Tag: malware

  • Critical Snapdragon Exploit Takes Over Devices in Just 5 Minutes – What You Need to Know

    Kaspersky ICS CERT has publicly detailed a critical hardware vulnerability affecting a wide array of Qualcomm Snapdragon chipsets. The flaw, tracked as CVE-2026-25262 and presented at Black Hat Asia 2026 on April 23, has rattled the security community. First confirmed by Qualcomm in April 2025, full technical details are now available, exposing a backdoor capable of total device takeover and data destruction.

    The Sahara Protocol and BootROM Flaw

    The issue lies deep in the BootROM, the silicon-hardcoded firmware that runs first when a device powers up. Because this code is etched into the hardware itself, standard OTA software updates can’t touch it, making patches nearly impossible.

    Researchers uncovered a major weakness in Qualcomm's handling of the Sahara protocol. For those who work with device flashing, Sahara manages low-level communication in Emergency Download (EDL) mode to load critical software before the main OS starts.

    With just a few minutes of physical access, attackers can exploit this to sidestep the entire secure boot chain. Once inside the application processor, they gain the ability to:

    • Install persistent backdoors that survive reboots.
    • Pull sensitive data like passwords, files, contacts, and real-time location.
    • Take over device sensors for covert camera and microphone access.

    The malware even fakes a system reboot to throw off users. Clearing the infection often requires draining the battery completely to wipe volatile memory, and detection remains extremely challenging.

    Affected Chipsets and Devices

    While newer flagships like Snapdragon 8 Elite have stronger defenses, this flaw hits many older and mid-range chips still in widespread use.

    Vulnerable Qualcomm Chipsets:

    • MSM8916 (Snapdragon 410) (Xiaomi REDMI 2)
    • SDX50 (Xiaomi Mi MIX 3 5G and Mi 9 Pro 5G)
    • MDM9x07
    • MDM9x45 (Xiaomi Mi 5, Mi 5s, Mi 5s Plus, Mi Note 2, Mi MIX)
    • MDM9x65
    • MSM8909
    • MSM8952

    Real-World Impact

    Physical access requirements limit mass remote attacks, but the risk to supply chains, repair shops, and targeted users remains severe. Compromised devices turn into perfect surveillance tools. With hardware deployed across consumer REDMI phones to industrial IoT systems, the potential fallout spans far beyond typical mobile threats.

    Source: Kaspersky

  • Warning: Infected apps are making phones tap ads without users knowing

    Two groups of researchers have found two new, distinct types of malware that function similarly and are embedded in a variety of programs that are accessible through different channels. Worst of all, the standard advice not to install apps from unfamiliar sites is less helpful here, because some of the infected apps are even available on the Google Play Store.

    Although these two pieces of malware appear to be distinct, they function similarly. They exploit the functions of your phone to click on advertisements nonstop, slowing it down and significantly depleting its battery.

    Virtual screens, real ads

    Researchers at the mobile security company Dr.Web found the latest of these malware strains, which has not yet been named. Bleeping Computer reported the discovery. This malware makes use of the TensorFlow.js framework that Google distributed with Android phones to enable machine learning operations in browsers.

    And it works: when the malware is activated, it creates a virtual (false) screen where it shows and clicks on advertisements. Compared to more traditional ad-clickers, the clicks appear far more natural due to the usage of a machine learning technique. However, it has an equally detrimental effect on your device as earlier malware, with notable effects on battery life and processing speed.

    Even worse, the app allows attackers to interact with the fake display as needed by opening a permanent livestream on your device.

    Interestingly, Xiaomi's GetApps software catalog is where the apps originate. Dr.Web claims that the malware is introduced after the apps are uploaded, avoiding all possible security measures.

    Inevitably, third-party app websites like Apkmody and Moddroid have also been severely compromised by the malware. Researchers assert that both the latter's Editor's Choice list and the "premium" versions of apps like Spotify that may be found on Telegram channels are rife with compromised apps.

  • Dangerous Android malware quietly targets and empties bank accounts

    We recently reported about another type of banking Android malware that operates in the background and leverages accessibility settings to steal data, including passwords and bank credentials. More malware that allows remote attacks on Android devices and is freely disseminated among hackers as part of a subscription service has just been disclosed.

    More banking malware on the loose

    A new Android trojan known as Albiriox has been found by researchers at the online fraud protection company Cleafy. Albiriox is disseminated through so-called "dummy" or infected APKs that deceive users into thinking they are downloading real apps, much like Sturnus, the malware that was discovered last week.

    Hackers have tricked people by making phony copies of Google Play Store app listings, as Android Authority noted. As a result, potential victims may think they are downloading an app from a secure site when, in fact, they are not. Additionally, hackers have enticed victims by posting fictitious offers and promotions, requesting contact information, and then distributing the malicious APKs via well-known messaging services like Telegram and WhatsApp.

    The research group claims that hackers in Russia and other nearby regions have been the primary users of these approaches. After being disseminated as a Malware-as-a-Service (MaaS) on dark web forums, it is reported to have lately acquired popularity.

    The APK files the hackers distribute mainly serve to get the "install unknown apps" permission enabled on the victim's device. Once that is done, the dropper app installs the actual (and destructive) program containing Albiriox.

    According to Android Authority, the research organization has already caught over 400 fraudulent apps that target consumers in categories including banking, fintech, digital payments, and cryptocurrencies. Rather than stealing users' login credentials, these versions enable hackers to conduct transactions directly inside users' banking apps.

    You should be wary of any strange programs you install, especially if they appear to be connected to banking or any other financial service, as the malware works more covertly and silently. Make sure you have the most recent Play Protect update installed and that you only download apps from the official Google Play Store app.

    In terms of updates, make sure your device has the most recent firmware that is supported, as this contains patches for vulnerabilities that have just been discovered. Similarly, Google has published the December Android Security Bulletin.

  • New Android malware copies card data and PINs for instant ATM cashouts

    A new Android-based spyware that leverages NFC technology to make illegal ATM cash withdrawals and empty victims’ bank accounts was examined by the Polish Computer Emergency Response Team (CERT Polska).

    Researchers discovered that the software, known as NGate, allows attackers to use banking information stolen from victims’ phones to withdraw money from ATMs (Automated Teller Machines, or cash machines) without actually taking the cards.

    NFC is a wireless technology that enables close-quarters communication between gadgets like terminals, cellphones, and payment cards. Rather than stealing your bank card, the attackers use a mobile phone infected with the NGate virus to record NFC (Near Field Communication) activity and relay that transaction data to ATM equipment. Instead of being relayed only via radio, the stolen data in NGate's case is transmitted over the network to the attackers' servers.

    There are several “flavors” of NFC. Some generate a static code, like the card that opens the door to my apartment complex. I can use a gadget like my “Flipper Zero” to open the door by just copying that type of signal. However, dynamic codes are used by sophisticated contactless payment cards, such as your Visa or Mastercard debit and credit cards. Your card’s chip creates a unique, one-time code (commonly referred to as a cryptogram or token) each time you use the NFC. This code is unique and cannot be reused.

    That’s why the NGate malware is more advanced. It does more than just pick up a signal from your card. The victim must be duped into entering their PIN and completing a tap-to-pay or card-verification activity after the phone has been compromised. When that occurs, the app records every piece of information required for an NFC transaction, including the card number, new one-time codes, and other information created at that same moment.

    All of the NFC data, including the PIN, is then immediately sent to the attacker's handset by the malware. The attacker uses the codes right away to mimic your card at an ATM, because they are newly produced and only valid for a brief period of time. The accomplice at the ATM presents the collected data using a card-emulating device, such as a phone, smartwatch, or bespoke hardware.

    However, as you may guess, social engineering and preparation are needed to have someone ready at an ATM when the data arrives.

    Attackers must first infect the victim’s device with malware. They usually send prospective victims phishing emails or SMS messages. They frequently try to create anxiety or urgency by claiming that there is a technical or security problem with their bank account. Occasionally, they make a follow-up call while posing as representatives of the bank. These calls or texts instruct victims to download a phony “banking” app from an unofficial source, like a direct link rather than Google Play.

    After installation, the software requests permissions and guides users through fictitious “card verification” procedures. While an accomplice waits at an ATM to cash out, the objective is to persuade victims to act swiftly and trustingly.

    Stay safe:

    NGate only functions when your phone is compromised and you are duped into entering your PIN and starting a tap-to-pay action on the phony banking app. Therefore, the greatest defense against this infection is to protect your phone and be on the lookout for social engineering:

    • Stick to trusted sources. Download apps only from Google Play, Apple’s App Store, or the official provider. Your bank will never ask you to use another source.
    • Protect your devices. Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware.
    • Do not engage with unsolicited callers. If someone claims to be from your bank, tell them you’ll call them back at the number you have on file.
    • Ignore suspicious texts. Do not respond to or act upon unsolicited messages, no matter how harmless or urgent they seem.
    Malwarebytes for Android detects these banking Trojans as Android/Trojan.Spy.NGate.C; Android/Trojan.Agent.SIB01022b454eH140; Android/Trojan.Agent.SIB01c84b1237H62; Android/Trojan.Spy.Generic.AUR9552b53bH2756 and Android/Trojan.Banker.AURf26adb59C19.

  • Over 42 million downloads: malicious Android apps found on Google Play

    According to a survey by cloud security firm Zscaler, hundreds of malicious Android apps on Google Play were downloaded over 40 million times between June 2024 and May 2025.

    The company saw a 67% year-over-year increase in malware that targeted mobile devices during that time, with banking trojans and spyware being the most common threats.

    According to telemetry data, threat actors are leveraging phishing, smishing, SIM-swapping, and payment frauds to take advantage of mobile payments instead of traditional card fraud.

    The shift to social engineering assaults can be explained by the widespread use of mobile payments and enhanced security standards like chip-and-PIN technology.

    According to Zscaler, “to carry out these assaults, fraudsters use phishing trojans and malicious programs designed to steal financial information and login passwords.”

    Zscaler estimates that it has found 239 harmful apps in the official Android store, with a total of 42 million downloads, compared to 200 malware apps on Google Play last year.

    The emergence of adware as the most significant threat in the Android ecosystem, which now accounts for over 69% of all detections—nearly twice as many as the previous year—is another noteworthy trend observed at that time.

    After leading with 38% the previous year, the Joker info-stealer is currently in second position with 23%.

    The SpyNote, SpyLoan, and BadBazaar families—which are used for identity theft, extortion, and surveillance—were the primary drivers of the notable 220% year-over-year (YoY) increase in spyware.

    Geographically speaking, 55% of all attacks were directed towards the United States, Canada, and India. Attacks against Israel and Italy also showed substantial increases, ranging from 800% to 4000% YoY, according to Zscaler.

    Malicious Android apps and malware

    In its annual study, Zscaler identifies three malware families that significantly affected Android users. The first is Anatsa, a banking trojan that occasionally enters Google Play through productivity and utility apps and receives hundreds of thousands of downloads each time.

    Since its discovery in 2020, Anatsa has undergone continuous evolution. The most recent version is capable of stealing data from bitcoin sites and more than 831 financial institutions, and it has expanded into new regions like South Korea and Germany.

    The second is Android Void (Vo1d), a backdoor malware that targets Android TV boxes and has infected at least 1.6 million devices with out-of-date Android Open Source Project (AOSP) versions, mostly in Brazil and India.

    The third is Xnotice, a brand-new Android remote access trojan (RAT) that specifically targets job seekers in the oil and gas sector in Iran and Arabic-speaking areas.

    Xnotice propagates via applications that are disseminated through phony employment websites and pose as tools for registering for exams or applying for jobs.

    Through overlays, multi-factor authentication (MFA) codes, SMS messages, and screenshots, the spyware targets banking credentials.

    Users are encouraged to install security updates, only trust reliable publishers, reject or restrict accessibility permissions, refrain from downloading unnecessary apps, and routinely run Play Protect scans in order to protect themselves from Android malware threats, including those from Google Play.

    Routers continued to be the most targeted IoT equipment this year, according to Zscaler’s study. Hackers added routers to botnets or used them as proxies to spread malware by taking advantage of command injection flaws.

    The majority of IoT attacks took place in the United States, with rising hotbeds in Hong Kong, Germany, India, and China following, suggesting that attackers are targeting devices throughout a larger geographic area.

    The cybersecurity company advises businesses to harden IoT and cellular gateways by keeping an eye out for anomalies and implementing firmware-level protections, as well as to deploy zero-trust solutions for key networks.

    Strict application control guidelines, security against phishing attacks, and monitoring SIM-level communications for anomalies should all be part of mobile endpoint protections.

  • How to locate and remove “Stalkerware” from your device

    Even though your mobile device has many built-in safeguards to preserve your privacy and keep your data safe, it could still be subject to snooping if someone you know gains access to your accounts or installs hidden programs, known as stalkerware, that track you. These malicious apps may spy on you by taking advantage of permissions and built-in capabilities on your Android phone or iPhone. Here's how to find stalkerware on your smartphone and get rid of it.

    What is stalkerware?

    Stalkerware is a type of malware that tracks and monitors your device’s activities, including messages, images, and location in real time, without your permission. Most frequently, stalkerware is an app that is downloaded straight to your device. It can be hidden from your home screen or masqueraded as something normal to make it harder for you to spot anything fishy. TechCrunch points out that Cocospy, Spyic, and TheTruthSpy are examples of popular stalkerware applications. Stalkerware can be installed or side-loaded from unapproved sources other than the Apple and Google Play stores.

    Large data usage on your device, a warmer or slower-than-normal phone, a faster-than-normal battery drain, an increase in screen time, and odd alerts are some potential indicators of stalkerware (and other dangerous programs). But stalkerware can exist without any of these problems. The Coalition Against Stalkerware claims that a typical indicator of monitoring isn’t really related to your phone’s technological features: Instead, it’s the stalker’s altered conduct or awareness of your actions.

    Keep in mind that although stalkerware apps are one way for someone to secretly monitor you, other phone settings, such as backups, location sharing, and Google and Apple accounts that are controlled or accessible by someone else, can also be misused.

    If you think your phone may be compromised, you should consult Cornell University’s Clinic to End Tech Abuse (CETA), which offers comprehensive resources for detecting and eliminating stalkerware as well as other security measures to protect your device from eavesdropping.

    Create a safety plan first

    You must have a safety plan in place before trying to remove stalkerware from your device or alter shared access to your accounts and apps. The danger of abuse or harassment may rise if monitoring applications are removed or permissions are updated, alerting the person who installed them. A list of organizations and services for survivor aid in various nations may be found on the Coalition Against Stalkerware.

    Eliminating stalkerware also has the potential to destroy any evidence you might need to provide to law enforcement if you intend to report the incident. You might want to record your experiences in a journal.

    Check for unrecognized apps

    Even without an icon on the home screen, you can still access installed apps in your device’s settings. This can be found in the settings app on both iOS and Android, under the Apps or App management option. (On iOS, you have to scroll all the way to the bottom of the list to see hidden apps.) Keep an eye out for anything unfamiliar.

    Also check which apps are listed under the Accessibility section of your settings, because stalkerware on Android may exploit the access granted by your device's accessibility mode. If you don't use accessibility features, or you don't recognize an app listed there, you may have a harmful program installed. Device admin settings may likewise be exploited by stalkerware: go to Device Admin Apps under Settings > Security. For the majority of personal devices, nothing should be listed here.

    Review app permissions and settings

    Because stalkerware may misuse access to your device’s data, permissions are another approach to spot questionable programs. In your settings, you can view permissions for each individual app, including location, camera, microphone, and keyboard access. TechCrunch advises carefully examining which third-party apps on Android have access to your notifications, as this permits monitoring of your messages and alerts (check your device settings for Special app access).

    To control permissions and sharing with people and apps, utilize Apple’s Safety Check feature (Settings > Privacy & Security > Safety Check) if you’re running iOS 16 or later. Among other settings, you can update your passcode, reset system privacy permissions, switch devices linked to your Apple account, and verify who you are sharing information with. There is a Quick Exit button in case you need to exit with a single push, as well as an Emergency Reset option that will instantly stop transmitting all data from your device.

    Use this CETA guide to iOS safety if Safety Check is not available on your device, or if you want to look into specific phone settings that might be sharing your data with someone else, such as Family Sharing or text message forwarding.

    How to remove stalkerware from your device

    Getting a new phone, which you can and should lock down with a new PIN to stop someone with physical access to your device from installing dangerous apps, is the most drastic action you can take to avoid stalkerware.

    A factory reset is another option that will remove all data and programs from your smartphone. This can be found in the Settings app on Android and under Settings > General > Transfer or Reset iPhone on iOS (you can find the exact path on your device manufacturer's support website). Keep in mind that any data that isn't backed up, such as contacts, messages, and pictures, will be lost. Even if you're not sure whether your phone has a stalkerware program installed, a factory reset can be helpful. However, it may not resolve the problem if the spy still has access to the Google account or Apple ID linked to your device.

    Additionally, you can manually remove or uninstall programs from your device and utilize an antivirus app from a reliable provider to check for hidden and harmful apps (Google Play Protect can also do this on Android).

    After deleting stalkerware, make sure your device has a new lock screen passcode that is difficult for someone with physical access to figure out. You should also take precautions to secure your email and other accounts by using two-factor authentication and using strong, one-of-a-kind passwords.

  • How antivirus software secures your Android data from theft and loss 

    Android devices are extremely popular, mainly due to their open-source model, wide range of device options, and affordability, which makes them appealing to a broad demographic and accessible to people from diverse incomes.  

    However, this popularity also makes Android devices an easy target for attacks, resulting in multiple risks associated with storing sensitive data on mobile devices.

    This is why it is important to secure Android devices and data against theft and loss, especially in the current digital landscape.  

    Threats that Android users face 

    If you haven’t installed a suitable antivirus for Android, you are opening yourself to multiple cybersecurity threats to your private data, which can result in the theft and loss of confidential information that can lead to financial losses. 

    Malware Threats 

    These include viruses, spyware, ransomware, and trojans, among other malware. They are harmful for a number of reasons, which sometimes overlap with each other. 

    • They are sometimes disguised as legitimate apps.
    • They monitor activity and collect data to send to attackers.
    • They can steal sensitive information like banking credentials.
    • They can intercept communications to access confidential information.
    • They can lock or encrypt files and demand a ransom to restore access.

    Phishing attacks

    • These attackers can create apps that mimic legitimate ones or fake overlay screens to trick users into entering their credentials.
    • They can disguise themselves as popular services which are distributed through unofficial app stores, bypassing Google Play’s protections 
    • They can send deceptive messages that come from seemingly trusted sources to click on malicious links or input sensitive information. 
    • Some phishing apps can read information from the Android notification bar and access information like one-time passcodes, which can help bypass multifactor authentication.  

    Biggest data concerns for Android users 

    • Widespread privacy concerns: Android users actively seek ways to configure privacy settings on their devices. This is due to the majority of privacy-related concerns reflecting anxiety on how personal data is handled by the OS and popular apps.  
    • Excessive Data Collection and Sharing: Android devices often collect and share large amounts of user data with third parties, sometimes they don’t offer users a way to opt out. Google tracks Android phones using cookies, identifiers, and other data stores, often without user awareness. 
    • Security Vulnerabilities and Exploits: Android’s open nature and fragmented update system expose users to high-severity vulnerabilities. This includes zero-day exploits that lead to privilege escalation and remote code execution. 
    • Malicious Apps and Sideloading Risks: Android users are at risk of malicious apps, especially those installed outside of the official Google Play Store, which can bypass Google’s security checks. These apps can introduce malware, spyware, and stalkerware that compromise device security and user privacy.  
    • Insecure App Permissions and Poor Passcode Hygiene: Many users grant excessive permissions to apps, which increases the risk of data misuse or leakage. Weak or reused passwords and simple device passcodes make it easier for attackers to gain unauthorised access. 
    • Biometric and financial data exposure: Vulnerabilities in Android can put biometric data, like fingerprints, and financial information, like credit card details, at risk, and many devices remain exposed to known vulnerabilities for extended periods.

    Built-in Android security features 

    Android devices come with their own set of security features that attempt to protect data stored on them.  

    • Google Play Protect: Built into the official app store, it scans apps, actively monitors for malware, and prompts users to uninstall apps that may be harmful. It also blocks apps from untrusted sources.
    • Safe browsing and permission management: Alerts users when they attempt to visit dangerous sites, suspicious links, or files that may be harmful.  
    • Encryption and authentication: The devices come with encryption by default, which ensures all data is stored securely, and only someone with the PIN, password, or authentication can access the data and protect it if the device is lost or stolen. 
    • Find My Device: For locating or erasing data on lost devices. It prevents unauthorised access to personal data. 

    Why Additional Measures are Needed 

    There are several gaps in Android’s native security, such as delayed security updates from manufacturers and the risks of sideloading apps and using public Wi-Fi. This is why additional protection, such as antivirus software, is needed.  

    Scenarios where antivirus is especially important 

    • Handling sensitive data such as banking, work files, and personal information. 
    • Frequent connection to unsecured networks. 
    • Downloading apps from third-party sources. 

    How anti-virus software protects your data

    • Real-time malware protection and detection, and removal of these threats. 
    • This software blocks ransomware before device lockout occurs. 
    • It scans for phishing URLs and fraudulent websites before users access them. 
    • Conducts privacy audits to monitor app permissions and data access. 
    • Monitors for identity theft protection and aids with secure online payments. 
    • Some software has VPN and secure browsing features. 
    • Provides remote device location, lock, or wipe in case of loss or theft.

    What to be wary of

    • With Antivirus Software: Some apps contain vulnerabilities, like exposing the address book or allowing attackers to disable the antivirus software itself. Some also track user data and end up creating new risks instead of eliminating them. 
    • Google Play Protect: Official store protections are not always foolproof; malicious apps are able to slip through the vetting process, and antivirus software that scans before and after installation can add a layer of defence.
    • Making the Choice: When choosing the right software for you, you want a comprehensive malware detection, real-time protection and updates, privacy controls, app permission management, and additional tools like VPN, anti-theft, backup, and Data Loss Prevention (DLP). 

    DLP and Advanced Security Features of Antivirus Software 

    • It encrypts data in transit and at rest. 
    • Separates personal and corporate data for business users. 
    • Centralised password and access management. 
    • Remote wipe and selective data erasure for lost or stolen devices. 
    • App and domain whitelisting to restrict access. 

    Practices for Maximising Android Security

    • Keep operating system and apps updated: Install the latest Android OS and app updates to patch vulnerabilities and protect against new threats. 
    • Regularly review app permissions: Check which permissions each app has and revoke those that are unnecessary. Only grant the permissions essential for an app's functionality.
    • Avoid downloading from untrusted sources: Download apps from the Google Play Store or reputable sources. Avoid third-party app stores, which are more likely to host malicious apps.  
    • Use strong passwords and enable biometric authentication: Use a strong PIN or pattern for the lock screen, and use fingerprint or face unlock for added security.
    • Enable remote tracking: Enables wiping features if devices are lost or stolen to protect confidential information. 

    Conclusion

    Installing antivirus software on Android devices helps protect the device’s data from being compromised and open to cyber threats. To make the most of your protection attempts, make use of built-in features in conjunction with a reputable antivirus solution for comprehensive protection.

  • Crocodilus malware takes Android users’ crypto wallet keys

    A recently identified Android malware known as Crocodilus deceives users into entering the seed phrase for their bitcoin wallet by warning them to back up the key so they don't lose access.

    Despite being a recent banking malware, Crocodilus has fully functional capabilities to remotely control, take over the device, and collect data.

    According to researchers at the fraud prevention firm ThreatFabric, the malware is disseminated by a custom dropper that gets around security measures in Android 13 and later.


    The dropper circumvents the Accessibility Service restrictions and installs the malware without triggering Play Protect.

    What sets Crocodilus apart is its use of social engineering to pressure victims into revealing their crypto-wallet seed phrase.

    It does this with a screen overlay warning users to “back up their wallet key in the settings within 12 hours” or risk losing access to the wallet.

    “This social engineering trick guides the victim to navigate to their seed phrase (wallet key), allowing Crocodilus to harvest the text using its Accessibility Logger,” ThreatFabric explains.

    “With this information, attackers can seize full control of the wallet and drain it completely,” the researchers say.

    In its initial operations, Crocodilus was seen targeting users in Spain and Turkey, including accounts at banks in those two countries. Judging by its debug messages, the malware appears to originate from Turkey.

    Although the exact initial infection mechanism is unknown, users are usually tricked into downloading droppers via malicious websites, fake promotions on SMS or social media, and third-party app stores.

    Once launched, Crocodilus requests access to Accessibility Services, which are intended to help people with disabilities. These services let it perform navigation gestures, monitor for app launches, and read screen content.


    When the victim opens a targeted banking or cryptocurrency app, Crocodilus places a fake overlay on top of the legitimate app to capture the victim's login credentials.

    The bot component of the malware supports a set of 23 commands that it can execute on the device, including:

    • Enable call forwarding
    • Launch a specific application
    • Post a push notification
    • Send SMS to all contacts or a specified number
    • Get SMS messages
    • Request Device Admin privileges
    • Enable a black overlay
    • Enable/disable sound
    • Lock screen
    • Make itself the default SMS manager

    The malware also has remote access trojan (RAT) capabilities that let its operators swipe, tap, and navigate the user interface.

    A dedicated RAT command takes a screenshot of the Google Authenticator app to collect the one-time password codes used for two-factor authentication.

    To hide this activity from the victim and make the device appear locked, Crocodilus operators can mute the device and enable a black screen overlay while these tasks run.

    Although Crocodilus currently appears to target only Spain and Turkey, it may soon expand its operations and add more apps to its target list.

    Android users are advised to keep Play Protect enabled on their devices and to avoid downloading APKs from sources other than Google Play.
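    The three footholds described above (an abused accessibility service, a device-admin receiver, and the default SMS role) are all visible from `adb shell`. The following is an added triage script, not ThreatFabric's analysis tooling or Crocodilus code: it parses the output of `settings get secure enabled_accessibility_services`, `dumpsys device_policy` and `cmd role get-role-holders android.app.role.SMS` and flags any package not on an allowlist. The allowlist, the `com.sysupdate.service` package and the sample output are constructed for the example, and the `dumpsys device_policy` section layout it parses is an assumption taken from recent AOSP builds, so verify it against your own device before trusting an empty result.

```python
"""Added example: triage an Android device for the footholds a Crocodilus-style
banking trojan takes (accessibility service, device admin, default SMS app) by
parsing `adb shell` output. Allowlist and sample output are constructed."""
import re
import subprocess

# Hypothetical allowlist of packages a managed build is expected to hold in
# each privileged role; anything else deserves a look.
ALLOWED = {
    "accessibility": {"com.google.android.marvin.talkback"},
    "device_admin": {"com.google.android.apps.work.clouddpc"},
    "sms": {"com.google.android.apps.messaging"},
}

# adb shell commands whose text output the parsers below consume.
COMMANDS = {
    "accessibility": ["settings", "get", "secure", "enabled_accessibility_services"],
    "device_admin": ["dumpsys", "device_policy"],
    "sms": ["cmd", "role", "get-role-holders", "android.app.role.SMS"],
}


def parse_accessibility(raw):
    """Colon-separated ComponentName list (pkg/class:pkg/class), or 'null'."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return sorted({c.split("/", 1)[0] for c in raw.split(":") if c})


ADMIN_LINE = re.compile(r"^\s+([\w.]+)/(\S+):\s*$")


def parse_device_admins(raw):
    """Active admins are listed under an 'Enabled Device Admins (User N ...)'
    header as indented 'pkg/.Receiver:' lines (layout assumed from AOSP)."""
    admins, header_indent = set(), None
    for line in raw.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        if "Enabled Device Admins" in line:
            header_indent = indent
            continue
        if header_indent is None:
            continue
        if line.strip() and indent <= header_indent:
            header_indent = None  # left the section
            continue
        m = ADMIN_LINE.match(line)
        if m:
            admins.add(m.group(1))
    return sorted(admins)


def parse_sms_role(raw):
    """Role holders print as package names, ';'-separated on some builds."""
    return sorted(p for p in re.split(r"[;\s]+", raw.strip()) if p)


PARSERS = {"accessibility": parse_accessibility,
           "device_admin": parse_device_admins,
           "sms": parse_sms_role}


def triage(outputs):
    """outputs: {role: raw adb text}. Returns {role: [unexpected packages]}."""
    findings = {}
    for role, parser in PARSERS.items():
        unexpected = [p for p in parser(outputs.get(role, "")) if p not in ALLOWED[role]]
        if unexpected:
            findings[role] = unexpected
    return findings


def collect_from_device(serial=None):
    """Run the three commands over adb (needs USB debugging; not used offline)."""
    base = ["adb"] + (["-s", serial] if serial else []) + ["shell"]
    return {role: subprocess.run(base + cmd, capture_output=True, text=True,
                                 check=True).stdout for role, cmd in COMMANDS.items()}


# Constructed sample output (not captured from a real infection): one package
# with a generic-looking name sits in all three roles, as the article describes.
SAMPLE = {
    "accessibility": "com.google.android.marvin.talkback/com.google.android.marvin"
                     ".talkback.TalkBackService:com.sysupdate.service/.AccService",
    "device_admin": (
        "Current Device Policy Manager state:\n"
        "  Enabled Device Admins (User 0, provisioningState: 0):\n"
        "    com.sysupdate.service/.AdminReceiver:\n"
        "      uid=10234\n"
        "      policies:\n"
        "        force-lock\n"
        "  Device Owner:\n"
        "    (none)\n"
    ),
    "sms": "com.sysupdate.service\n",
}

if __name__ == "__main__":
    for role, pkgs in triage(SAMPLE).items():
        print(f"[!] unexpected {role} holder(s): {', '.join(pkgs)}")
```

    Run `triage(collect_from_device())` against a live handset; a single third-party package appearing in two or more of these roles is the pattern worth escalating, since a legitimate app rarely needs accessibility, device admin and the SMS role together.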

  • BadBox 2.0 more than 1 million Android devices infected – how to stay safe

    Researchers from HUMAN's Satori Threat Intelligence team, together with Google, Trend Micro, The Shadowserver Foundation, and other partners, have taken down BadBox 2.0, the largest known botnet of compromised connected TV devices.

    BadBox malware typically arrives pre-installed on TV streaming boxes, smart TVs, tablets, digital projectors, or smartphones, building a botnet out of off-brand Android devices. As a backup distribution channel for the backdoor, the threat actors in this case also ran hundreds of trojanized versions of well-known apps. HUMAN's researchers found 24 of these malicious “evil twin” apps distributing the malware on the Google Play Store and had them taken down.

    The researchers succeeded in sinkholing communications to the malicious domains used by the operators, disrupting the botnet on more than 500,000 Android devices in total. By taking control of thousands of BadBox 2.0 domains they keep compromised devices from reaching the command-and-control (C2) servers the operators set up, while letting themselves monitor the connections and collect intelligence on the botnet.


    What is BadBox 2.0?

    BadBox 2.0 is a malware-based botnet that uses cheap, off-brand Android devices for fraud and other criminal activity. The original BadBox malware, which had infected 74,000 devices, was disabled or went dormant in October 2023.

    The new version, BadBox 2.0, has infected more than 1 million devices according to HUMAN. Most infections are in Brazil (37.6%), followed by the U.S. (18.2%), Mexico (6.3%), and Argentina (5.3%).

    The compromised devices, which include video projectors, smartphones, tablets, smart TVs, and Android TV streaming boxes, often ship with the malware pre-installed by the manufacturer; others are infected, and joined to the botnet, through malicious “evil twin” apps or firmware downloads. “The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices,” HUMAN said in a blog post.

    How to protect yourself from BadBox 2.0

    Google has already added a Play Protect enforcement rule that warns users and blocks installation of apps linked to BadBox 2.0 on any certified Android device, and has removed the malicious apps identified by HUMAN's researchers from the Play Store.

    BadBox cannot be fully eradicated, though, because Google cannot disinfect Android devices that are not Play Protect certified. The bottom of HUMAN's report, mentioned above, lists the devices known to be affected by the current version of BadBox. If your device is on that list, you are unlikely to be able to reflash it with clean firmware; the safest course is to disconnect it from the internet or, better, replace it with a certified device from a reputable manufacturer.

    “If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results,” a Google spokesperson explained in a statement to BleepingComputer. “Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. Users should ensure Google Play Protect, Android’s malware protection that is on by default on devices with Google Play Services, is enabled.”

    To stay safe, avoid buying AOSP-based Android devices, such as off-brand TV boxes, that do not officially support Google Play Services. And whichever streaming device you use, keep its firmware updated and apply security updates as soon as they are released.

    Only install apps from the Google Play Store and other official app stores, and avoid sideloading. Likewise, Android TV devices can be taken offline while not in use by disabling their remote access functions; if a device has unknowingly joined a botnet, this adds a layer of protection for your data and equipment.

    Investing in a mesh Wi-Fi system with integrated security software, or a router with similar features, may also be worthwhile.
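    Sinkholing, as described above, also turns the botnet's C2 domains into a detection signal for anyone who runs their own resolver: a device that keeps looking up a sinkholed domain is a device that has been joined to the botnet. The script below is an added example (not HUMAN's or Google's tooling) that reads dnsmasq/Pi-hole style query log lines and reports which LAN hosts resolved sinkholed domains, counting subdomains against their parent. The domains and the log lines are constructed for the example, so substitute the indicator list you trust.

```python
"""Added example: find LAN hosts that resolved sinkholed botnet C2 domains in a
dnsmasq/Pi-hole query log. Domains and log lines below are constructed."""
import re
from collections import defaultdict

# Hypothetical sinkholed C2 domains; replace with a trusted indicator list.
SINKHOLED = {"c2-example-one.invalid", "update-cdn-example.invalid"}

# dnsmasq writes "query[A] <name> from <client>" lines to /var/log/pihole.log.
QUERY_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) dnsmasq\[\d+\]: "
                      r"query\[(?P<type>\w+)\] (?P<name>\S+) from (?P<src>\S+)$")


def matches_sinkhole(name, sinkholed=SINKHOLED):
    """True if name is a sinkholed domain or any subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in sinkholed)


def find_beaconing_hosts(log_lines, sinkholed=SINKHOLED):
    """Map client IP -> {queried name: count} for lookups of sinkholed domains.
    Non-query lines (forwarded/reply/cached) are ignored."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = QUERY_RE.match(line)
        if m and matches_sinkhole(m["name"], sinkholed):
            hits[m["src"]][m["name"].rstrip(".").lower()] += 1
    return {src: dict(names) for src, names in hits.items()}


# Constructed log excerpt: one host (.57) queries two sinkholed names, the
# other host (.20) is clean. Not a real capture.
SAMPLE_LOG = """\
Mar 10 03:12:01 dnsmasq[812]: query[A] time.android.com from 192.168.1.20
Mar 10 03:12:07 dnsmasq[812]: query[A] api.c2-example-one.invalid from 192.168.1.57
Mar 10 03:12:08 dnsmasq[812]: forwarded api.c2-example-one.invalid to 1.1.1.1
Mar 10 03:17:07 dnsmasq[812]: query[A] api.c2-example-one.invalid from 192.168.1.57
Mar 10 03:20:33 dnsmasq[812]: query[AAAA] update-cdn-example.invalid from 192.168.1.57
Mar 10 03:21:00 dnsmasq[812]: query[A] www.google.com from 192.168.1.20
""".splitlines()

if __name__ == "__main__":
    for src, names in find_beaconing_hosts(SAMPLE_LOG).items():
        detail = ", ".join(f"{n} x{c}" for n, c in sorted(names.items()))
        print(f"[!] {src} resolved sinkholed domains: {detail}")
```

    On a real network, run it with `find_beaconing_hosts(open("/var/log/pihole.log"))` and map the reporting IP back to the device via DHCP leases; a cheap TV box that shows up here is the kind of device the article says cannot be cleaned and should be isolated or replaced.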

  • Chrome’s cookie encryption has been broken by the new Glove infostealer malware.

    The new Glove Stealer malware can harvest browser cookies by bypassing Google Chrome’s Application-Bound (App-Bound) encryption. The infostealer is “very simple and contains limited obfuscation or protective features,” suggesting that it is most likely still in an early stage of development, according to the Gen Digital security researchers who first spotted it while investigating a recent phishing campaign.

    In those attacks, the threat actors used social engineering similar to the ClickFix infection chain: potential victims are tricked into installing malware via fake error windows displayed in HTML files attached to the phishing emails.


    Glove Stealer, a .NET infostealer, can extract and exfiltrate cookies from Firefox and Chromium-based browsers such as Chrome, Edge, Brave, Yandex, and Opera.

    It can also harvest password data from Bitwarden, LastPass, and KeePass, cryptocurrency wallets from browser extensions, 2FA session tokens from the Google, Microsoft, Aegis, and LastPass authenticator apps, and email from clients such as Thunderbird.

    “Other than stealing private data from browsers, it also tries to exfiltrate sensitive information from a list of 280 browser extensions and more than 80 locally installed applications,” said malware researcher Jan Rubín.

    “These extensions and applications typically involve cryptocurrency wallets, 2FA authenticators, password managers, email clients and others.”

    To steal credentials from Chromium browsers, Glove Stealer bypasses the App-Bound encryption cookie-theft protections Google shipped in Chrome 127 in July. It does so with a supporting module that decrypts and retrieves the App-Bound encrypted keys through Chrome’s own COM-based IElevator Windows service, which runs with SYSTEM privileges, following the method security researcher Alexander Hagenah published last month.

    To plant this module in Google Chrome’s Program Files directory and use it to retrieve the encrypted keys, the malware first needs local administrator privileges on the infected PC.
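    Because the bypass needs a helper module dropped into Chrome's own install directory, and needs admin rights to put it there, that file write is a usable detection point. The following is an added example (not Glove Stealer's or Gen Digital's code) that reads Sysmon Event ID 11 (FileCreate) records in the Event Viewer's `Key: Value` text form and flags any write under `C:\Program Files\Google\Chrome\Application` by a process that is not on a baseline of expected installers. The baseline, the `loader.exe` and `helper.exe` names, and the event records are constructed for the example.

```python
"""Added example: flag non-installer writes into Chrome's install directory in
Sysmon Event ID 11 records (Event Viewer 'Key: Value' text). The records,
process names and baseline below are constructed, not from a real case."""
from pathlib import PureWindowsPath

CHROME_APP_DIR = r"C:\Program Files\Google\Chrome\Application"

# Hypothetical baseline of binaries expected to write under CHROME_APP_DIR;
# extend it with whatever deployment tooling your fleet uses.
EXPECTED_WRITERS = {"setup.exe", "googleupdate.exe", "chrome_installer.exe", "msiexec.exe"}


def parse_events(text):
    """One 'Key: Value' per line, events separated by blank lines -> dicts."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def is_under(path, root):
    """Case-insensitive 'path lives below root' check for Windows paths."""
    return path.lower().startswith(root.lower().rstrip("\\") + "\\")


def suspicious_chrome_writes(events, expected=EXPECTED_WRITERS):
    """Return (Image, TargetFilename) pairs for FileCreate events under the
    Chrome install directory whose writing process is not an expected installer."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "11":
            continue
        image, target = ev.get("Image", ""), ev.get("TargetFilename", "")
        if not is_under(target, CHROME_APP_DIR):
            continue
        if PureWindowsPath(image).name.lower() in expected:
            continue
        hits.append((image, target))
    return hits


# Constructed records: a legitimate updater write, a helper dropped into the
# Chrome directory by a process in %TEMP%, and an unrelated user-profile write.
SAMPLE_EVENTS = r"""
EventID: 11
Image: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
TargetFilename: C:\Program Files\Google\Chrome\Application\chrome.exe

EventID: 11
Image: C:\Users\victim\AppData\Local\Temp\loader.exe
TargetFilename: C:\Program Files\Google\Chrome\Application\helper.exe

EventID: 11
Image: C:\Users\victim\AppData\Local\Temp\loader.exe
TargetFilename: C:\Users\victim\Downloads\notes.txt
"""

if __name__ == "__main__":
    for image, target in suspicious_chrome_writes(parse_events(SAMPLE_EVENTS)):
        print(f"[!] {image} wrote {target}")
```

    The same check applies to any Chromium-based browser's install directory; the point is that a process running from a user-writable location should never be creating files next to the browser binary, and the admin rights the article says the bypass requires are exactly what makes that write possible.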

    However, despite the headline-grabbing capability, Glove Stealer is still at an early stage of development: as researcher g0njxa told BleepingComputer in October, this is a basic technique that most other infostealers have already implemented to collect cookies from all Google Chrome versions.

    Malware analyst Russian Panda previously told BleepingComputer that Hagenah’s method resembles the early bypasses other infostealers adopted after Google introduced Chrome App-Bound encryption.

    Google told BleepingComputer last month that “this code [xaitax’s] requires admin credentials, which shows that we have successfully upped the degree of access required to properly pull off this type of assault.” Unfortunately, the requirement for administrator access to circumvent App-Bound encryption has not noticeably reduced the number of active information-stealing campaigns.

    Attacks have only increased since July, when Google first shipped App-Bound encryption, reaching potential victims through vulnerable drivers, zero-day vulnerabilities, malvertising, spearphishing, StackOverflow answers, and fake fixes to GitHub issues.