As scammers develop new ways of exploiting unsuspecting users, Malwarebytes is introducing Scam Guard to combat this new wave of threats.

Mobile scams are becoming increasingly sophisticated, leaving people vulnerable to cybercriminals.  

We recently reported on the ever-increasing number of scams that are created by AI-supported tools, with attackers crafting highly convincing phishing emails that target both individuals and businesses, resulting in devastating financial losses, reputational damage, and compromised personal data.  

Elaborate sextortion scams manipulate victims by using shame as a tactic to coerce them into taking action, sometimes draining their life savings.  

And the list goes on. Scammers are always finding new ways to trick their victims into giving them their hard-earned money or sensitive information. 

These tactics include urging individuals to change their address information on a non-existent delivery, promoting job opportunities that just seem too good to be true, or having a long-lost family member reach out on WhatsApp to invite you to share their newfound fortune with you.  

As scammers develop new ways of exploiting unsuspecting users, Malwarebytes is introducing Scam Guard to combat this new wave of threats.  

Scam Guard simplifies scam prevention by providing real-time feedback via an easy-to-use AI-powered chat. Just submit a screenshot, paste suspicious content, or share texts and numbers, and we’ll give you immediate personalized guidance and safety tips. 

Scam Guard is unique in that it’s backed by Malwarebytes extensive threat research knowledge base, making it both effective and efficient.  

Whether users come across a suspicious message on social media, a phishing attempt in their email, or a questionable text message, Scam Guard provides immediate, expert advice to keep them secure. 

**Key features of Scam Guard**

*   **AI-powered chat companion**: An intuitive, mobile-first advisor available 24/7 that provides guidance to users on suspicious content or activities. 

*   **Comprehensive scam detection**: Scam Guard is trained to recognize various scams, including romance, phishing, financial fraud, text, robocall, and shipping fraud, helping you stay ahead of cybercriminals at all times.  

*   **Constantly evolving:** Scam Guard learns from users who submit new or unknown scams, which in turn helps protect the broader community.  

*   **24/7 support**: Scam Guard is available around the clock, ensuring that users receive timely advice and assistance, no matter where they are or what time it is. 

*   **Holistic mobile security**: Embedded within the Malwarebytes Mobile Security app, Scam Guard works alongside our all-in-one advanced protection for iOS and Android. 

Reporting suspicious content has never been easier—simply tap to submit right in the app.  

Scam Guard is available for both free and paid users of Malwarebytes Mobile Security (iOS and Android), without having to install an additional app.  

Try it out for yourself: Download Malwarebytes Mobile Security for iOS or Android.

 Scammers are constantly changing the game, but so are we. Introducing Malwarebytes Scam Guard 

This spring has seen another spate of stories about juice jacking, including a new, more sophisticated form of attack. But how much of a threat is it, really?

Remember juice jacking? It’s a term that crops up every couple of years to worry travelers. This spring has seen another spate of stories, including a new, more sophisticated form of attack. But how much of a threat is it, really?

Juice jacking is where an attacker uses a malicious public USB charger to install malware on, or steal information from, your phone. In theory, the victim plugs their phone into a USB charging port like those found in airports, restaurants or public transportation to top up their battery. The attacker has programmed the charger to start a data connection with the phone, allowing them to perhaps view files or control apps.

Both Apple and Android operating system developer Google coded rudimentary protections against juice jacking into their operating systems years ago. They updated their software so that users would have to approve any request to control the phone via a USB port.

However, as Ars Technica reported last week, researchers have found a way past these mechanisms in a new variation on the theme called ChoiceJacking.

Ars offers a detailed technical analysis of the exploit, invented by researchers at Austria’s Graz University of Technology. In short, though, it gives itself permission to control the phone by spoofing the user’s button-pressing for them.

Government agencies continue to warn about the risks of juice jacking. The TSA was the most recent, posting a warning about the issue on Facebook back in March:

> “Hackers can install malware at USB ports (we’ve been told that’s called ‘juice/port jacking’). So, when you’re at an airport do not plug your phone directly into a USB port. Bring your TSA-compliant power brick or battery pack and plug in there.”

The TSA is well-intentioned, but behind the times. The FBI’s Denver office tweeted about this threat back in 2023, and the LA County District Attorney’s office posted about it in 2019.

Researchers have highlighted the threat since at least 2011, when the Defcon conference installed public charging stations that would flash a warning message on peoples’ phones. Since then, others have presented on the possible risks, and enterprising tinkerers have released malicious cables that take control of devices when plugged into them.

**Have any juicers actually been jacked?**

The FCC, which has had an advice page about this issue since 2019, said two years ago that it hadn’t found any real-world attacks, and Malwarebytes hasn’t found any since.

However, the lack of publicly documented attacks doesn’t mean that juice jacking isn’t a risk. It’s theoretically feasible. So how can you prevent against it?

Both Apple and Google have updated their operating systems to require more robust authentication than simply pressing a button when a connected USB device asks to take over your phone. However, not all iPhone users will necessarily update their devices. Android-based smartphone vendors get to implement their own versions of the operating system on their own schedule, and many take a long time to roll out new protections if they do so at all.

One way to be sure that your phone won’t get hijacked by a malicious charging station is to use a USB cable that has the data communication pins disconnected, meaning that a malicious charging port can’t talk to your phone. However, the Ars article warns that this might also interfere with the charging process on some phones.

One alternative is to power down your phone before plugging it in. Or take your own portable charging battery with you and skip the ports altogether.

**Oh, and don’t use public Wi-Fi, says TSA**

On another note, the TSA Facebook post also offered another piece of advice: “Don’t use free public WiFi, especially if you’re planning to make any online purchases,” it warned. “Do not ever enter any sensitive info while using unsecure WiFi \[sic\].”

This advice has merit. Attackers can snoop on public Wi-Fi connections, although the advancement of HTTPS on websites mean this is less of a risk nowadays for everyday browsing. However, if you’re doing anything of a sensitive nature, such as online banking, you can use a VPN to encrypt your traffic.

A simple alternative is to simply use cellular data instead, tethering your phone if you’re using a tablet or PC.

Which of these anti-juice-hacking and Wi-Fi snooping protections should you choose? As with all cybersecurity decisions, this is a question of how much risk you’re prepared to tolerate. Personally, I err on the side of caution. A little inconvenience now could save you significant trouble later.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Juice jacking warnings are back, with a new twist 

A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America.
The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victim's contacts list.
"Recent

Android Trojan Crocodilus Now Active in 8 Countries, Targeting Banks and Crypto Wallets

Three security vulnerabilities have been disclosed in preloaded Android applications on smartphones from Ulefone and Krüger&Matz that could enable any app installed on the device to perform a factory reset and encrypt an application.
A brief description of the three flaws is as follows -

CVE-2024-13915 (CVSS score: 6.9) - A pre-installed "com.pri.factorytest" application on Ulefone and

Preinstalled Apps on Ulefone, Krüger&Matz Phones Let Any App Reset Device, Steal PIN

Qualcomm has shipped security updates to address three zero-day vulnerabilities that it said have been exploited in limited, targeted attacks in the wild.
The flaws in question, which were responsibly disclosed to the company by the Google Android Security team, are listed below -

CVE-2025-21479 and CVE-2025-21480 (CVSS score: 8.6) - Two incorrect authorization vulnerabilities in the Graphics

Qualcomm Fixes 3 Zero-Days Used in Targeted Android Attacks via Adreno GPU

Cisco Talos has uncovered new threats, including ransomware like CyberLock and Lucky_Gh0$t, and a destructive malware called Numero, all disguised as legitimate AI tool installers to target victims.

Thursday, May 29, 2025 06:00

*   Cisco Talos has discovered new threats, including the ransomware CyberLock, Lucky\_Gh0$t, and a newly-discovered malware we call “Numero,” all of which masquerade as legitimate AI tool installers. 
*   CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on the victim's system. The threat actor deceitfully claims in the ransom note that the payments will be allocated for humanitarian aid in various regions, including Palestine, Ukraine, Africa and Asia. 
*   Lucky\_Gh0$t ransomware is yet another variant of the Yashma ransomware, which is the sixth iteration of the Chaos ransomware series, featuring only minor modifications to the ransomware binary. 
*   The newly-identified destructive malware, Numero, affects victims by manipulating the graphical user interface (GUI) components of their Windows OSs, rendering systems completely unusable. 

AI has increasingly proliferated across various business verticals, leading to a transformation of industries through automation, data-driven decision-making and enhanced customer engagements. However, as AI continues to propel multiple industry sectors forward, malicious actors are exploiting its popularity by distributing a range of malware disguised as AI solutions’ installers and tools.  

Threat actors are employing a variety of techniques and channels to distribute these fraudulent installers, including SEO-poisoning tactics to manipulate search engine rankings and cause their malicious websites or download links to appear at the top of search engine results, as well as platforms such as Telegram or social media messengers. 

As a result, unsuspecting businesses in search of AI solutions may be deceived into downloading counterfeit tools in which malware is embedded. This practice poses a significant risk, as it not only compromises sensitive business data and financial assets but also undermines trust in legitimate AI market solutions. Therefore, organizations and users must exercise extreme caution, meticulously verify sources, and rely exclusively on reputable vendors to avoid falling prey to these threats. 

Talos has recently uncovered multiple threats masquerading as AI solutions being circulated in the wild, including the CyberLock and Lucky\_Gh0$t ransomware families, along with a newly discovered destructive malware, dubbed “Numero.” The legitimate versions of these AI tools are particularly popular within the B2B sales domain and the technology and marketing sectors, indicating that individuals and organizations in these industries are particularly at risk of being targeted by these malicious threats. 

**CyberLock ransomware **

Talos observed a threat actor creating a lookalike fake AI solution website with the domain ‘novaleadsai\[.\]com’, likely masquerading as the original website domain ‘novaleads.app’, a lead monetization platform designed to help businesses maximize the value of their leads through various services and performance-based models. 

Figure 1. Fake website advertising the AI tool. 

On the fake website, the actor persuades users to download the product with an offer of free access to the tool for the first 12 months, followed with a monthly subscription of $95. The threat actor also used an SEO manipulation technique that made their fake website appear in the top search results for online search engines.   

When a user downloads the fake AI product as a ZIP archive, it contains a .NET executable with the file name ‘NovaLeadsAI.exe’. The executable was compiled on Feb. 2, 2025, which is on the same day the fake domain ‘novaleadsai\[.\]com’ was created.  

The ‘NovaLeadsAI.exe’ file is the loader that has the CyberLock ransomware PowerShell script embedded as the resource file. When the victim runs the loader executable, it deploys the ransomware. 

Figure 2. Snippet of the CyberLock ransomware loader. 

**CyberLock ransom note **

The CyberLock ransomware appeared to be operating as early as Feb. 2025. The ransom note claims that the threat actor has obtained full access to sensitive business documents, personal files and confidential databases, demanding a hefty ransom in exchange for decryption keys. Victims are instructed to communicate with the threat actor by emailing ‘cyberspectreislocked@onionmail\[.\]org’. 

The CyberLock threat actor demands that the USD $50,000 ransom be paid exclusively in Monero (XMR) cryptocurrency and employs psychological tactics by falsely claiming that the ransom payments will be used for humanitarian aid in regions like Palestine, Ukraine, Africa and Asia. The actor splits the payment into two separate wallets, complicating defenders' tracking efforts. 

The ransom note is structured to intimidate and manipulate victims by threatening to expose stolen data if payment is not made within three days. However, Talos did not see any evidence of data exfiltration functionality within the ransomware code. 

Figure 3. CyberLock ransom note.

**CyberLock, the PowerShell ransomware **

CyberLock ransomware is written in PowerShell, embedded with the CSharp code and delivered to the victims as an embedded resource of the .NET loader. 

When CyberLock is executed, it initially uses the functions GetConsoleWindow from kernel32.dll and ShowWindow from user32.dll to hide the PowerShell window. Then it generates a secret by decrypting the encrypted public key and uses it to derive the AES key and IV during the encryption process. 

Figure 4. Snippet of CyberLock ransomware. 

CyberLock has the capability to elevate privileges and re-execute itself with administrative privileges if it is not already running in an elevated context.   

Figure 5. Snippet of CyberLock ransomware. 

CyberLocker enumerates folders and files of the logical partitions with the labels ‘C:\\’, ‘D:\\’ and ‘E:\\’. It encrypts the targeted files using AES and appends the file extension ‘.cyberlock’ to the encrypted files.  

Figure 6. Snippet of CyberLock ransomware. 

The targeted file extensions and the categories are shown below: 

Category

File Extensions

Text Documents

.txt, .doc, .docx, .odt, .rtf, .md, .rst, .tex, .sty

Spreadsheets

.xls, .xlsx, .ods, .csv, .tsv

Presentations

.ppt, .pptx, .odp, .potx, .ppsx

PDF & eBooks

.pdf, .pdfx, .epub, .mobi, .azw, .azw3, .chm, .hlp

Images

.jpg, .jpeg, .png, .gif, .bmp, .tiff, .raw, .svg, .jfif, .ico, .webp

Audio

.mp3, .wav, .ogg, .aac, .flac, .m4a, .m4b, .caf, .mp3g

Video

.avi, .mp4, .mov, .mkv, .wmv, .webm, .3gp, .flv, .m4v, .vob, .mts, .m2ts, .ts, .mxf, .divx, .mpeg, .mpg, .ram, .rm

Archives & Disk Images

.zip, .rar, .7z, .tar, .gz, .xz, .tar.gz, .tar.bz2, .iso, .iso9660, .img, .dmg, .cdr, .zipx, .cab, .zpaq, .seam, .rar5

Executables & Scripts

.exe, .bat, .cmd, .sh, .ps1, .vbs, .js, .appx, .apk, .ipa, .deb, .rpm, .whl

Code & Programming

.html, .css, .scss, .xml, .json, .yaml, .cfg, .sql, .pl, .rb, .py, .lua, .h, .c, .cpp, .m, .swift, .java, .asm, .psm1

Database Files

.sql, .mdb, .accdb, .db, .sqlite, .sqlitedb, .db3, .sqlite3

System & Config

.log, .bak, .tmp, .swp, .ini, .plist, .xmlrpc, .dsk, .xcv

Fonts

.ttf, .otf, .woff, .woff2, .eot, .pfb

Design & Graphics

.ai, .psd, .indd, .eps, .fla, .swf

Backup & Virtual Machine

.vhd, .vmdk, .qcow2, .gho, .vpb

GIS & Maps

.gpx, .kml, .shp

Other Files

.torrent, .bup, .ifo, .bin, .dll, .msi, .sys, .qif, .pages, .key, .numbers, .rdata, .seed, .3dxml, .kdbx

After encrypting the targeted files, CyberLock creates a ransom note on the victim machine desktop with the file name ‘ReadMeNow.txt’. Ransom note contents are written into it from the embedded strings in the ransomware PowerShell script. 

Talos observed that the ransomware actor sets a wallpaper to the victim machine’s desktop after dropping the ransom note. The threat actor downloads a header image from a cybersecurity organization’s blog post to the victim machine user profile applications temporary folder. They configure the path of the downloaded image to the registry key “Wallpaper” and enable the wallpaper through PowerShell commands. Talos not fully certain of the actor’s motive for setting the victim machine’s desktop wallpaper to a security research blog post header image. 

Figure 7. Snippet of CyberLock ransomware. 

Figure 8. Sample blog post header wallpaper. 

Finally, CyberLock uses the living-off-the-land binary (LoLBin) ‘cipher.exe’ with the ‘/w’ option to erase free space on the victim's hard drive partitions, hindering forensic recovery of deleted files. 

Figure 9. Command execution to wipe the hard drive free space. 

‘Cipher.exe’ is a built-in Windows command-line tool for managing file and folder encryption. One of its features allows users to prevent recovery of deleted files by overwriting free space with the ‘/w’ option. This was designed by Microsoft for legitimate purposes, such as securely wiping disks before reallocating them or complying with data protection laws to ensure sensitive data is unrecoverable by unauthorized parties.  

Threat actors often misuse this feature to eliminate their malicious footprints or permanently delete files from victim machines. This technique was previously utilized by a Russian APT in their attacks, as noted by Volexity researchers. However, Talos has not observed any indication that this activity is related to the activity described in prior reporting. 

**Lucky\_Gh0$t ransomware as fake ChatGPT installer  **

Talos discovered a threat actor distributing Lucky\_Gh0$t ransomware in the wild, archived in a self-extracting archive (SFX) ZIP installer with the file name ‘ChatGPT 4.0 full version - Premium.exe’. 

The malicious SFX installer included a folder that contained the Lucky\_Gh0$t ransomware executable with the filename ‘dwn.exe’, which imitates the legitimate Microsoft executable ‘dwm.exe’. The folder also contained legitimate Microsoft open-source AI tools that are available on their GitHub repository for developers and data scientists working with AI, particularly within the Azure ecosystem. The threat actor’s intention in including the legitimate tools in the SFX archive is likely to evade the anti-malware file scanners detections by masquerading as a legitimate package.  

The SFX script executes the ransomware when a victim runs the malicious SFX installer file. 

Figure 10. Malicious SFX executable contents. 

Lucky\_Gh0$t ransomware is the Yashma ransomware variant with most features unchanged, including the evasion techniques, deleting the volume shadow copies and backups, and AES-256 and RSA-2048 encryption techniques. Talos observed a few minor modifications in the Lucky\_Gh0$t binary with targeted file size limits that are to be considered by the ransomware during encryption. 

Lucky\_Gh0$t targets files on the victim machine that are approximately less than 1.2GB in size and encrypts the files with the RSA-encrypted AES key, appending a 4-digit random alphanumeric characters as the file extension. The targeted files category for encryption include: 

*   Text, code and config files 
*   Microsoft Office and Adobe files 
*   Media formats and images 
*   Archives and installers 
*   Backup and database files 
*   Android package kit, Java Server Pages and Active server pages 
*   Certificate files 
*   Visual Studio Solutions and PostScripts 

Figure 11. Lucky\_Gh0$t encryption function for files less than 1.2GB. 

For the targeted files with a size larger than 1.2GB, the ransomware creates a new file the same size of the original file and writes a single character “?” as the file content. It appends a 4-digit random alphanumeric character file extension to the new file and deletes the original file, exhibiting destructive behavior. 

Figure 12. Lucky\_Gh0$t encryption function for files larger than 1.2GB. 

Lucky\_Gh0$t ransomware provides a personal ID to the victims in their ransom note. For further communication regarding ransom payment and decryption, it instructs the victims to contact the threat actor using a secure messenger platform at ‘getsession\[.\]org’ with a unique session ID.

Figure 13. Lucky\_Gh0$t ransom note.

Talos recently discovered a new destructive malware in the wild that we call “Numero,” designed to imitate the AI video creation tool installer, InVideo AI. InVideo AI is an online platform widely used for marketing videos, social media content, explainer videos and presentations. The threat actor impersonates the product and the organization names in the malicious file’s metadata. 

Figure 14. A fake installer execution flow running the payload Numero. 

The fake installer is a dropper containing a malicious Windows batch file, VB script and the Numero executable with the file name ‘wintitle.exe’. When the victim runs the fake installer, it drops the malicious components in a folder at the local user profile’s application temporary folder. Then it executes the dropped Windows batch file through Windows shell in an infinite loop. It first runs the Numero malware and then halts the execution for 60 seconds by executing the VB script through cscript.  

After resuming the execution, the batch file terminates the Numero malware process and restarts its execution. By implementing the infinite loop in the batch file, the Numero malware is continuously run on the victim machine. 

Figure 15. Malicious Windows bat loader. 

Numero's behavior is consistent with window manipulator malware. Numero is a 32-bit windows executable written in C++ and was compiled on Jan. 24, 2025.  

Numero evades analysis by checking the process handles of various malware analysis tools and debuggers including IDA, x64 debugger, x32debugger, ollydbg, scylla, windbg, reshacker, ImportREC, Immunity debugger, Zeta debugger and Rock debugger. 

Figure 16. Snippet of the Numero function and the malicious thread. 

Numero malware creates and executes the thread in an infinite loop. The thread code interacts with the Windows GUI and manipulates the victim’s desktop window using the Windows APIs GetDesktopWindow, EnumChildWindows and SendMessageW. It monitors the victim machine desktop window continuously and hooks to the child window created in the victim desktop. Numero overwrites the window title, buttons and contents with the numeric string ‘1234567890’, corrupting the victim machine to become unusable.  

Figure 17. Corrupted Windows Run terminal. 

**Coverage  **

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

Snort SIDs for the threats are: 

*   Snort 2: 64901, 64902, 64899, 64900, 64897, 64898, 64896 
*   Snort 3: 301207, 301206, 301205 

ClamAV detections are also available for this threat:   

*   Ps1.Ransomware.CyberLock-10045054-0 
*   Win.Dropper.CyberLock-10045058-0 
*   Win.Dropper.LuckyGhost-10045078-0 
*   Win.Ransomware.LuckyGhost-10045080-0 
*   Win.Loader.Numero-10045084-0 
*   Win.Dropper.Numero-10045088-0 
*   Win.Malware.Numero-10045090-0 
*   Win.Malware.Numero-10045093-0 

**Indicators of Compromise **

IOCs for this threat can be found in our GitHub repository here.

Cybercriminals camouflaging threats as AI tool installers

A renewed warning about toll fee scams has gone out. This time it comes from the DMVs of several US states.

Over a year ago the FBI warned about what was then a new form of smishing (phishing via SMS) scam: text messages that demanded payment for toll fees.

The FTC sent out a similar warning in January, 2025. Then, in April another wave of toll fee scams began doing the rounds.

Now the Departments of Motor Vehicles (DMVs) of New York, Florida, and California are warning residents not to fall for the text message scams that try to trick users into clicking a link by telling them they owe a “small amount” in toll fees.

The amount of smishing messages is a major problem. Reportedly, in April of 2025 alone, Americans received 19.2 billion automated spam texts which amounts to roughly 63 spam texts for every single person in the country.

And it seems to be paying off for the cybercriminals involved in fraud. The FTC’s 2024 Annual Data Book shows that 16% of the reported fraud attempts were text-based, with a criminal revenue of some $470 Million.

**How to avoid falling for toll fee scams**

*   Check the phone number that the text message comes from. Some of the scams we saw were easy to dismiss because they came from telephone numbers outside the US.
*   Look for the actual site that handles the alleged toll fees and compare the domain name. Sometimes there is only a small difference, so inspect it carefully.
*   If you decided to pay, make sure you receive confirmation of payment. Official toll agencies will send confirmation after collecting payments. If you don’t receive that, call the toll service to check.
*   Try never to interact with the scammer in any way. Every reaction provides them with information, even if it’s only that the phone number is in use.
*   If you think the toll fee is feasible because you have indeed travelled in that area, check on the official toll service’s website or call their customer service number.
*   Malwarebytes Mobile Security for Android includes a “Text Protection” feature that alerts users about potentially fraudulent or phishing text messages, helping to prevent scams and other online threats. This feature scans incoming text messages for suspicious content, such as malicious links or suspicious phrases, and warns the user to be cautious. 
*   On Malwarebytes Mobile Security for iOS, our text filtering feature scans incoming messages for suspicious content—such as malicious links—and automatically moves them to your Junk folder before you have a chance to interact with them by mistake.
*   The FBI asks that if you receive a suspicious message, contact the FBI Internet Crime Complaint Center at ic3.gov. Be sure to include the phone number from where the text originated, and the website listed within the text.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 New warning issued over toll fee scams 

A stalkerware company that recently leaked millions of users' personal information online has taken all of its assets offline without any explanation.

A stalkerware company that recently leaked millions of users’ personal information online has taken all of its assets offline without any explanation. Now Malwarebytes has learned that the company has taken down other apps too.

Back in February, news emerged of a stalkerware app compromise. Reporters at Techcrunch revealed a vulnerability in three such apps: Spyzie, Cocospy, and Spyic. The flaw exposed data from the victim’s devices, rendering their messages, photos, and location data visible to whomever wanted them. It also gave up approximately 3.2 million email addresses entered by the customers that bought and installed these apps on their targets’ devices.

The bug was so easy to exploit that Techcrunch and the researcher involved wouldn’t divulge it, to protect the compromised details.

Now, the apps have gone dark. Techcrunch revealed that the software has stopped working, and the websites advertising it have disappeared. The spyware’s Amazon Web Services storage has also been deleted. The publication speculated that the apps, which were branded separately but looked nearly identical, were possibly shut down to avoid legal repercussions over the data leak.

Stalkerware apps are designed to hide themselves once installed on a person’s phone. They collect data including the location of the device, messages sent by the user, and their contacts.

Spyzie’s web site, now no longer available, marketed the software as a tool to keep an eye on your kids. It advertised itself as “100% hidden and invisible so you never get caught”. It also offered to collect their browser history, WhatsApp messages (including deleted ones), Facebook messages, and call logs. Spyzie claimed to have over a million users in more than 190 countries.

These aren’t the only three apps that the same organization took down. According to archived records of the Spyzie site, it was operated by FamiSoft Limited. That company also produced another app targeting kids called Teensafe (its website is also now down). Other apps now taken down that the company claimed to have operated include Spyier, Neatspy, Fonemonitor, Spyine, and Minspy.

Stalkerware is typically installed by those with direct access to a user’s phone or computer, and typically doesn’t need you to root or jailbreak the device. Spyzie targeted both Android and iPhone platforms. While frequently marketed as a way to keep children safe, theses are also frequently used by abusive partners or ex-partners, as explained by the Federal Trade Commission. The Coalition against Stalkerware, of which Malwabytes is a founding member, offers advice on what to do if you’re being targeted by a stalker.

There have been several instances over the years of stalkerware apps leaking data. It’s especially pernicious because in many cases it isn’t just the email addresses of the stalkerware’s customers that is compromised; it’s the personal details of the people whose phones are being spied upon.

Those people may often not be aware that they’re being surveilled, or might have been forced to install the software against their wishes. They are victimized twice: once when an individual invades their privacy, and twice when crummy infrastructure exposes their information more widely. If a customer really is using such software as a way of protecting their children, they might want to reconsider their choices.

Are you a victim of domestic abuse, or are you worried that someone else is? If you’re in the US, you can contact the National Domestic Abuse Hotline. If you’re in the UK, the government has a useful resource page to help victims and the charity Refuge operates a hotline.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Stalkerware apps go dark after data breach 

An arson attack in Colorado had detectives stumped. The way they solved the case could put everyone at risk.

3 Teens Almost Got Away With Murder. Then Police Found Their Google Searches

Plus: 12 more people are indicted over a $263 million crypto heist, and a former FBI director is accused of threatening Donald Trump thanks to an Instagram post of seashells.

As analysts and governments around the world continue to call attention to North Korean digital fraud, researchers this week published 1,000 email addresses they claim are linked to North Korean IT worker scams perpetrated against Western companies, along with photos of people allegedly involved in the fraud. Xinbi Guarantee, a marketplace and platform used by Chinese-speaking crypto scammers for money laundering grew into an $8.4 billion hub before a crackdown by Telegram this week. And following a WIRED inquiry, messaging app Telegram banned thousands of accounts used for money laundering in cryptocurrency scams. The takedowns included prominent names like Haowang Guarantee, a black market known for enabling $27 billion in transactions.

The acting director of the Consumer Financial Protection Bureau, Russell Vought, quietly eliminated a plan to more tightly regulate the sale of Americans’ sensitive personal data. CFPB had originally launched the initiative in response to increasingly far reaching and reckless behavior from data brokers. And with the rise of widely available generative AI services—and corresponding fraud—people are increasingly looking for ways to verify and vet their digital interaction online.

Meanwhile, ahead of Google’s Android 16 launch next week, the company announced expanded capabilities for its Android Scam Detection tool that uses local AI analysis to flag potential scam texts in Google Messages. The company also launched a new, extra-secure mode for Android 16, Advanced Protection, that will allow vulnerable or highly targeted users to lock their devices down and utilize advanced scanning features for catching potentially suspicious activity.

But there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Coinbase Discloses Costly Data Breach Impacting Less Than 1 Percent of Monthly Users**

The cryptocurrency exchange Coinbase said this week that it suffered a data breach in which attackers stole data including customers’ names, physical and email addresses, phone numbers, government IDs like driver’s licenses and passports, last four digits of Social Security numbers, and other financial information. The company said that “criminals targeted our customer support agents overseas. They used cash offers to convince a small group of insiders to copy data in our customer support tools for less than 1 percent of Coinbase monthly transacting users.” The company said the attackers’ goal was to collect customer data to then contact those Coinbase users, impersonate Coinbase, and trick them into giving away their cryptocurrency. The attackers also contacted the company and attempted to extort the company for $20 million. Coinbase currently has about 9.7 million total users. The company said in an Securities and Exchange Commission breach disclosure notification that it expects that it will cost between $180 million and $400 million to remediate the breach and reimburse customers for stolen funds.

**12 More Indicted Over Crypto Heist Worth $263 Million**

A four-count superseding indictment charged 12 additional people this week in an alleged criminal spree including more than $263 million in cryptocurrency theft, money laundering, and even physical break-ins. Several suspects were arrested this week in California in connection with the case. The indictment accuses the defendants of using stolen cryptocurrency for things like $500,000 nights out at clubs, hundreds of thousands of dollars spent on luxury handbags, watches, and clothes, private jet rentals, and “a fleet of at least 28 exotic cars ranging in value from $100,000 to $3.8 million.” The superseding indictment also alleges that some defendants used shell companies to register their “exotic cars” and “shipped bulk cash through US mail to members of the enterprise hidden in squishmallow stuffed animals.”

**James Comey Investigated for Instagram Post of Seashells**

On Thursday, former FBI director James Comey posted and then deleted an Instagram photo of seashells arranged to spell out the numbers “8647” captioned: “Cool shell formation on my beach walk.” Within hours, Republicans fixated on the post, claiming it was a call to violence against Donald Trump, the United States’ 47th president. Now, the Department of Homeland Security and the Secret Service are investigating.

If you’ve ever worked in a restaurant, you’ve probably heard someone in the kitchen shout that an item is “86’d”—a colloquialism meaning the kitchen is out of a particular menu item, like a cheeseburger. While most people don’t interpret that as a threat of violence against the cheeseburger, that’s apparently not how the president and his allies understood Comey’s post.

On Thursday, Department of Homeland Security secretary Kristi Noem wrote on X that both the DHS and Secret Service were investigating. “Disgraced former FBI Director James Comey just called for the assassination of @POTUS Trump,” she wrote. Later that night on Fox News, Director of National Intelligence Tulsi Gabbard accused Comey of “issuing a hit” on Trump and argued he should be “put behind bars.”

"That meant assassination, and it says it loud and clear," Trump told Fox News in an interview referring to the post, on Friday. Trump survived two assassination attempts last year.

Comey addressed the backlash in a follow-up post on Instagram, writing: “I didn't realize some folks associate those numbers with violence. It never occurred to me, but I oppose violence of any kind, so I took the post down.”

Comey served as FBI director from 2013 until he was fired by President Trump in 2017 during an ongoing investigation into Russian interference in the 2016 election.

Tag

#android