most frequently used in phishing campaigns** in 2025. These domains are central to fake delivery scams, credential harvesting pages, and multi-stage redirect chains.

****Which TLD is the Most Abused by Attackers?****

According to ANY.RUN’s 2025 data, the **.li** domain ranks #1 in phishing abuse by ratio. An alarming **57%** of observed .li domains were flagged as malicious. But here’s the twist: many of them don’t host phishing content directly. Instead, .li is widely used as a **redirector;** a middleman that sends unsuspecting users to fake login pages, malware downloads, or credential harvesting sites.

These indirect roles in phishing chains often go unnoticed by detection tools, making .li a quiet but dangerous enabler in many attacks.

Top 20 phishing TLDs observed inside ANY.RUN sandbox analysis sessions

For instance, in this ANY.RUN analysis session, we see a .li domain in action. At first glance, it seems harmless. 

View analysis session

.li domain observed inside the interactive sandbox

As soon as it loads, the browser is quietly redirected from the .li domain to a .com version of the same name, maintaining a sense of legitimacy before finally landing on a phishing page tied to a crypto-mining scam. 

There’s no flashy malware or obvious warning sign, just a quick, invisible switch that hands the user over to an attacker-controlled site.

Phishing page detected by ANY.RUN sandbox

This kind of redirection tactic makes .li especially slippery. But it can be easily spotted inside the ANY.RUN sandbox, where analysts can **trace every redirection in real-time**, uncover hidden phishing paths, and extract critical IOCs before users ever click the link. Because the malicious content often lives one hop away, tools that rely only on domain blacklists or static scans frequently miss it.

Gain control over phishing investigations with full redirection paths, behaviour traces, and real-time analysis. Start analyzing with ANY.RUN.

****Other Commonly Abused TLDs in Phishing Campaigns****

While .li tops the list by ratio, it’s far from the only domain zone being misused by attackers. Several others stand out due to the **high frequency and recurring use in phishing campaigns**.

****.es: Fake Logins and Delivery Scams****

.es, Spain’s country code TLD, has become a popular choice for attackers running credential phishing and fake delivery scams. Phishing pages using .es often mimic familiar services like Microsoft 365 or postal couriers, tricking users into entering their login credentials or payment information. The domains feel local and trustworthy, making them especially dangerous for Spanish-speaking users.

Phishing attack using fake Microsoft attack with .es domain

****.sbs: Cheap Domains for Credential Harvesting****

Because .sbs domains are incredibly cheap to register, attackers use them for quick-hit phishing campaigns. These domains often host fake tracking pages, urgent payment requests, or impersonate corporate portals, each crafted to steal login details or credit card numbers. The low barrier to entry makes .sbs a go-to for disposable phishing infrastructure.

Malicious activity with .sbs domain detected by ANY.RUN

****.cfd: Frequently Used in Phishing Kits****

Another budget TLD, .cfd shows up often in phishing kits posing as document sharing or government portals. These sites may appear to be PDF viewers or tax forms but are designed to harvest sensitive information, usually corporate credentials or ID data.

Since the branding is generic and the sites are throwaway, attackers can spin them up in bulk.

Phishing attack with .cfd domain observed inside interactive sandbox

****.ru: Familiar-Looking but Malicious****

Despite being a legitimate country-code domain, .ru remains a common sight in malicious campaigns. Many phishing actors use it to lend a sense of credibility, especially when targeting users in or near Russia. It’s frequently used to host fake login forms or distribute malware disguised as software downloads.

.ru domain with a fake Microsoft login page detected by ANY.RUN

****.dev: Abused via Trusted Platforms****

.dev domains are often tied to Google’s hosting services, such as pages.dev and workers.dev, giving them an automatic layer of legitimacy through HTTPS and clean interfaces. Phishing pages hosted here can look polished and professional, making them harder to distinguish from real services, even for tech-savvy users. This makes .dev a powerful tool for impersonating SaaS platforms or cloud services.

Workers.dev abused by attackers

****The Fastest Way to Uncover Phishing Threats****

Interactive sandboxes like ANY.RUN allows security teams to safely detonate suspicious URLs, monitor real-time redirections, and expose phishing behaviour as it unfolds. With verdicts in under 40 seconds, analysts can quickly understand whether a domain is benign, malicious, or part of a broader campaign.

Key benefits for SOC teams:

*   **Trace full redirect chains** – Follow every jump, even when the initial domain appears harmless or masked behind a short link.
*   **Uncover phishing kits, credential stealers, and scam pages** – See phishing behaviour in action, including form captures, fake login flows, and injected scripts.
*   **Extract IOCs and artefacts automatically** – Get domain names, URLs, IPs, dropped files, and more without manual digging.
*   **Reduce investigation time and false positives** – Use behaviour-based verdicts to make faster, more confident decisions.
*   **Inspect phishing pages across platforms** – Identify threats targeting Windows, Android, Linux, and web environments from a single interface.
*   **Simulate real user behaviour** – Interact with phishing pages to trigger hidden actions like redirects, pop-ups, or fake login prompts.
*   **Generate shareable reports instantly** – Export evidence and IOC-rich reports for incident response, team handoffs, or client notifications.

20 Top-Level Domain Names Abused by Hackers in Phishing Attacks

A mobile scam finds most people at least once a week, new Malwarebytes research reveals. The financial and emotional consequences are dire.

It’s become so troublesome owning a phone.

Malicious texts pose as package delivery notifications, phishing emails impersonate trusted brands, and unknown calls hide extortion attempts, virtual kidnapping schemes, or AI threats. Confusingly, even legitimate businesses now lean on outreach tactics that have long been favored by online scammers—asking people to scan QR codes, download mobile apps, and trade direct messages with, essentially, strangers.

All this junk is adding up, and it’s hurting everyday people.

According to new research conducted by Malwarebytes, 44% of people encounter a mobile scam every single day, while 78% encounter scams at least weekly. The victims of those scams—be they people who accidentally clicked on a link, filled out their information on a malicious webpage, or simply believed the person on the other side of a social media account—also suffered serious harms to their finances, emotions, and reputations. As Malwarebytes learned, 25% of scam victims were harassed or blackmailed, 19% had private info exposed, and 15% permanently lost their money.

As shared by one scam victim writing about their experience:

> “I felt like I was in a horror movie. I never thought it would happen to me like this.”

These are the latest findings from original research conducted by Malwarebytes to understand the reach, frequency, and impact that mobile scams have across multiple countries. By surveying 1,300 people over the age of 18 in the US, UK, Austria, Germany, and Switzerland, Malwarebytes can reveal a mobile reality full of tension: high concern, low action, and increasingly blurred lines between what’s safe and what’s not.

The complete findings can be found in the latest report, “Tap, swipe, scam: How everyday mobile habits carry real risk.” You can read the full report below.

Here are some of the key findings:

*   77% of people worry about mobile scams and threats. The biggest fears are around financial loss and fraud (73%), account and device lockout (70%), and identity theft (68%).
*   66% worry about the future of AI and how realistic scams are going to become.
*   Just 15% of people strongly agreed: “I am confident in my ability to tell when something on my mobile phone is a scam.”
*   74% of people have encountered a social engineering scam in their lives, such as phishing attempts, fake FedEx notifications, or romance scams, and 36% have fallen victim.
*   37% of people have encountered an extortion scam and 17% have fallen victim, including 7% who were harmed specifically by a sextortion scam.  
*   10% of people have a “safe word” in their family to “protect against things like kidnapping and extortion scams.”
*   52% of scam victims suffered financially: 18% had to freeze their credit, 15% lost money permanently, and 8% had accounts opened fraudulently in their name.
*   Only 20% of people use traditional security measures like antivirus, a VPN, and identity theft protection.
*   25% of people do not worry about scams at all because “it’s not something I can control.”

This is the mobile world that the public is forced to live in, and the mobile world that future generations may soon inherit. While broad, bold action is required to meaningfully catch and stop scammers, everyday people can lean on many cybersecurity best practices to stay safe and secure online. From using unique passwords, to implementing multifactor authentication (MFA), there is plenty at hand to make life more difficult for scammers.

Importantly, there’s also help from Malwarebytes.

With the launch of our free, AI-powered digital safety companion **Scam Guard**, users can review any concerning text, email, phone number, link, image, or online message and receive on the spot guidance to avert and report scams. Try it today and remove the fear from being online.

Scam Guard is available for both free and paid users of Malwarebytes Mobile Security (iOS and Android), without having to install an additional app.  

Try it out for yourself: Download Malwarebytes Mobile Security for iOS or Android.

 44% of people encounter a mobile scam every single day, Malwarebytes finds 

A list of topics we covered in the week of June 1 to June 7 of 2025

June 6, 2025 - How to update Chrome on every Operating System (Windows, Mac, Linux, Chrome OS, Android, iOS)

June 6, 2025 - Cybercriminals are abusing the hospitality industry and its booking platforms to defraud the travelers that visit them

June 5, 2025 - Ransomware has been discovered by security researchers in fake installers posing as Chat GPT, Nova Leads, and InVideo AI.

June 4, 2025 - Google has released an important update for Chrome, patching one actively exploited zero-day and two other security flaws

June 3, 2025 - As scammers develop new ways of exploiting unsuspecting users, Malwarebytes is introducing Scam Guard to combat this new wave of threats.

 A week in security (June 1 &#8211; June 7) 

Over 20 malicious apps on Google Play are stealing crypto seed phrases by posing as trusted wallets and exchanges, putting users' funds at risk.

A recent investigation by threat intelligence firm Cyble has spotted a campaign targeting cryptocurrency users through the Google Play Store with more than 20 malicious Android applications.

These apps, disguised as trusted crypto wallets like SushiSwap, PancakeSwap, Hyperliquid, and Raydium, have been found harvesting users’ 12-word mnemonic phrases, the keys that unlock their crypto funds.

These apps mimic legitimate wallet interfaces, luring users into entering sensitive recovery phrases. Once entered, the attackers can access the real wallets and empty them. While Google has removed many of these fake apps following Cyble’s report, a handful remain live on the store and have been flagged for removal.

****How the Scam Works****

According to Cyble’s report shared with Hackread.com, the fraudulent apps carry names and icons of well-known crypto platforms and appear under developer accounts that previously hosted genuine apps, including games, video downloaders, and streaming tools. These accounts, some with more than 100,000 downloads, appear to have been hijacked and repurposed to distribute the malicious apps.

Screenshot showing a developer account that previously published legitimate apps, now used for malicious activity (Credit: Cyble)

In several cases, the apps use a development tool known as the “Median framework” to quickly turn phishing websites into Android apps. The apps load these phishing pages directly inside a WebView, an embedded browser window, that asks users for their mnemonic phrase under the guise of wallet access.

The campaign isn’t only widespread in scale but also coordinated in its infrastructure. One phishing domain found by Cyble was linked to over 50 similar domains, all part of the same broader effort to compromise wallet security.

Cyble’s researchers also noticed a pattern in how these fake apps operate. Many of them include links in their privacy policies that actually lead to phishing websites designed to steal users’ wallet recovery phrases. The apps also tend to follow similar naming styles, which points to the use of automated tools to quickly create and publish them.

On top of that, several apps are connected to the same servers or websites, showing they’re part of a larger, organized effort. Some of the fake domains linked to these apps include:

*   bullxnisbs
*   hyperliqwsbs
*   raydifloydcz
*   sushijamessbs
*   pancakefentfloydcz

These domains impersonate various wallet providers and serve pages meant to trick users into handing over their seed phrases. Meanwhile, the partial list of malicious apps, courtesy of Cyble, is available below:

1.  Raydium
2.  SushiSwap
3.  Suiet Wallet
4.  Hyperliquid
5.  BullX Crypto
6.  Pancake Swap
7.  Meteora Exchange
8.  OpenOcean Exchange
9.  Harvest Finance Blog

Despite efforts to remove the apps, the campaign is ongoing. As of this report, a few remain active on the Play Store. The quick replication of these apps using off-the-shelf frameworks suggests the attackers could easily spin up more fake apps if not quickly blocked.

This poses a serious risk. Unlike traditional banking, there is no safety net for crypto theft. Once a wallet is drained, the funds are nearly impossible to recover.

Cyble has shared detailed indicators of compromise (IOCs) including app names, package identifiers, and phishing domains, which security professionals can use to block or investigate further.

This campaign goes on to show how attackers continue to target the already vulnerable crypto space through official channels like app stores. While app platforms are working to catch malicious uploads, users remain on the receiving end of these cybersecurity threats. Therefore, users are urged to watch out and follow these steps to protect themselves:

Watch for red flags like low review counts, recently republished apps, or links to strange domains in privacy policies.

*   Avoid downloading and installing unnecessary apps.

*   Enable Google Play Protect to help identify potentially harmful apps.

*   Use biometric security and two-factor authentication where available.

*   Always watch out while downloading apps from third-party as well as official stores.

*   Never enter your 12-word phrase into any app or website unless you’re certain it’s legitimate.

Over 20 Malicious Apps on Google Play Target Users for Seed Phrases

Plus: A 22-year-old former intern gets put in charge of a key anti-terrorism program, threat intelligence firms finally wrangle their confusing names for hacker groups, and more.

Since it’s already chaos out there, this week, we thought we’d lean into the madness by envisioning the future threats that you’re not ready for. From cyberattacks on the US grid to GPS blackouts, rampant deepfake scams, AI-powered super hackers, and widespread communication system collapse, there’s a whole spectrum of scenarios that could take things from bad to worse.

All is not lost, however—at least if you’re Ross Ulbricht. The creator of the Silk Road dark web market, who was pardoned by President Donald Trump earlier this year, received a mysterious $31 million bitcoin donation last weekend. Crypto-tracing firm Chainalysis now suspects the lavish gift may have come from a vendor at another now-defunct black market, AlphaBay.

A trove of public records reviewed by WIRED this week reveal a years-long effort by a farming industry group to get the FBI to treat animal rights activists as a “bioterrorist” threat. The Animal Agriculture Alliance (AAA) was repeatedly in contact with the bureau’s Weapons of Mass Destruction Directorate about the activities of groups like Direct Action Everywhere, or DxE. The records show that AAA fed intelligence about DxE to the FBI and used corporate spies to infiltrate the group’s activities.

Immigration and Customs Enforcement recently updated its guidance for agents who carry out courthouse raids and other “enforcement actions” in and nearby court houses, according to an agency document reviewed by WIRED. The updated policy removes language that explicitly instructed agents to ensure they followed local and state laws.

Anyone who was trying to play a new video game on Christmas Day in 2014 likely remembers the infamous Lizardsquad hack of Xbox Live and Playstation Network. Now, more than a decade later, we finally have the full story.

But that’s not all! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Mysterious iPhone Crashes Hint at a Chinese Hacks. Apple Denies It**

The security firm iVerify this week brought to light a series of suspicious iPhone crashes that researchers say might just indicate a stealthy, unprecedented Chinese zero-click hacking campaign victimizing American phones, including even those of staffers for the Harris-Walz presidential campaign. Or it’s a random, not-particularly-dangerous bug that Apple has already squashed.

In a report released Thursday, iVerify assessed with “moderate confidence” that China-linked hackers may have targeted a series of iPhones with a sophisticated exploit, going after activists and dissidents critical of China, an EU government official, tech executives at AI firms competing with Chinese ones, and US political staffers—revealed by NBC News to be employees of the Harris-Walz campaign. iVerify didn’t have a sample of the malware that might have infected those phones or other definitive proof that any hacking occurred. But it pointed to signs that seem like more than coincidences: The staffers whose phones had experienced the crashes had also been warned by the FBI that they’d already been targeted in China’s Salt Typhoon hacking campaign against US telecoms. Another owner of the devices that crashed in the same way was later warned by Apple itself that he or she had been targeted by sophisticated hackers.

All of that would represent a serious threat to national security. Except that, strangely, Apple flatly denies it happened. “We strongly disagree with the claims of a targeted attack against our users,” Apple’s head of security engineering, Ivan Krstić, wrote in a statement to WIRED. Apple has patched the issue that iVerify highlighted in its report, which caused iPhones to crash in certain cases when a message sender changed their own nickname and avatar. But it calls those crashes the result of a “conventional software bug,” not evidence of a targeted exploitation. (That blanket denial certainly isn’t Apple’s usual response to confirmed iPhone hacking. The company has, for instance, sued hacking firm NSO group for its targeting of Apple customers.)

The result is that what might have been a four-alarm fire in the counterintelligence world is reduced—for now—to a very troubling enigma.

**A 22-Year-Old Is Running a Key US Anti-Terrorism Program**

A 22-year-old former intern at the Heritage Foundation with no national security experience has reportedly been appointed to a key Department of Homeland Security role overseeing a major program designed to combat domestic terrorism.

According to Propublica, Thomas Fugate last month assumed leadership of the Center for Programs and Partnerships (CP3), a DHS office tasked with funding nationwide efforts to prevent politically motivated violence—including school shootings and other forms of domestic terrorism.

Fugate, a 2024 graduate of the University of Texas at San Antonio, replaced the former CP3 director, Bill Braniff, an Army veteran with 20 years of national security experience who resigned in March following staff cuts ordered by the Trump administration.

According to CP3’s most recent report to Congress, the office has funded more than 1,100 initiatives aimed at disrupting violent extremism. In recent months, the US has seen a string of high-profile targeted attacks, including a car bombing in California and the shooting of two Israeli Embassy aids in Washington, DC. Its $18 million grant program, designed to support local prevention efforts, is reportedly now under Fugate’s supervision.

**Threat Intelligence Firms (Finally) Agree to a Glossary of Hacker Group Names**

Hacker group names have long been an unavoidable absurdity in the cybersecurity industry. Every threat intelligence company, in a scientifically defensible attempt to not make any assumption that they’re tracking the same hackers as another firm, comes up with their own code name for any group they observe. The result is a somewhat silly profusion of overlapping naming systems based on elements, weather, and zoology: “Fancy Bear” is “Forest Blizzard” is “APT28” is “Strontium.” Now, several major threat intelligence players, including Google, Microsoft, CrowdStrike, and Palo Alto Networks, have finally shared enough of their internal research to agree to a glossary that confirms that they’re referring to the same entities. The companies did _not,_ however, agree to consolidate their naming systems into a single taxonomy. So this agreement doesn’t mean the end of sentences in security reporting such as “the hacker group Sandworm, also known as Telebots, Voodoo Bear, Hades, Iron Viking, Electrum, or Seashell Blizzard.” It just means we cybersecurity reporters can write that sentence with a little more confidence.

**Phone-Hacking Firm Corellium Acquired for $200 Million—After Trump Pardons Its Founder**

Chris Wade, the founder and CTO of mobile device reverse-engineering company Corellium, has had a wild last few decades: In 2005, he was convicted on criminal charges of enabling spammers by providing them proxy servers, and agreed to work undercover for law enforcement while avoiding prison. Then in 2020, he mysteriously received a pardon from President Donald Trump. He also settled a major copyright lawsuit from Apple. Now his company, which creates virtual images of Android and iOS devices so that customers can find ways to break into them, is being acquired by phone-hacking firm Cellebrite, a major law enforcement contractor, for $200 million—a significant payday for a hacker who has found himself on both sides of the law.

The Mystery of iPhone Crashes That Apple Denies Are Linked to Chinese Hacking

In an effort to evade detection, cybercriminals are increasingly turning to “residential proxy” services that cover their tracks by making it look like everyday online activity.

For years, gray-market services known as “bulletproof” hosts have been a key tool for cybercriminals looking to anonymously maintain web infrastructure with no questions asked. But as global law enforcement scrambles to crack down on digital threats, they have developed strategies for getting customer information from these hosts and have increasingly targeted the people behind the services with indictments. At the cybercrime-focused conference Sleuthcon in in Arlington, Virginia, today, researcher Thibault Seret outlined how this shift has pushed both bulletproof hosting companies and criminal customers toward an alternative approach.

Rather than relying on web hosts to find ways of operating outside law enforcement's reach, some service providers have turned to offering purpose-built VPNs and other proxy services as a way of rotating and masking customer IP addresses and offering infrastructure that either intentionally doesn't log traffic or mixes traffic from many sources together. And while the technology isn't new, Seret and other researchers emphasized to WIRED that the transition to using proxies among cybercrminals over the last couple of years is significant.

“The issue is, you cannot technically distinguish which traffic in a node is bad and which traffic is good,” Seret, a researcher at the threat intelligence firm Team Cymru, told WIRED ahead of his talk. “That's the magic of a proxy service—you cannot tell who’s who. It's good in terms of internet freedom, but it's super, super tough to analyze what’s happening and identify bad activity.”

The core challenge of addressing cybercriminal activity hidden by proxies is that the services may also, even primarily, be facilitating legitimate, benign traffic. Criminals and companies that don't want to lose them as clients have particularly been leaning on what are known as “residential proxies,” an array of decentralized nodes that can run on consumer devices—even old Android phones or low-end laptops—offering real, rotating IP addresses assigned to homes and offices. Such services offer anonymity and privacy, but can also shield malicious traffic.

By making malicious traffic look like it comes from trusted consumer IP addresses, attackers make it much more difficult for organizations' scanners and other threat detection tools to spot suspicious activity. And, crucially, residential proxies and other decentralized platforms that run on disparate consumer hardware reduce a service provider's insight and control, making it more difficult for law enforcement to get anything useful from them.

“Attackers have been ramping up their use of residential networks for attacks over the last two to three years,” says Ronnie Tokazowski, a longtime digital scams researcher and cofounder of the nonprofit Intelligence for Good. “If attackers are coming from the same residential ranges as, say, employees of a target organization, it's harder to track.”

Criminal use of proxies isn't new. In 2016, for example, the US Department of Justice said that one of the obstacles in a years-long investigation of the notorious “Avalanche” cybercriminal platform was the service's use of a “fast-flux” hosting method that concealed the platform's malicious activity using constantly changing proxy IP addresses. But the rise of proxies as a gray-market service rather than something attackers must develop in-house is an important shift.

“I don’t know yet how we can improve the proxy issue,” Team Cymru's Seret told WIRED. “I guess law enforcement could target known malicious proxy providers like they did with bulletproof hosts. But in general, proxies are whole internet services used by everyone. Even if you take down one malicious service, that doesn't solve the larger challenge.”

Cybercriminals Are Hiding Malicious Web Traffic in Plain Sight

Though the operation was partially disrupted earlier this year, the botnet remains active and continues to target connected Android devices.

Tag

#android