Doctor Web warns of Android.Backdoor.916.origin, a fake antivirus app that spies on Russian users by stealing data, streaming…

Doctor Web warns of Android.Backdoor.916.origin, a fake antivirus app that spies on Russian users by stealing data, streaming audio and video.

Cybersecurity researchers at Doctor Web are warning about a new strain of Android malware called Android.Backdoor.916.origin. The malware has been operational since January 2025 and is capable of listening to conversations, stealing messages, streaming video, and logging keystrokes.

This is the second time in the last four months that researchers have spotted malware targeting Russian infrastructure. **In April 2022**, Doctor Web exposed a fake Alpine Quest mapping app that was spying on the Russian military.

****Fake Anti-Virus Android App with Fake Results****

Doctor Web’s team believes it is not a mass infection attempt aimed at everyday Android owners, but a tool created to target Russian business representatives. The distribution method backs this theory as attackers are pushing the malware through direct messages in messengers, disguising it as an anti-virus called GuardCB.

The fake app uses a disguise to trick victims. Its icon resembles the emblem of the Russian Central Bank placed on a shield, making it look trustworthy. Once installed, it runs what looks like an antivirus scan, complete with fake detection results that are randomly generated to appear convincing.

_“_This is confirmed by other detected modifications with names like “SECURITY\_FSB”, “ФСБ” (FSB), and others, which cybercriminals are trying to pass off as security-related programs that are supposedly related to Russian law enforcement agencies,_“_ noted Dr Web researchers in their **blog post**.

Once installed, the backdoor requests a list of permissions, from geolocation and audio recording to camera access and SMS data. It also demands device administrator rights and access to Android’s Accessibility Service, which lets it act like a keylogger and intercept content from popular apps, including the following:

*   Gmail
*   Telegram
*   WhatsApp
*   Yandex Browser
*   Google Chrome

Malware asking for permissions in the Russian language (Via Doctor Web)

****Livestreaming Audio and Broadcast Video****

Doctor Web researchers explain that the malware is designed for persistence. It launches its own background services, checks if they are running every minute, and restarts them if needed. It also communicates with multiple command-and-control servers, capable of switching between as many as 15 hosting providers if attackers want to keep the infrastructure alive.

The list of available commands, available in Doctor Web’s report, shows the extent of its spying capabilities. It can livestream audio from a microphone, broadcast video from the camera, steal text as users type it, and upload contacts, SMS, images, and call history. Additionally, it even has the ability to stream a device’s screen in real time.

****Exploiting Android’s Accessibility Service****

The malware also takes advantage of Android’s Accessibility Service as a way to protect itself. This feature is abused not only to steal keystrokes but also to block attempts to remove the malware if attackers issue such a command. That self-protection capability means even if victims realize their device is compromised, removal can be difficult without dedicated security software.

Doctor Web notes that while the malware is advanced, it is also highly localized. Its interface is available only in Russian, supporting the view that it was built with a specific group of targets in mind.

If you are an Android user in Russia, only download apps from trusted sources and avoid letting Android’s open-source nature become an open invitation for hackers.

Fake Antivirus App Spreads Android Malware to Spy on Russian Users

A new exploit combining two critical, now-patched security flaws in SAP NetWeaver has emerged in the wild, putting organizations at risk of system compromise and data theft.
The exploit in question chains together CVE-2025-31324 and CVE-2025-42999 to bypass authentication and achieve remote code execution, SAP security company Onapsis said.

CVE-2025-31324 (CVSS score: 10.0) - Missing

Public Exploit for Chained SAP Flaws Exposes Unpatched Systems to Remote Code Execution

Power doesn’t just disappear in one big breach. It slips away in the small stuff—a patch that’s missed, a setting that’s wrong, a system no one is watching. Security usually doesn’t fail all at once; it breaks slowly, then suddenly. Staying safe isn’t about knowing everything—it’s about acting fast and clear before problems pile up. Clarity keeps control. Hesitation creates risk.
Here are this

⚡ Weekly Recap: NFC Fraud, Curly COMrades, N-able Exploits, Docker Backdoors & More

Plus: ICE agents accidentally add a random person to a sensitive group chat, Norwegian intelligence blames the Kremlin for hacking a dam, and new facial recognition vans roam the UK.

WIRED copublished an investigation this week with The Markup and CalMatters showing that dozens of data brokers have been hiding their opt-out and personal-data-deletion tools from Google Search, making it harder for people to find and utilize them. The report prompted US senator Maggie Hassan to demand accountability from the companies. WIRED also took a deep dive looking at what the data-analysis giant Palantir actually does.

Reports this week that Russia was likely involved in, or entirely behind, the US Courts records system breach highlight both the stakes of the incident and information that federal investigators seem to still be lacking about what exactly happened. New research is shedding light on the inner workings of the multimillion-dollar gray market for video game cheats. And we've got advice on how to protect yourself against portable point-of-sale scams that can steal your credit card data or other information. Plus, researchers at the Defcon security conference in Las Vegas last week provided open source instructions for how to build your own quantum sensor at low cost—complete with a special, crucial diamond.

But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Russia Limits Secure Calling on WhatsApp and Telegram**

Russia started blocking WhatsApp and Telegram calls this week, saying that the encryption schemes the communication platforms use to protect customer calls from interception violate information-sharing requirements between tech companies and the government. The platforms have close to 100 million users each in Russia, according to Al Jazeera and Mediascope. The Kremlin has spent years expanding its mechanisms for internet censorship and control, often under the guise of national security and law enforcement.

A WhatsApp spokesperson told WIRED in a statement that “WhatsApp is private, end-to-end encrypted, and defies government attempts to violate people’s right to secure communication, which is why Russia is trying to block it from over 100 million Russian people.”

Reuters reports that Telegram told Russia's RBC Daily that it takes steps to address criminal behavior on its platform, including deploying moderators equipped with AI tools to monitor public discourse and communications on the platform that are not end-to-end encrypted. Telegram said it takes down millions of malicious messages each day.

**US ICE Agents Mistakenly Add Random Civilian to Highly Sensitive Group Chat**

ICE agents inadvertently added a random person to a group chat named “Mass Text,” exposing sensitive discussions including details about a manhunt for a convicted attempted murderer who apparently had been flagged for deportation. The person who was added to the group chat “is not a law enforcement official or associated with the investigation in any way,” according to 404 Media, and “initially thought it was a series of spam messages” after being added to the chat weeks ago.

Messages reportedly included the ICE Field Operations Worksheet for the case, which contains detailed information about the target, as well as communications in which ICE agents appeared to be accessing data from a DMV and license plate readers. The breach is reminiscent of so-called SignalGate, another recent situation in which senior Trump administration cabinet members accidentally included the editor in chief of The Atlantic in a Signal group chat created to plan US air strikes against Houthi rebels in Yemen.

**Norwegian Intelligence Chief Says Russian Hackers Were Behind Dam Cyberattack**

The head of Norway's security police service, Beate Gangås, said this week that it was Russian hackers who targeted a dam in Norway in April and released millions of gallons of water during the four hours that they had control. The Russian embassy denied the allegations in comments to Reuters. Gangås accused Russia of perpetrating the hack in a speech on Thursday, according to Norwegian media.

**English Police Forces Will Have Access to a New Fleet of Facial Recognition Vans**

Police in England will have more access to facial recognition tools. Ministers announced this week that law enforcement will deploy 10 live facial recognition vans around the country that will be used by seven police forces to aid in investigations related to “sex offenders or people wanted for the most serious crimes,” according to Home Secretary Yvette Cooper. Police have increasingly turned to facial recognition in the United Kingdom in recent years, but the vans will represent an additional expansion in England.

Russia Is Cracking Down on End-to-End Encrypted Calls

Four men from Ghana were extradited for their alleged role in stealing more than $100 million through romance scams and BEC.

The Department of Justice (DOJ) extradited and indicted 4 Ghanaian nationals for allegedly stealing more than $100 million, mainly through romance scams and business email compromises.

According to a report from Comparitech, nearly 59,000 Americans fell victim to romance scams in 2024, losing an estimated $697.3 million. Our own research from last year showed that 10% of romance scam victims lose more than $10,000. The overall true cost is believed to be vastly higher than official reports, as many cases go unreported due to victims’ shame and difficulty tracing scammers.

Many of the scammers work offshore from countries where the chances of them getting apprehended are slim. But US Attorney Jay Clayton stated:

> “Offshore scammers should know that we, the FBI, and our law enforcement partners will work around the world to combat online fraud and bring perpetrators to justice.”

The four men are accused of being leaders of a criminal organization based in Ghana which committed romance scams and business email compromises against individuals and businesses located across the US.

Their victims were mostly older men and women tricked into believing they were engaging in a romantic relationship online. These “relationships” sometimes start as a harmless text or by a direct message on social media and dating apps. Soon the scammer will suggest to take the conversation to a more secure platform like WhatsApp or Telegram.

The scammers will take the time to get to know you and assess what the best approach is to deceive you. Most of the time they are after your money, but sometimes they are after information. These scammers may also use other people, who are often younger, as money mules.

The people entailed in romance scams are courted and lavished with attention, until it’s time to cash in. Then the scammer suddenly needs money for travel, an illness, or other made-up reasons. Some scammers also lure victims with a supposed, great investment opportunity that you can’t afford to miss—which will turn out great for them, not the victim.

The four Ghanaian men are facing multiple charges including wire fraud, money laundering, receiving stolen money and more. In total each is facing a maximum sentence of 75 years in prison if convicted on all the charges.

**Stay safe from romance scammers**

The scale of losses from romance scams often eclipses that of many other types of reported consumer fraud or internet crime, demonstrating the high financial risk entailed in these emotional exploitation schemes.

So, it’s important to understand how these scams operate and how you can stay safe. Some of these tips may seem basic, but in these cases, it’s easy for people to mistake their online relationship with the scammer for a real one. This isn’t the fault of scam victims—it is just a symptom of how effective these scam methods are.

*   Don’t send money or disclose sensitive information to anyone you have never met in person.
*   Take it slow and read back answers. Scammers usually have a playbook, but sometimes you can spot inconsistencies in their answers.
*   **Don’t do this alone**. Allow someone in your life to share this with. Their perspective may keep your feet on the ground.
*   Cut them off early. As soon as you expect you are dealing with a scammer, stop responding. Don’t fall for sob stories or even physical threats they’ll use to keep the connection alive.
*   Check their profile picture in an online search. You may find other profiles with the same picture. This is a huge red flag.
*   The move to a “safer platform” is another red flag. They are not doing this for privacy reasons, but to stay under the radar of the platform where they first contacted you.
*   Consult with a financial advisor or investment professional who can provide an objective opinion if you’re offered an investment opportunity.
*   If you encounter something suspicious, report it to the appropriate authorities—such as local law enforcement or the FBI via its Internet Crime Complaint Center. Your action could prevent others from falling victim.  
*   Share examples (anonymized) to help others. One way to do this is to use Malwarebytes Scam Guard, which also helps you assess if a message is a scam or not.

**We don’t just report on scans—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 Romance scammers in Ghana charged with more than $100 million in theft 

Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-55675

**Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access**

Moderate severity GitHub Reviewed Published Aug 14, 2025 to the GitHub Advisory Database • Updated Aug 14, 2025

**Package**

pip apache-superset (pip)

**Affected versions**

< 5.0.0

Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource\_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2025-55675
*   https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33

Published to the GitHub Advisory Database

Aug 14, 2025

Last updated

Aug 14, 2025

GHSA-mhpq-m962-mg92: Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access

The breach of the US Courts records system came to light more than a month after the attack was discovered. Details about what was exposed—and who’s responsible—remain unclear.

The second Trump administration has its first federal cybersecurity debacle to deal with.

A breach of the United States federal judiciary’s electronic case filing system, discovered around July 4, has pushed some courts onto backup paper-filing plans after the hack compromised sealed court records and possibly exposed the identities of confidential informants and cooperating witnesses across multiple US states.

More than a month after the discovery of the breach—and in spite of recent reports from The New York Times and Politico that Russia was involved in perpetrating the hack—it is still unclear exactly what happened and which data and systems were affected.

Politico first reported the breach of the “case management/electronic case files,” or CM/ECF, system, which may have impacted criminal dockets, arrest warrants, and sealed indictments. The CM/ECF system also suffered a breach in 2020 during the first Trump administration, and Politico reported on Tuesday that, in the recent attack, hackers exploited software vulnerabilities that remained unaddressed after being discovered five years ago in response to that first incident. Security researchers say that gaps in public information about the situation are concerning, particularly when it comes to lack of clarity on what data was affected.

“We're more than a month into detecting this intrusion and still don't have a full accounting of what's impacted,” says Jake Williams, a former NSA hacker and current vice president of research and development at Hunter Strategy. “If we don't have sufficient logging to reconstruct attack activity, that would be extremely disappointing, because this system has been repeatedly targeted over the years.”

In response to a request for comment, the United States Courts referred WIRED to its August 7 statement, which says the federal judiciary “is taking additional steps to strengthen protections for sensitive case documents” and “further enhancing security of the system.” The courts also mention that the “vast majority of documents filed with the Judiciary’s electronic case management system are not confidential and indeed are readily available to the public,” while conceding that “some filings contain confidential or proprietary information that are sealed from public view.”

The Department of Justice did not immediately respond to requests for comment about the scope of the breach or who perpetrated it.

Reports this week that Russia was involved in the attack or may be the sole perpetrator have been difficult to interpret, given other indications that espionage actors backed by multiple countries—and possibly organized crime syndicates—may have been involved in or piggybacking on the breach for their own exfiltration.

John Hultquist, chief analyst in Google's Threat Intelligence Group, says it is not uncommon to see multiple actors poking at a sensitive, and potentially vulnerable, system. “Investigations are regularly targeted by cyberespionage actors from several countries,” he says.

News of the breach comes as the Trump administration has continued to slash the federal workforce, including combing intelligence and cybersecurity agencies to remove officials or pressure them to resign.

“I think federal investigators probably know who was behind the attack, but given the climate, I would suspect that no one wants to say with certainty,” Hunter Strategy's Williams says.

Multiple administrations have struggled to get a handle on insidious espionage operations, particularly campaigns perpetrated by Chinese and Russian actors. But researchers emphasize that vulnerabilities enabling the attack on CM/ECF should have been addressed after the 2021 breach.

“Enforcing policies to require that sealed or highly sensitive documents be handled via air-gapped systems or secure isolated networks rather than through CM/ECF or PACER would have dramatically limited exposure. And this was actually recommended post-2021,” says Tim Peck, senior threat researcher at the cybersecurity firm Securonix. “Instituting consistent, centralized logging—among other things—across all disparate CM/ECF instances could have enabled earlier detection and rapid mitigation before data exfiltration escalated as far as it did.”

In other words, highly targeted systems like those of the US Courts are likely going to suffer breaches. But the best way to reduce the likelihood and severity of these attacks is to make sure flaws actually get fixed after they're first exploited.

The First Federal Cybersecurity Disaster of Trump 2.0 Has Arrived

The US court filing system, which houses court records and sealed filings, was reportedly hacked by Russians seeking sensitive documents.

Russia is after secret files in the US court system, according to reports this week—and its hackers appear to have reached at least some of them.

Last week, news broke of a successful cyberattack against the decades-old US court filing system. Called Case Management/Electronic Case Files (CM/ECF), courts use the system to file and maintain documentation for legal cases around the country, which in turn can be accessed through a public portal called PACER. The attack happened as early ago as the first week of July, and possibly before that.

Now, investigators say that Russia is at least partly responsible for the hack, which they described in the New York Times as a multi-year effort to compromise the system.

What would Russian hackers be looking for? Many court documents are accessible via PACER for a small fee (or via other sites such as CourtListener for free). But CM/ECF also hosts many sensitive, sealed documents that are not available to the general public. These would be a treasure trove to those with criminal and/or nation-state connections.

Indeed, the targeted documents were those with overseas ties, according to the NYT report, which said that the attack has targeted at least eight district courts. Chief judges there were asked to move sensitive cases out of CM/ECF. At least one judge, for the Eastern District of New York, issued an order forbidding sealed documents to be directly uploaded there.

Experts have already warned that court files are the crown jewels for cyber attackers.

“Experience has shown that the Judiciary is a high-value target for malicious actors and cyber criminals seeking to misappropriate confidential information and disrupt the judicial process in the United States,” said Michael Y. Scudder Jr., chair of the Committee on IT of the Judicial Conference on Courts, testifying to Congress in June this year.

He mentioned that in 2024 alone, the judiciary’s security team blocked 200 million harmful events from reaching local court networks, adding that attacks were becoming more sophisticated over time.

This isn’t the first time that attackers have made it through the filing system’s defenses. In 2021, CM/ECF suffered a major cybersecurity breach, as reported by the Judiciary at the time, later revealed to have involved three hostile foreign actors, per Politico.

The Judiciary is also in the process of modernizing the filing system, Scudder said. That would mean replacing CM/ECF, which was first introduced in the mid-nineties. PACER is also up for replacement.

However, a replacement has been on the cards since at least 2022, when the Judiciary discussed its refresh plans.

The US government runs on technology systems, having moved away from paper. But those systems are often in dire need of modernization. In July, the US Government Accountability Office released an update to a 2019 audit of government IT systems. Of the ten critical legacy systems most in need of modernization back then, only three have been addressed as of this February. Some of the oldest legacy systems, operated by the Department of Defense and the Treasury, date back to before Neil Armstrong first walked on the moon.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Russians hacked US courts, say investigators 

Scammers are using the age old tactic of scaring victims into clicking by sending out fake product recall messages from Amazon.

Scammers are using the age old tactic of scaring victims into clicking by sending out fake product recall messages from Amazon.

The text message tells you that the item does not meet Amazon’s standards, and tries to install some urgency by claiming it is not safe to use. It also includes a link where it says you can find more information and claim a refund.

> “Amazon Safety Recall: We are contacting you because the product you purchased is being recalled. This recall is due to quality and safety issues. We urge you to stop using the product immediately and contact us to arrange a full refund. You can view your order details at the following link:
> 
> Safety Recall: Order Number:#-142-15261-31435 Your safety is our top priority, please visit our website for more details and instructions. We apologize for the inconvenience and disappointment this may cause you.
> 
> Thank you for shopping at Amazon.”

Of course the link doesn’t go anywhere near Amazon, it’s actually a shortened URL that sends you to amazonzbzc\[.\]co. This is a known phishing site that mimics Amazon, and is after your personal information or to steal your money.

The text messages are intentionally vague about the nature of the product or the exact issue they are being recalled for. This is done so a maximum number of people will think that this might concern them. If the scammers said that the TV you bought might explode, you wouldn’t click the link if you hadn’t purchased a TV recently.

The Federal Trade Commission even issued a warning about these scams back in July, illustrating how this type of scam tactic is growing.

**How to avoid Amazon phishing scams**

*   If you receive a text like this, don’t click on any links. Instead, check if it’s legit by logging in to the Amazon app or website, then going to **Message Centre** under **Your Account**. Legitimate messages from Amazon will appear there.
*   Report the scam to Amazon itself, whether you’ve fallen for it or not. US citizens can send unwanted texts to 7726(SPAM) or use the **Report Junk** option.
*   Set up two-step verification for your Amazon account. This puts an extra barrier between you and the scammers if they do manage to get hold of your login details.
*   Scammers sometimes use information they’ve found online to personalize their scam messages. Check what information is already out there about you using our free Digital Footprint Scanner and then remove or change as much of it as you can.
*   Install web protection that can warn you of phishing sites, card skimmers, and other nasties that could lead to your data being taken.
*   Lastly, if you’ve fallen for this or a similar scam, change your Amazon password and anywhere else you use that password. Also, make sure to monitor your card statements for any unfamiliar charges, and contact your bank immediately if you see anything suspicious.

**We don’t just report on scans—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 That &#8220;Amazon Safety Recall&#8221; message may well be a scam 

TeaOnHer turns out to be at least as leaky as its female counterpart, Tea Dating Advice app.

Last week we reported about some serious leaks in Tea Dating Advice, an app that provides a space for women to exchange information about men they know, have met, or have dated in the past.

The app aims to provide a platform where people can share relevant information about, say, potentially abusive partners. However, it leaked images and private messages, leading to 10 potential class action lawsuits in federal and state courts for negligent data practices.

Now it has been revealed that the male equivalent, TeaOnHer, has exposed users’ personal information as well, including government IDs and selfies.

TeaOnHer, which ranks high in the Lifestyle apps category for iOS, allows men to share photos and information about women they have dated. It appears to have been designed with a sense of vengeance against the Tea Dating Advice app: It uses similar language in the App Store description, and as it turns out, it’s just as leaky.

TechCrunch reports it found at least one vulnerability that allows any user access to other users’ email addresses, driver’s licenses, self-reported location, and selfies. Perhaps most distressingly, the news outlet also discovered that guest users could view explicit images of women, likely shared without consent.

TechCrunch also found an email address and password of the app’s creator. Although it didn’t test that hypothesis for legal reasons, it seems likely using those credentials might provide access to the administrator panel of the app.

It is disappointing that apps made for sharing private information and ranked so high in the App Store apparently have such a poor security standard.

TeaOnHer’s creator did not respond to emails from TechCrunch asking where to report the flaws, so TechCrunch only shared the fact that the flaws exist without going into much detail. This is commendable given the sensitivity of the shared data.

****Protecting yourself after a data breach****

While there are no indications that anyone else has accessed this data, it is an option we can’t ignore. There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

Tag

#sap