A list of topics we covered in the week of April 21 to April 27 of 2025

April 28, 2025 - WorkComposer, an employee monitoring app, has leaked millions of screenshots through an unprotected AWS S3 bucket.

April 25, 2025 - After hearing about ChatGPT o3 ability at geo-guessing we decided to run some tests and the tested AIs didn't fail to amaze us

April 24, 2025 - Attackers are luring victims into a Zoom call and then taking over their PC to install malware, infiltrate their accounts, and steal their assets.

April 24, 2025 - A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data.

April 24, 2025 - Blue Shield of California said it accidentally leaked the personal data of 4.7 million individuals to Google after a Google Analytics misconfiguration.

 A week in security (April 21 &#8211; April 27) 

In this episode of Uncanny Valley, our hosts explain how to prepare for travel to and from the United States—and how to stay safe.

Protecting Your Phone—and Your Privacy—at the US Border

A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data.

Got an Android phone? Got a tap-to-pay card? Then you’re like millions of other users now at risk from a new form of cybercrime – malware that can read your credit or debit card and hand its data over to an attacker. A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data and send it to cybercriminals half a world away. All you have to do is install the software and tap your card to your phone – and criminals excel at persuading you to do just that.

The malware, which cybersecurity company Cleafy calls SuperCard X, uses a feature now found in most Android phones: near-field communication (NFC). This enables your phone to read the data on a supporting payment card when it comes close enough. It’s how tap-to-pay machines found in retailers and ATMs work their magic.

Attackers get the malicious software via a malware-as-a-service model. This enables them to become affiliates for the developers of the software, who typically offer it for a percentage of the attackers’ takings. They can then focus on finding and targeting victims with social engineering attacks, which Cleafy says they’ve been doing in Italy.

**How the attack works**

First the attackers have to get the malware onto someone’s Android phone. That starts with a fraudulent ‘smishing’ message sent via SMS or WhatsApp, often impersonating a bank and asking the user to call.

The telephone number connects the victim to the attacker, who then persuades them to give up their PIN and log into their bank account. From there, they persuade the victim to remove the spending limits on their card, and then to install what they claim is a security application, sent to their phone as a link. This contains the SuperCard X malware.

Finally comes the payoff. The attacker, who by now will likely have built up a rapport with the victim, will ask them to tap their card to their phone. The malware then captures the card details, which it then sends to the attacker’s own Android phone. They can then use the phone as a cloned card for contactless payments. If you’ve ever tapped your phone instead of your card to pay for something, you’ll know how easy that is to do.

**Where did SuperCard X come from?**

Like much malware, SuperCard X didn’t come out of nowhere. Cleafy says that it shares code with another piece of malware called NGate, discovered last year. Both of these are likely built on concepts first outlined in NFCGate, a freely available open-source NFC software tool developed by German’s Technical University of Darmstadt.

SuperCard X’s developers have focused on making this software as stealthy as possible. Most antivirus programs for Android fail to spot it, says Cleafy. That’s because it asks for as few privileges as possible on the phone, and it doesn’t include many of the features that other malware has. In short, the less that a malicious program does on a phone, the smaller its footprint is and the more silent it can be.

This malware is a cybercriminal’s favorite for several reasons. Rather than attacking people with accounts at a particular bank, it works against anyone with a payment card, increasing the attacker’s scope. It’s also instant, compared to thefts by wire transfer, which can take days to complete.

It is important to note that payment framework**s** like Google Pay, Apple Pay, Samsung Pay, and som b**a**nk-specific wallet apps  use dynamic cryptographic tokens — which are similar in concept to the “rolling codes” often used in car keyless entry systems — to prevent signal replay attacks.

**How to protect yourself**

But, as with many things, the best defense is you. In this case, protection is simple. The cybercriminals behind this attack can’t do anything unless you install the software on your phone, and so they go through several steps to convince you to do so.

Be skeptical of text messages from people you don’t know, especially those claiming to be urgent. Scammers typically try and panic you into a fast response. When they get you on the phone, they can befriend you, further impeding your ability to think critically and say “no”.

If you can’t help yourself and feel compelled to take action, check in with a trusted family member if available to get their perspective. If you’re still convinced, then at least verify the message first. Call your financial institution through an official number – not through the one in the text message. We’ll bet a steak dinner that they won’t know what you’re talking about.

Never give personal details to anyone you don’t know who contacts you via text message, and never change your banking details at their request. And if anyone asks you to install software sent via text message, refuse and end the communication.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android malware turns phones into malicious tap-to-pay machines 

Cybersecurity researchers have revealed that Russian military personnel are the target of a new malicious campaign that distributes Android spyware under the guise of the Alpine Quest mapping software.
"The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs," Doctor Web said in an

Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices

Fake Alpine Quest app laced with spyware was used to target Russian military Android devices, stealing location data,…

Fake Alpine Quest app laced with spyware was used to target Russian military Android devices, stealing location data, contacts, and sensitive files.

A malicious version of Alpine Quest, a popular Android navigation app, has been found carrying spyware aimed at Russian military personnel. Security researchers at Doctor Web uncovered the modified software embedded with Android.Spy.1292.origin spyware capable of harvesting data and extending its functionality through remote commands.

Alpine Quest is commonly used by outdoor enthusiasts, but it’s also relied on by soldiers in Russia’s military zones due to its offline mapping features. That made it a convenient cover for attackers, who repackaged an older version of the app and pushed it as a free download through a fake Telegram channel. The link led to an app store targeting Russian users, where the infected software was listed as a pro version of the app.

Once installed, the spyware collects all sorts of information. Each time the app is opened, it sends the user’s phone number, account details, contacts, geolocation, and a list of files stored on the device to a remote server. Some of this data is also sent to a Telegram bot controlled by the attackers, including updated location details every time the user moves.

Left: Telegram channel promoting the malicious Alpine Quest app (in Russian via Dr. Web) – Right: English translation of the image using Yandex AI, via Hackread.com.

Doctor Web’s analysis shows that this spyware is capable of more than passive tracking. After identifying which files are available, the malware can be instructed to download new modules designed to extract specific content. Based on its behaviour, the attackers appear especially interested in documents shared through messaging apps like Telegram and WhatsApp. It also seeks out a file called locLog, created by Alpine Quest itself, which logs user movements in detail.

Because the spyware is bundled with a working version of the app, it looks and functions normally, giving it time to operate unnoticed. Its modular design also means its capabilities can grow over time, depending on the attackers’ goals.

Doctor Web advises users to avoid downloading apps from unofficial sources, even when they appear to offer free access to paid features. Even on official app stores, it’s best to avoid installing apps you don’t truly need. Malicious apps have been known to slip past review processes on both Google Play and the App Store.

At the time of writing, the group behind the campaign has not been identified, and it remains unclear whether this operation is domestic or foreign in origin. However, similar operations in the past have been linked to Ukrainian hacktivist groups, including Cyber Resistance, also known as the Ukrainian Cyber Alliance. In 2023, they reportedly **targeted spouses of Russian military personnel**, extracting sensitive and personal data. However, there is still no confirmed attribution for the group behind this spyware campaign.

Fake Alpine Quest Mapping App Spotted Spying on Russian Military

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android…

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android malware distribution via hacked WordPress, targeted attacks using XWorm and Strela Stealer, and potential connections to Chang Way Technologies.

Cybersecurity experts at Trustwave’s SpiderLabs have discovered an increase in malicious online activities originating from a Russian “bulletproof” hosting provider known as Proton66. These services, often favoured by cybercriminals due to their relaxed policies, have been linked to a wave of attacks targeting organizations worldwide since January 8, 2025.

Researchers have detailed their findings in a two-part series. The first part highlights a major increase in “mass scanning, credential brute-forcing, and exploitation attempts” coming from Proton66’s network (ASN 198953). This means attackers were actively probing for weaknesses in systems and trying to guess login details on a large scale.

SpiderLabs has also noticed an increase in scanning and exploiting traffic from Proton66’s network from January 8, 2025, with a sharp decline in February. The attacks targeted specific network blocks, the most active being 45.135.232.0/24 and 45.140.17.0/24, while some had been inactive for a significant period, with the last reported malicious activity dating back to July and November 2021.

Traffic Volume Analysis (Source: SpiderLabs)

Notably, the address 193.143.1.65, was observed connected to the operators of a new ransomware strain called SuperBlack, and its operators were distributing “some of the latest critical priority exploits,” researchers noted in the blog post.

The second part discusses malware campaigns linked to Proton66, including compromised WordPress websites redirecting Android users to fake Google Play Store pages likely to steal their information or install malicious apps.

The domain naming conventions used suggest targets speaking English (“us-playmarket.com“), French (“playstors-france.com“), Spanish (“updatestore-spain.com“), and Greek (“playstors-gr.com“).

SpiderLabs also discovered operators deploying Strela Stealer, an information-stealing tool that extracts email login credentials from targeted systems, between January and February 2025.

Another campaign involved XWorm malware targeting users of Korean-speaking chat rooms. Additionally, connections to WeaXor ransomware, a modified version of Mallox that encrypts files and demands a ransom for recovery, were detected. At the time of the report, the WeaXor group was asking for “$2,000, transferred in BTC or USDT.”

Sample Ransom Note (Source: SpiderLabs)

Interestingly, SpiderLabs’ investigation reveals a potential rebranding or connection between Proton66 and Hong Kong-based company, Chang Way Technologies Co. Limited. In November 2024, security firm Intrinsec linked Proton66 and PROSPERO to bulletproof hosting services advertised on underground forums as UNDERGROUND and BEARHOST.

SpiderLabs’s investigation revealed that while the Russian control panel for UNDERGROUND/BEARHOST customers remained at my.31337.ru, the my.31337.hk page was updated with a “CHANGWAY / HOSTWAY” theme. Still, technical connections between the infrastructures remained, suggesting an underlying link.

Technology and financial organizations are the prime targets of this campaign. However, the SuperBlack ransomware group preferred targeting non-profit, engineering, and financial sectors. Research by Forescout linked this IP address to the Mora\_001 threat actor who exploited vulnerabilities in Fortinet FortiOS devices, leading to the deployment of the SuperBlack ransomware.

It is worth noting that hackers have exploited vulnerabilities in Palo Alto Networks’ PAN-OS software (CVE-2025-0108), Mitel MiCollab (CVE-2024-41713), and D-Link NAS devices (CVE-2024-10914). D-Link has announced that the affected devices have reached their end-of-life, therefore, no security updates will be provided.

Nevertheless, researchers strongly recommend that organizations block all the internet address ranges associated with both Proton66 and Chang Way Technologies to protect themselves from potential compromise.

Trey Ford, Chief Information Security Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity, commented on the development, stating that while IPs aren’t reliable indicators of threat actors, since changing scan sources is cheap, patterns like consistent brute-force attempts still matter. “It’s a reminder to monitor login velocity, harden exposed services, and make attacks costly for low-effort actors,” he said.

Russian Host Proton66 Tied to SuperBlack and WeaXor Ransomware

A new Android malware-as-a-service (MaaS) platform named SuperCard X can facilitate near-field communication (NFC) relay attacks, enabling cybercriminals to conduct fraudulent cashouts.
The active campaign is targeting customers of banking institutions and card issuers in Italy with an aim to compromise payment card data, fraud prevention firm Cleafy said in an analysis. There is evidence to

SuperCard X Android Malware Enables Contactless ATM and PoS Fraud via NFC Relay Attacks

Text scams come in many forms and are an ever increasing threat doing an awful lot of financial, and other, damage

Text scams alone cost US citizens at least $470 million in 2024, according to new data from the US Federal Trade Commission (FTC).

Because many scams go unreported, though, this dollar amount might be considerably more. The FTC illustrated this with a graph comparing the reported losses to the number of reports.

Graph courtesy of FTC

This demonstrates that not only the damage per reported incident went up considerably, but also the total amount of damage. It also implies that a lot of incidents went unreported since we find it hard to believe that the number of scams might have declined—all it takes is a look at any single week in news coverage on Malwarebytes Labs to find stories on new scams, old scams, repeated scams, and the no-good scammers behind them.

**Top 5 text scams**

While scams reach us in many ways, the FTC focused on text scams in their report. This are the five main culprits:

1.  Package delivery problems. These are usually phishing expeditions aimed at the target paying a small amount for a redelivery, but while they are paying, their credit card details or other sensitive data are stolen.
2.  Phony job opportunities. These often come in the form of task scams, but the main story line is that a scammer posing as a recruiter gets the victim to pay for something they “need” to get the job done, or to steal the victim’s personal data.
3.  Fake fraud alerts. The fake alerts come as texts about so-called suspicious activity or about a big purchase the victim didn’t make. These texts often look like they’re from a bank or large retailer. The scammers offer help and then pressure people into moving money out of their accounts to supposedly keep it safe, when in reality it goes straight to the scammers.
4.  Toll fee scams. These attempts come as an unexpected text message linking to a website pretending to belong to one of the US toll authorities, such as E-ZPass. The texts usually create a sense of urgency by telling you there is only a limited time left to act or there will be dire consequences. Typically the scammers are out to steal personal information and/or payment details.
5.  Wrong number scams. An unexpected message that looks innocent enough from someone you don’t know but they act as if they know you. The idea is to get the target to tell them they’ve got a wrong number and with that engage them in a conversation, which may lead to romance scams, pig butchering, or other investment scams.

**Let’s work together to bring the numbers down**

Malwarebytes Mobile Security offers Text Protection, a feature that alerts users about potentially malicious or scam text messages. This feature works by analyzing incoming messages from unknown senders, checking for signs of scams, phishing links, or other malicious content. If a message is flagged, Android users receive a notification, while iOS users have the message deleted.

**iOS**

To enable Text Message Filtering on iOS devices, go to the iOS Settings app and explicitly enable it in the under **Messages > Unknown & Spam**. This is required for iOS to communicate with Malwarebytes about text messages.

**Android**

*   On the Mobile Security dashboard, toggle On Text Protection.
*   Tap Go to settings to grant Malwarebytes permission to alert over other apps.
*   Tap Give permissions, then tap Allow to allow the app to scan your text messages.
*   Once both permissions are granted, the Text Protection feature is active.

It’s also important to report scams. For US Citizens, report to the FTC at ReportFraud.ftc.gov and forward spam messages to 7726 to help your wireless provider spot and block similar messages.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Text scams grow to steal hundreds of millions of dollars 

The threat actors lace pre-downloaded applications with malware to steal cryptocurrency by covertly swapping users' wallet addresses with their own.

Android Phones Pre-Downloaded With Malware Target User Crypto Wallets

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited...

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

Both vulnerabilities allowed an attacker to bypass the memory protections that would normally stop someone from running malicious code. Reportedly, attackers used them with another unpatched vulnerability or malicious app, and the combination could be used to give them complete control over targeted iPhones.

The update is available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 13.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later

To check if you’re using the latest software version, go to **Settings** > **General** > **Software Update**. You want to be on iOS 18.4.1 or iPadOS 18.4.1, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

Update available

**Technical details**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-day CVEs patched in these updates are:

*   CVE-2025-31200: Processing an audio stream in a maliciously crafted media file may result in code execution due to a memory corruption issue which was addressed with improved bounds checking.
*   CVE-2025-31201: An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. This issue was addressed by removing the vulnerable code.

Given that both vulnerabilities were flagged as used in extremely sophisticated attacks and are patched simultaneously, it stands to reason that they were chained for a successful exploitation.

This deserves a bit of an explanation. Apple’s Pointer Authentication (PA) is a hardware security feature designed to detect and prevent tampering with critical pointers (like function addresses or return addresses) in memory. Computers use memory to store and provide information that software programs use as they run.

When creating a pointer (like a return address), the system adds a cryptographic signature (PAC) using secret keys. Before using the pointer, the system checks if the signature still matches.

A memory corruption issue can give an attacker the option to make a change in the device’s memory, but it’s often limited to a very small portion of the memory.

What could have happened here is that the attacker was able to use that ample space to create a pointer that was able to bypass the Pointer Authentication and use this ability to point from a legitimate application to their malicious code.

In the past researchers have already found bypass scenarios for attackers that already have full memory control.

What exactly happened is unknown, because, as a protection against attackers reverse engineering updates to find the vulnerabilities, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.

Which is also why it’s important to update before other criminals are using the same exploits in less targeted and more widespread attacks. To help with this, the Malwarebytes iOS app will guide you through “how to fix” and assist with similar cases in the future.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#android