A quiet tweak in a popular open-source tool opened the door to a supply chain breach—what started as a targeted attack quickly spiraled, exposing secrets across countless projects.
That wasn’t the only stealth move. A new all-in-one malware is silently stealing passwords, crypto, and control—while hiding in plain sight. And over 300 Android apps joined the chaos, running ad

⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More

Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay transactions from mobile devices located in China.

Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay transactions from mobile devices located in China.

Image: WLVT-8.

Authorities in Knoxville, Tennessee last week said they arrested 11 Chinese nationals accused of buying tens of thousands of dollars worth of gift cards at local retailers with mobile wallets created through online phishing scams. The Knox County Sheriff’s office said the arrests are considered the first in the nation for a new type of tap-to-pay fraud.

Responding to questions about what makes this scheme so remarkable, Knox County said that while it appears the fraudsters are simply buying gift cards, in fact they are using multiple transactions to purchase various gift cards and are plying their scam from state to state.

“These offenders have been traveling nationwide, using stolen credit card information to purchase gift cards and launder funds,” Knox County Chief Deputy **Bernie Lyon** wrote. “During Monday’s operation, we recovered gift cards valued at over $23,000, all bought with unsuspecting victims’ information.”

Asked for specifics about the mobile devices seized from the suspects, Lyon said “tap-to-pay fraud involves a group _utilizing Android phones to conduct Apple Pay transactions_ utilizing stolen or compromised credit/debit card information,” \[emphasis added\].

Lyon declined to offer additional specifics about the mechanics of the scam, citing an ongoing investigation.

**Ford Merrill** works in security research at SecAlliance, a CSIS Security Group company. Merrill said there aren’t many valid use cases for Android phones to transmit Apple Pay transactions. That is, he said, unless they are running a custom Android app that KrebsOnSecurity wrote about last month as a part of a deep dive into the sprawling operations of China-based phishing cartels that are breathing new life into the payment card fraud industry (a.k.a. “carding”).

How are these China-based phishing groups obtaining stolen payment card data and then loading it onto Google and Apple phones? It all starts with phishing.

If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the **U.S. Postal Service** to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.

These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or “**smishing**” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the **Apple iMessage** service and through RCS, the functionally equivalent technology on **Google** phones.

People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution in response to a request by the fraudsters to link the phished card data to a mobile wallet.

If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control. These phones are then loaded with multiple stolen wallets (often between 5-10 per device) and sold in bulk to scammers on Telegram.

An image from the Telegram channel for a popular Chinese smishing kit vendor shows 10 mobile phones for sale, each loaded with 5-7 digital wallets from different financial institutions.

Merrill found that at least one of the Chinese phishing groups sells an Android app called “**Z-NFC**” that can relay a valid NFC transaction to anywhere in the world. The user simply waves their phone at a local payment terminal that accepts Apple or Google pay, and the app relays an NFC transaction over the Internet from a phone in China.

“I would be shocked if this wasn’t the NFC relay app,” Merrill said, concerning the arrested suspects in Tennessee.

Merrill said the Z-NFC software can work from anywhere in the world, and that one phishing gang offers the software for $500 a month.

“It can relay both NFC enabled tap-to-pay as well as any digital wallet,” Merrill said. “They even have 24-hour support.”

On March 16, the ABC affiliate in Sacramento (**ABC10**), Calif. aired a segment about two Chinese nationals who were arrested after using an app to run stolen credit cards at a local Target store. The news story quoted investigators saying the men were trying to buy gift cards using a mobile app that cycled through more than 80 stolen payment cards.

ABC10 reported that while most of those transactions were declined, the suspects still made off with $1,400 worth of gift cards. After their arrests, both men reportedly admitted that they were being paid $250 a day to conduct the fraudulent transactions.

Merrill said it’s not unusual for fraud groups to advertise this kind of work on social media networks, including TikTok.

A **CBS News** story on the Sacramento arrests said one of the suspects tried to use 42 separate bank cards, but that 32 were declined. Even so, the man still was reportedly able to spend $855 in the transactions.

Likewise, the suspect’s alleged accomplice tried 48 transactions on separate cards, finding success 11 times and spending $633, CBS reported.

“It’s interesting that so many of the cards were declined,” Merrill said. “One reason this might be is that banks are getting better at detecting this type of fraud. The other could be that the cards were already used and so they were already flagged for fraud even before these guys had a chance to use them. So there could be some element of just sending these guys out to stores to see if it works, and if not they’re on their own.”

Merrill’s investigation into the Telegram sales channels for these China-based phishing gangs shows their phishing sites are actively manned by fraudsters who sit in front of giant racks of Apple and Google phones that are used to send the spam and respond to replies in real time.

In other words, the phishing websites are powered by real human operators as long as new messages are being sent. Merrill said the criminals appear to send only a few dozen messages at a time, likely because completing the scam takes manual work by the human operators in China. After all, most one-time codes used for mobile wallet provisioning are generally only good for a few minutes before they expire.

For more on how these China-based mobile phishing groups operate, check out How Phished Data Turns Into Apple and Google Wallets.

The ashtray says: You’ve been phishing all night.

Arrests in Tap-to-Pay Scheme Powered by Phishing

Citizen Lab's investigation reveals sophisticated spyware attacks exploiting WhatsApp vulnerabilities, implicating Paragon Solutions. Learn how their research exposed these threats and the implications for digital privacy.

Cybersecurity researchers at the Citizen Lab at the University of Toronto have exposed the use of sophisticated spyware named **Graphite**, developed by the Israeli firm Paragon Solutions, to target high-profile individuals through WhatsApp.

Their **investigation** reveals that a previously unknown zero-day vulnerability in WhatsApp’s software allowed the spyware to be installed on devices through a zero-click exploit, allowing adversaries to gain unauthorized access to targeted phones.

For your information **zero-click exploits** mean that a device can be compromised without the user clicking a link, opening a file, or performing any other action.

Attack flow explained (Source: The Citizen Lab)

****Graphite Spyware Servers Worldwide****

Paragon Solutions, established in 2019 by figures including former Israeli Prime Minister Ehud Barak, claims to differentiate itself by adhering to ethical standards, unlike other spyware vendors like the **NSO Group**.

However, Citizen Lab’s researchers mapped out servers attributed to Graphite, and identified suspected deployments against journalists, human rights activists, and government critics across multiple countries. This includes:

*   Italy
*   Israel
*   Canada
*   Cyprus
*   Denmark
*   Australia
*   Singapore

WhatsApp’s parent company, Meta, has confirmed that approximately 90 users in 24 countries were targeted. However, since the researchers are based in Canada; a significant aspect of the investigation focused on a Canadian client, the Ontario Provincial Police (OPP). The analysis uncovered links between Paragon and the OPP, revealing a systematic use of spyware capabilities among Ontario-based police services.

The Italian connection proved to be a focal point of the investigation. Forensic analysis of Android devices belonging to individuals notified by WhatsApp, including journalist Francesco Cancellato and Mediterranea Saving Humans founders Luca Casarini and Dr. Giuseppe Caccia, revealed clear indications of Graphite spyware.

Researchers identified a unique Android forensic artifact, BIGPRETZEL, which confirmed the presence of Paragon’s spyware on these devices. The Italian government initially **denied** any involvement but later **acknowledged** having contracts with Paragon.

Furthermore, the investigation extended to an iPhone belonging to David Yambio, a close associate of the confirmed Paragon targets. Apple threat notifications received by Yambio, coupled with forensic analysis, revealed an attempted infection with novel spyware, subsequently patched by Apple in iOS 18.

In response to Citizen Lab’s findings, Meta, along with Apple and Google, collaborated to address the security vulnerability. WhatsApp implemented a server-side fix, eliminating the need for users to update their apps. Apple also released a patch for its iOS operating system to protect iPhone users.

WhatsApp subsequently **notified** the targeted users. “If we believe that your device has come under threat, we may notify you about it directly via a WhatsApp chat,” the notification read.

****WhatsApp Attacks Persist Despite NSO Group Lawsuit Win****

Hackread.com earlier **reported** that the infamous Israeli spyware company, NSO Group, was held legally liable for compromising hundreds of WhatsApp accounts. Court found NSO Group responsible for breaching WhatsApp’s terms of service and exploiting a vulnerability to install its powerful Pegasus spyware on at least 1,400 devices, targeting journalists, human rights activists, political dissidents, and government officials.

Interestingly, CyberScoop **reported** in November 2024 that NSO Group continued to develop new malware based on WhatsApp exploits, even after Meta filed a lawsuit against them and that when WhatsApp disabled the Eden exploit, NSO Group created the Erised vector to target users until May 2020.

Now, the Citizen Lab’s findings indicate that Israeli spyware firms are continually focusing on exploiting WhatsApp vulnerabilities for spyware deployment and aggressively using them against journalists and activists.  

These cases show the never-ending struggle between technology companies and malicious actors seeking to compromise user privacy and the critical need for continuous caution, stricter security measures, and legal accountability within the spyware industry to protect digital privacy and **human rights**.

Israeli Spyware Graphite Targeted WhatsApp with 0-Click Exploit

Experts are warning about the proliferating market for targeted spyware and espionage. Why should we be concerned?

Experts are again warning about the proliferating market for targeted spyware and espionage.

Before we dive into the world of targeted spyware, it’s worth looking at a few of the main players that are active in and against this industry.

**Paragon Solutions** is an Israeli company which sells high-end surveillance technology primarily to government clients, positioning its products as essential for combating crime and national security. The name of Paragon’s spyware is Graphite.

However, a lot of controversy arose when it faced allegations over the targeting of specific WhatsApp users, including journalists and civil society members, leading to a cease-and-desist notice from WhatsApp. Following these allegations, Paragon Solutions ended its contract with Italy after Italian citizens were found to have been targeted.

The **NSO group** creates the high-level spyware known as Pegasus, and has also been caught spying on WhatsApp users. The NSO Group justifies the use of Pegasus by saying it’s a beneficial tool for investigating and preventing terrorist attacks and maintaining the safety of the public.

On the opposite side of the fence, **CitizenLab** is an interdisciplinary laboratory based in Toronto, Canada. CitizenLab focuses on studying information controls that impact the openness and security of the internet and pose threats to human rights.

The work done by CitizenLab has led to greater understanding of the global digital surveillance landscape and its implications for human rights.

Often, we will see newly found vulnerabilities in iOS, WhatsApp and other software credited to CitizenLab or one of its associates. They often find these vulnerabilities by analyzing devices of individuals infected with high-level spyware.

In an interview with TheRecord, founder Ronald Deibert said CitizenLab routinely checks people’s phones for spyware. Over time, the researchers at CitizenLab have honed their forensic skills to the level that they can pinpoint the moment of infection for the device right down to the second.

In a recent article, CitizenLab explained in great detail how it cooperated with Meta on uncovering a WhatsApp zero-day vulnerability and how it traced it back to Paragon and the Italian government.

While most of us will, hopefully, never have to deal or worry about getting infected with high-level spyware, we may end up falling victim to the vulnerabilities that are used to infect targets.

Both Paragon and the NSO group have brought many zero-day vulnerabilities to light in browsers and other online applications by using them to compromise mobile devices.

Zero-day vulnerabilities are hard to come by and therefore expensive. But once they are used against victims, there is a good chance that at some point they will be discovered and patched.

But small-time criminals will pick them up and try to use them against people who haven’t had a chance or the time to update their device yet.

Which is why we, on this blog, and through Malwarebytes’ Trusted Advisor, always urge people to keep their devices up-to-date.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Targeted spyware and why it&#8217;s a concern to us 

A new Zimperium report reveals that rooted Android phones and jailbroken iOS devices face growing threats, with advanced toolkits making detection nearly impossible for cybersecurity researchers.

Despite tighter security from **Apple and Google**, hackers and cybercriminals continue to exploit rooted and jailbroken devices for their attacks. A new report from mobile security firm Zimperium shared with Hackread.com ahead of its publishing on Thursday, warns that compromised mobile phones remain a major risk for businesses, as these devices are far more likely to be targeted by malware and system takeovers.

****What Are Rooting and Jailbreaking?****

**Rooting** (on Android) and **jailbreaking** (on iOS) give users full control over their devices. This allows customization beyond what manufacturers allow and also removes key security protections. A rooted or jailbroken can’t enforce security protocols like Google’s Play Integrity or Apple’s security checks, but they can install apps from unverified sources, disable security features, and modify system files, making them prime targets for cybercriminals.

According to Zimperium’s **research**, rooted Android devices are:

*   **3.5 times more likely** to be attacked by malware

*   **250 times more likely** to suffer a system compromise

*   **3,000 times more likely** to experience a filesystem breach

Depending on who the targeted victim is, a compromised phone can be used as an entry point into corporate networks, allowing attackers to steal sensitive data, launch phishing campaigns, and bypass OTPs.

****A Well-Equipped Toolkit of Hackers****

The security industry has worked hard to detect and block rooted devices, but hackers have also been catching up. Tools like Magisk, APatch, KernelSU, Dopamine, and Checkra1n are in active development, with some even designed to hide their presence to avoid scans.

Magisk, for example, uses a “systemless” root method that avoids modifying core system files, making them harder to detect. APatch takes a different approach by modifying kernel memory on the fly, leaving no permanent traces. These updated toolkits make it increasingly difficult for cybersecurity researchers to spot compromised devices before damage is done.

Overview of current rooting tools (left) and the threat chain of a rooted device leading to a security breach (right) via Zimperium.

****Decline in Rooting and Jailbreaking but Still a Threat****

Rooting and jailbreaking were a big deal from 2011 to 2019. Now that the number of rooted and jailbroken devices has declined, they still pose a serious risk, especially in workplaces where employees use personal phones for work.

Worse, this threat is not limited to small businesses; even employees at cybersecurity giants like Kaspersky Labs have had **their iPhones infected** by malware. A single compromised phone can give attackers access to corporate data, email accounts, and internal applications.

**J. Stephen Kowski**, Field CTO at cybersecurity firm SlashNext, highlights the issue, “When employees root or jailbreak their devices, they’re removing crucial security guardrails. This creates significant attack vectors for threat actors. Businesses need advanced threat detection that can identify compromised devices and block attacks without disrupting workflows.”

Nevertheless, companies need to take mobile security seriously. Traditional security solutions often fail to detect modern rooting tools, so businesses should invest in advanced mobile threat detection that can identify cybersecurity threats in real time. Here’s how a company can start tackling this threat:

*   **Educating employees** on the risks of rooting and jailbreaking

*   **Using mobile security solutions** that detect hidden modifications

*   **Blocking rooted and jailbroken devices** from accessing corporate networks

*   **Implementing strict app policies** to prevent sideloading of unverified software.

Rooted Androids 3,000x More Likely to Be Breached, Even iPhones Not Safe

Google Play Store hit by 300+ fake Android apps, downloaded more than 60 million times pushing ad fraud and data theft. Learn how to spot and remove these threats.

Cybersecurity researchers at Bitdefender have discovered a malicious ad fraud campaign that has successfully deployed over 300 applications within the Google Play Store. These malicious apps have collectively been downloaded over 60 million times, exposing users to invasive ads and phishing attempts.

****Malicious Apps on the Google Play Store****

The Google Play Store, a popular platform for Android applications, has become a target for cybercriminals. Despite Google’s efforts to maintain a safe environment by removing malicious apps, attackers continuously adapt new methods to slip them one way or another.

According to Bitdefender’s report shared with Hackread.com ahead of publishing on Tuesday,  its researchers along with IAS Threat Lab traced this campaign back to at least 331 malicious apps, 15 of which were still available on Google Play at the time of their investigation. These apps pose as harmless utilities, such as QR scanners, expense trackers, health apps, and wallpaper apps.

2 malicious apps out of 300+ both with more than 1 million download each (Screenshot: Bitdefender)

Many of these apps initially appeared harmless but were later updated to include malicious codes. The fraud campaign, active since Q3 2024, shows no signs of slowing down, with new malicious apps still appearing on the store as recently as March 2025. The top 5 counties impacted by this campaign include:

1.  Brazil
2.  United States
3.  Mexico
4.  Turkiye
5.  South Africa

****Hidden Icons**, **Pushing Ads and Phishing:****

One of the techniques involve hiding the app icon from the user’s launcher. This method, restricted in newer Android versions, suggests that attackers have either found a flaw or are exploiting an API vulnerability. Some apps even change their names to mimic legitimate services like Google Voice, further complicating their removal.

These apps are designed to display full-screen ads without user consent, even when another app is in use. Worse, they can initiate phishing attacks, tricking users into exposing sensitive information such as login credentials and credit card details.

Researchers have also revealed technical strategies used by these malicious apps to evade detection on infected devices. One such technique is Content Provider Abuse, where apps declare a contact content provider that is automatically queried by the system after installation, enabling execution without user interaction.

Another tactic involves activity launching through methods like DisplayManager.createVirtualDisplay and other API calls, allowing the apps to start activities without requiring user permission. This technique is often used to display intrusive ads or launch phishing attempts.

To maintain persistence, these apps rely on services and dummy receivers, ensuring they remain active even on newer Android versions that block certain background activities.

****Protect Your Devices****

Usually, it’s best to download apps only from official stores like Google Play and Apple’s App Store. However, in this case, it’s advised to avoid downloading unnecessary apps from both official and third-party stores.

Make sure to keep your device updated so security patches are installed automatically. Run regular malware scans and watch for suspicious activity, such as an app’s icon suddenly disappearing, its name changing, your device slowing down, or excessive battery drain. If you notice anything unusual, delete the app immediately.

Scammers Sneak 300+ Ad Fraud Apps onto Google Play with 60M Downloads

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

With Android devices deeply embedded in business operations, it’s no surprise that cybercriminals are increasingly targeting them.

Businesses are now prime targets, facing threats like banking trojans, spyware, ransomware, and ad fraud, all designed to steal sensitive company data, compromise financial systems, and disrupt operations.

The problem is, that many security tools aren’t built to catch these threats fast enough, leaving people and businesses vulnerable.

To help with this, ANY.RUN has added Android OS support to its interactive sandbox. Cybersecurity professionals can now run and analyze APK files in real-time, spot threats more quickly, and get a much clearer picture of what a malicious app is doing.

**Key Benefits for Cybersecurity Professionals**

Android OS support enhances security teams’ efficiency in several ways:

*   **Simplifies malware analysis:** Users can analyze Android threats, with detailed insights into network traffic, behavioural indicators, and file execution logs. 

*   **Accelerates incident response:** The interactive sandbox allows for real-time detection and mitigation of Android malware, reducing the time needed for investigations.

*   **Reduces costs and complexity:** Security teams don’t need to juggle multiple tools. Sandboxes like ANY.RUN consolidate everything into one platform, improving efficiency and lowering operational costs.

*   **Enhances SOC workflows:** Tier 1 analysts can quickly escalate cases to Tier 2 with comprehensive forensic data on Android malware, streamlining threat intelligence and response processes.

****How Android OS Inside Virtual Machine Makes Malware Analysis Easier****

Analyzing Android malware inside ANY.RUN’s sandbox is as easy as investigating threats on Windows or Linux. With the latest update, security professionals can interact with and examine Android malware in real time, making the process faster and more intuitive.

Before launching an analysis, users can select Android OS from the standard operating system menu. Once selected, they upload the APK file and begin the investigation. 

_Android OS option inside ANY.RUN sandbox_

Since ANY.RUN’s sandbox is fully interactive, analysts can engage with the malicious file as if they were running it on a real Android device.

In a real analysis session, you can see firsthand how easy it is to interact with a suspicious APK file inside ANY.RUN’s interactive sandbox. 

Let’s take Coper, for example – a well-known Android banking trojan designed to steal financial data, intercept SMS messages, and execute commands remotely. This malware often disguises itself as legitimate banking or financial apps, tricking users into granting permissions that allow full control over the device.

View analysis session with Coper

The fastest way to determine if a file is malicious is by checking the top right corner of the screen, where ANY.RUN automatically highlights suspicious activity. 

In our case, it’s marked in red, immediately alerting us that the sample is dangerous. The sandbox identifies that we are dealing with Coper, confirming that this APK is actively performing harmful actions.

_Malicious activity detected by ANY.RUN sandbox_

To dive deeper, analysts can inspect all processes in the Process Tree section. This view provides a structured breakdown of how the malware operates, making it easier to understand what actions it takes after execution. 

This allows SOC teams, malware analysts, and threat hunters to quickly assess the impact of a threat without wasting time on manual investigation.

Tree of processes inside ANY.RUN sandbox

Another crucial feature is the ATT&CK Matrix section, where you can see exactly what techniques and tactics the malware is using. This makes it much easier to map threats to real-world attack patterns. 

If more details are needed, users can simply click on any specific tactic or technique to get a detailed explanation of how it works and what risks it poses.

_Mitre ATT&CK Matrix techniques and tactics_

Finally, for a more structured breakdown, ANY.RUN provides a text report that compiles all findings into a well-organized format. 

This is especially useful for sharing insights with the team, documenting the investigation, or conducting a deeper analysis later on. 

Instead of manually piecing together information from different sources, security teams get a clear, detailed report that speeds up decision-making and incident response.

_Detailed report of analysis generated by ANY.RUN sandbox_

****Analyze Android Threats Faster in a Secure Environment****

With ANY.RUN’s new Android OS sandbox, cybersecurity professionals can now analyze APK files faster and more efficiently in a secure, interactive environment. 

Whether you’re investigating malware for incident response, threat hunting, or research, this update makes the process quicker, more intuitive, and highly effective.

*   **Faster detection:** Get real-time alerts on suspicious activity without delays.

*   **Easier analysis:** Interact with malware just like you would on a real device and inspect its behaviour effortlessly.

*   **Better collaboration:** Share structured reports with your team, helping everyone stay informed and respond quickly to threats.

Analyze Mobile Threats Faster: ANY.RUN Introduces Android OS to Its Interactive Sandbox

Cybercriminals exploit AI hype with SEO poisoning, tricking users into downloading malware disguised as DeepSeek software, warns McAfee Labs in a new report.

The rise of Artificial Intelligence (AI) has undeniably transformed various sectors, with tools like ChatGPT, DeepSeek and Gemini becoming household names. However, this advancement has also created an environment where scammers can thrive.

McAfee Labs has uncovered a concerning trend where malicious actors are exploiting the popularity of AI tools, to distribute malware. This tactic, often referred to as SEO poisoning, exploits trending search terms to lure unsuspecting users to malicious websites.

The recent surge in interest surrounding DeepSeek-R1, a cost-effective AI model released under an open-source license an AI model and its subsequent chatbot launch, provided a solid platform for such exploitation.

This increasing interest, coupled with occasional website unavailability due to high traffic, created an ideal scenario for scammers. They take advantage of the “excitement, anxiety, and impatience” of users by distributing malware disguised as DeepSeek installers, McAfee researchers noted in the blog post shared with Hackread.com.

The attack starts with a user’s search, after which they are directed to websites offering DeepSeek applications for Windows, Mac, and Android. These websites, however, are malicious, leading to the download of malware, fake installers that bundle unwanted third-party software, and fraudulent captcha pages.

Attack Vector (Source: McAfee)

****Fake DeekSeek Installers, Websites and Apps****

McAfee Labs identified several malware campaigns associated with DeepSeek, including fake installers, impersonator websites, and fake mobile apps. These campaigns distributed various types of malware, such as keyloggers, crypto miners, and password stealers. One notable example involved fake installers that bundled legitimate software with unwanted third-party applications, generating revenue through pay-per-install programs.

Another tactic observed was the use of fake captcha pages, designed to trick users into downloading and executing malicious software. These pages employed “brand impersonation,” mimicking DeepSeek’s branding to appear legitimate. Upon registering for a fake partnership program, users were redirected to these captcha pages, which then prompted them to execute commands that installed malware capable of stealing sensitive information.

One of the fake DeepSeek AI websites, malicious winManager (left) and Audacity software (right) and Android app involved in the malware scam (Screenshot credit: McAfee)

****Monero Miner Behind Fake DeepSeek Installer****

A technical analysis of a crypto miner disguised as DeepSeek software revealed that after installation the malware communicated with a command-and-control server to download and execute a PowerShell script. This script employed process injection techniques to evade detection and establish persistence in the victim’s system. The payload, identified as XMRig mining software, then initiated a Monero mining operation, utilizing a portion of the system’s CPU resources.

Scammers chose Monero probably due to its emphasis on anonymity, making it difficult to trace the flow of funds. This highlights the attackers’ focus on covert operations and maximizing their gains while minimizing the risk of detection.

McAfee Labs emphasizes the importance of staying alert and informed, especially during hype cycles surrounding emerging technologies. Another step toward safety is scanning suspicious links and files on VirusTotal before opening or executing them.

Fake DeepSeek AI Installers, Websites, and Apps Spreading Malware

At least four different threat actors have been identified as involved in an updated version of a massive ad fraud and residential proxy scheme called BADBOX, painting a picture of an interconnected cybercrime ecosystem.
This includes SalesTracker Group, MoYu Group, Lemon Group, and LongTV, according to new findings from the HUMAN Satori Threat Intelligence and Research team, published in

BADBOX 2.0 Botnet Infects 1 Million Android Devices for Ad Fraud and Proxy Abuse

Spring Break vacationers could open themselves up to online scams and cyberthreats this year, according to new research from Malwarebytes.

This year, Spring Break vacationers are packing more than their flip-flops, bucket hats, and sunglasses—they’re also packing a few cybersecurity anxieties for the trip.

According to new research from Malwarebytes, 52% of people said they “worry about being scammed while traveling,” while another 40% admitted that they “worry about my kids or family sharing trip details online.” While most people said they will act on these concerns—63% will make sure their security software is up to date, 53% will back up their data—roughly 10% of people said they will take no precautions whatsoever into protecting their security or privacy while on vacation.

The findings reveal that the public approaches cybersecurity as a patchwork quilt, implementing some best practices while forgoing others, and engaging in a few behaviors that carry significant risk online.

For this research, Malwarebytes conducted a pulse survey of its customers in March via the Alchemer Survey Platform.

Broadly, Malwarebytes found that:

*   52% of people “agreed” or “strongly agreed” that they “worry about being scammed while traveling.”
*   20% of people “agreed” or “strongly agreed” that they “don’t really think about protecting my data while traveling.”
*   38% of people said they will book their next travel opportunity through a “general search,” which could leave them vulnerable to malvertising.
*   Apps are a way of life, as 66% of people said they use between one and six apps specifically for travel (such as hotel apps, airline apps, and translation apps). A particularly plugged-in 8% of people said they manage more than seven apps for the same purposes.
*   To stay cybersecure and private on vacation, the majority of people will backup their data (53%), ensure their security software is up to date (63%), and set up credit card transaction alerts (56%), but 10% will take none of these—or other—steps.
*   53% of people refuse to take a single laptop with them on vacation, whereas just 1% leave even their smartphone behind—talk about a holiday.

****Risky business break****

The cybersecurity risks around personal vacations are unlike those around the holidays for major organizations and businesses, in which cybercriminals know that low staffing will leave companies more vulnerable to an attack or breach.

Instead, far-flung Spring Breakers can engage in a series of behaviors both before and during their holidays that leave them open to online scams and theft.

Take, for example, the 38% of people who told Malwarebytes that they would conduct a “general search online” in booking their next vacation. While Google searches are probably one of the most common tasks for any vacation planning, the results that people see can be manipulated through a type of cybercrime called malvertising, short for “malicious advertising.” 

In malvertising, cybercriminals will create a fake website that looks like a popular service, like Facebook, Slack, or eBay. Cybercriminals will also pay a small sum so that these fake websites show up near the top of Google’s sponsored results for relevant searches. Once users click on the websites, which appear legitimate, they’re tricked into downloading malware or handing over sensitive information to scammers.

A safer option for vacationers is to book travel directly with an airline or hotel chain. Many participants wrote this approach into the Malwarebytes survey when selecting the “Other” option (14%). Interestingly, the 29% of respondents who said they use a travel agent for booking likely also receive some extra safeguards, simply because another, experienced, person is involved in the process.

But in the same way that cybercriminals have begun abusing Google search results to send victims to dangerous websites, they’ve also done the same to trick users into downloading fake versions of popular apps.

Android “phishing” apps are a serious threat to users today—Malwarebytes detected 22,800 of them last year alone—and, as we wrote before, they represent the next step in camouflaged cyber-scamming:

> “By disguising themselves as legitimate apps—including for services like TikTok, Spotify, and WhatsApp—Android phishing apps can trick victims into typing in their real usernames and passwords on bogus login screens that are controlled entirely by cybercriminals.”

The threat here endures long after the app is installed. If enough victims unwittingly send their passwords, cyber thieves could bundle the login credentials for sale on the dark web. Once the passwords are sold, the new, malicious owners will attempt to use individual passwords for a variety of common online accounts—testing whether, say, an email account password is the same one used for a victim’s online banking system, their mortgage payment platform, or their Social Security portal.

This wouldn’t be too much a problem if modern traveling didn’t involve so many apps.

According to our survey, 44% of people manage between two to four apps specifically for travel purposes, and 9% manage between five and six apps. And while 20% of people use zero apps for travel and 14% use just one app, there are 8% of people who rely on more than seven apps strictly for travel purposes.

That could include airlines apps, hotel apps, translation apps, and more. But as more apps help with traveling needs, more opportunities arise for those apps to be falsely emulated and maliciously advertised online.

As for what people do while physically on vacation, many engaged in online behaviors that could prove risky, but they can hardly be criticized for it.

For example, 25% of people said they scan QR codes while on vacation. These codes could lead people to malicious websites, but QR codes have become normalized at restaurants that no longer have physical menus. And 33% of people “log into financial institution sites or apps to manage \[their\] budget, check purchases, etc.” This type of activity was susceptible to online eavesdropping many years ago, but everyday internet connections have become far more secure in the past decade. That said, it’s inspiring to see that 41% of people “download or install a VPN” to provide an extra level of security when browsing on public Wi-Fi.

****Safe travels****

Cybersecurity is probably the last thing people want to “pack” before going away on a break, but, thankfully, it’s something that a majority of people said they do.

For instance, 63% said they “check that \[their\] security software is up to date,” while 53% said they “backup \[their\] data.” Similarly, 56% said they “set up credit card transaction alerts.” And while it isn’t quite a majority, 47% said they turn on “Find my Device” features which can help in case of a lost or stolen device. Interestingly, people do not commit to the same precautions for their bags—just 21% of survey participants said they “put a tracker in \[their\] luggage.”

Still, there’s progress to be made.

Not only did 10% of survey participants share that they take zero cybersecurity or data privacy precautions before traveling, but 20% also agreed or strongly agreed with the statement “I don’t really think about protecting my data while traveling.”

For safety abroad, here are a few tips travelers can take before and during their next vacation:

*   **Backup your data before you head out**. Losing a device or having it stolen while on vacation won’t just ruin the trip itself—it will return the return journey, too. Backing up your data will help ensure that any lost device doesn’t lead to lost files.
*   **Turn on “Find My” features**. To respond to a lost or stolen device, turn on the “Find My” features on iPhones and Androids before your vacation so you can track a device’s location in real time.
*   **Protect your devices with antivirus and cybersecurity tools**. Modern cybersecurity tools don’t just stop viruses from landing on your devices, they also warn you about dangerous websites and links that could steal your info.
*   **Update your software**. Ensure that your devices are running on the latest versions of their operating systems. This helps prevent any known weaknesses from being exploited by cybercriminals.
*   **Use a password manager and 2FA**. Your most sensitive accounts shouldn’t just have a unique password. They should also be protected by two-factor authentication, which requires more than a password for anyone to login.
*   **Consider a VPN**. If you are doing something sensitive online, it never hurts to use a VPN. Bonus: If you’re travelling to another country where your favourite streaming shows aren’t available, a VPN can help here too.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#android