
Latest news with #malware

This Android malware poses as real apps to take you to dangerous sites and flood your phone with spam

Yahoo, 4 hours ago

A new version of the Konfety malware that attacks Android phones now uses malformed APK files, among other methods, to avoid being detected and analyzed. As reported by Bleeping Computer, this latest Konfety strain, which is neither spyware nor a remote access trojan, poses as a legitimate app by copying both the branding and the names of real apps from the Google Play Store. Konfety mimics real products available on the Play Store, though it does not reproduce the functionality of those apps, and it is distributed and promoted through third-party stores. Researchers have sometimes called this a 'decoy twin' or 'evil twin' tactic, and it is exactly why it is recommended to only download software from trusted publishers and to avoid installing APK files from third-party app stores. Still, some users will resort to searching these marketplaces for supposedly free versions of popular apps, either because they don't have access to Google services (their Android device isn't supported) or because they don't want to pay for legitimate software. Here's everything you need to know about this new Android threat, including some tips to help keep your phone safe from hackers and malware.

Hiding in plain sight

Once Konfety has been installed on a victim's device, it uses a malformed ZIP structure to avoid analysis and detection, and begins its malicious behavior. It can redirect users to dangerous websites, install unwanted apps and push fake browser notifications. Additionally, it can produce ads using the CaramelAds SDK and exfiltrate device data such as installed apps, network configuration and system information. This latest version can also hide its app icon and name, and then use geofencing to alter its behavior depending on the region the device is located in.

It performs its hidden functions via an encrypted DEX file inside the APK, which is loaded and decrypted at runtime and contains hidden services declared in the AndroidManifest file, allowing the delivery of further malicious modules. Konfety also manipulates the APK file to confuse and break static analysis and reverse-engineering tools: it signals that the file is encrypted when it is not, which triggers a false password prompt when an analyst tries to inspect the file and can block or delay access to the APK's contents. Next, critical files within the APK are declared as using BZIP compression, which analysis tools do not support, causing a parsing failure. Android ignores the declared method and falls back to its default processing, which allows Konfety to install and run on the device without issue.

How to stay safe from Android malware

First and foremost, to avoid falling victim to Konfety and other Android malware strains, it's essential that you don't sideload apps on your devices. While it may seem convenient, doing so puts you at serious risk from malware, adware, spyware and other threats, because sideloaded apps from third-party app stores, or those downloaded as APK files, don't go through the same rigorous security checks they would on the Google Play Store or other first-party app stores like the Samsung Galaxy Store. Next, make sure that Google Play Protect is enabled on your Android phone. This pre-installed security app scans all of your existing apps, and any new ones you download, for malware. For extra protection, you may also want to install and run one of the best Android antivirus apps alongside it. Malicious apps are one of the easiest ways for hackers and other cybercriminals to establish a foothold on your devices, so they likely won't be going anywhere anytime soon. Instead, it's up to you to carefully vet each and every app you download and install.

Keep in mind that if an app sounds too good to be true, it probably is. By sticking to official, first-party app stores and by limiting the number of apps you have installed on your phone overall, you should be able to avoid this new version of Konfety and other Android malware strains entirely.
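The ZIP-header tricks described under "Hiding in plain sight" above (an entry flagged as encrypted although its bytes are stored in the clear, and a compression method that analysis tools do not handle) can be spotted by reading only the central directory, before any tool tries to extract the contents. The following Python script is an added example and not code from the article, from Bleeping Computer or from any vendor: it hand-assembles a constructed three-entry ZIP shaped like such an APK (the entry names and contents are made up), then triages each entry's header fields with the standard library's zipfile module and records whether the entry can still be extracted. The ALLOWED_METHODS set (STORED and DEFLATE as the only methods a normally built APK contains) is an assumption for the demonstration.

```python
import io
import struct
import zipfile
import zlib

# Bit 0 of the ZIP general-purpose flag marks an entry as encrypted.
FLAG_ENCRYPTED = 0x0001
# Assumption for this demo: a normally built APK only contains STORED or DEFLATE entries.
ALLOWED_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}
# A fixed, valid DOS date (2024-01-01) so the headers parse anywhere.
DOS_DATE = ((2024 - 1980) << 9) | (1 << 5) | 1


def build_zip(entries):
    """Hand-assemble a ZIP so that header fields can be set freely.

    entries: iterable of (name, data, declared_method, flags). The data bytes are
    always written uncompressed, whatever method the headers declare; that
    header/content mismatch is the inconsistency the article describes.
    """
    local = bytearray()
    central = bytearray()
    count = 0
    for name, data, method, flags in entries:
        name_b = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(local)
        # Local file header (30 bytes) + name + raw data.
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, DOS_DATE,
                             crc, len(data), len(data), len(name_b), 0) + name_b + data
        # Central directory header (46 bytes) + name.
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, 0,
                               DOS_DATE, crc, len(data), len(data), len(name_b),
                               0, 0, 0, 0, 0, offset) + name_b
        count += 1
    # End of central directory record (22 bytes).
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, count, count, len(central), len(local), 0)
    return bytes(local + central + eocd)


def scan_apk_headers(blob):
    """Triage every central-directory entry and note whether zipfile can extract it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            reasons = []
            if info.flag_bits & FLAG_ENCRYPTED:
                reasons.append("encryption flag set on an APK entry")
            if info.compress_type not in ALLOWED_METHODS:
                reasons.append(f"unexpected compression method {info.compress_type}")
            try:
                zf.read(info.filename)
                readable = True
            except Exception:  # password prompt or decompressor failure: the tool chokes
                readable = False
            findings.append({"name": info.filename, "method": info.compress_type,
                             "flags": info.flag_bits, "reasons": reasons, "readable": readable})
    return findings


def suspicious_entries(findings):
    """Names of entries whose headers deserve a closer look."""
    return [f["name"] for f in findings if f["reasons"]]


def build_sample_apk():
    """Constructed sample: one clean entry plus two shaped like the tricks in the article."""
    return build_zip([
        ("AndroidManifest.xml", b"<manifest/>", zipfile.ZIP_STORED, 0),
        # Bytes stored in the clear, but the header claims the entry is encrypted.
        ("classes.dex", b"dex\n035\x00" + b"\x00" * 8, zipfile.ZIP_STORED, FLAG_ENCRYPTED),
        # Bytes stored in the clear, but the header declares BZIP2 (method 12).
        ("res/layout/main.xml", b"<LinearLayout/>", zipfile.ZIP_BZIP2, 0),
    ])


if __name__ == "__main__":
    for f in scan_apk_headers(build_sample_apk()):
        status = "OK" if not f["reasons"] else "; ".join(f["reasons"])
        print(f"{f['name']:<22} method={f['method']:<2} flags=0x{f['flags']:04x} "
              f"extractable={f['readable']!s:<5} {status}")
```

Listing the central directory succeeds for all three entries even though extraction fails for two of them, which is the point: a header-level triage pass that runs before unpacking surfaces exactly the entries that would otherwise stall an analyst with a bogus password prompt or an unsupported-method error.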

More than 250 malicious apps are spreading info-stealing malware on Android and iOS — delete these right now

Yahoo, 4 hours ago

You can never be too careful when downloading a new app to your iPhone or Android phone, as what looks harmless on the surface could actually be a malicious app designed to infect your device with malware. Case in point, the mobile security firm Zimperium has discovered a new malware campaign that targets iPhone and Android users with over 250 malicious apps spread via 80+ malicious domains. What sets this campaign apart is that, in addition to posing as utility apps, many of the malicious apps also posed as dating apps, file-sharing apps and car service platforms. Once installed on a vulnerable smartphone, the apps were used to download info-stealing malware capable of harvesting all sorts of sensitive personal data, including a victim's contacts and even their photos. The hackers behind this campaign then took things a step further, threatening to extort victims by leaking their private information and photos to their contacts or online if their demands weren't met. Here's everything you need to know about this campaign, along with some tips to help you stay safe from malicious apps and the dangers they pose to both your data and your devices.

Delete these apps right now

Before we go into the campaign itself and how it worked, first check your phone to make sure you haven't installed any of the apps below. If you have, manually delete them from your devices:

  • Pilatess
  • Mfile
  • Zcloud
  • Haikiss
  • WhaleS
  • KingCloud
  • Acloud
  • Cloud-k
  • AceCloud
  • Lovelush
  • LOVESS
  • Slovehome
  • Erotic-s
  • BKing

I've highlighted just a few of them above, but you can see the full list here (Google Sheet).

If you take a closer look at the names of these malicious apps, you'll notice that many of them are in Korean, which makes sense given that this campaign mainly targeted users in South Korea. Since anyone could have shared a link to one of the malicious domains hosting these fake apps, though, iPhone and Android users worldwide could be impacted. Either way, it's always a good idea to review all of the apps you have installed and delete any you don't recognize or haven't used in a while.

From phishing sites to fake apps

In a blog post detailing the inner workings of this campaign, dubbed SarangTrap, Zimperium's security researchers explain that potential victims are first tricked into visiting carefully crafted phishing sites. These impersonate popular brands and app stores, which not only lends legitimacy to the campaign but may also entice users to download the apps. Once installed, the fake apps lure users in with slick user interfaces while requesting loads of unnecessary permissions, with the caveat that they won't work without them. To make the apps seem more exclusive, especially the ones posing as dating apps, users are also prompted to enter a valid invitation code. The code is sent to a hacker-controlled server for validation, after which the apps request the sensitive permissions they use to infect the device and steal personal information from it. Besides acting as a lure, this gating lets the malware remain undetected by antivirus software and other security solutions designed to stop malicious activity from bad apps. With the necessary permissions in hand, the fake apps reveal their true nature: while they look polished at first, they contain no dating features or other functionality at all. Instead, they're just a facade used by the hackers to gain a foothold on vulnerable devices, from which they can steal all sorts of valuable data. The malware spread by these apps can harvest a victim's phone number and device identifiers along with all their photos and text messages. With this information, the hackers can easily extort victims, though they could also bundle it up and sell it to other cybercriminals for use in their own attacks. Surprisingly, in addition to malicious Android apps, this campaign also uses a deceptive mobile configuration profile to go after iPhone users. By getting this profile installed on an iPhone, the hackers are able to steal much of the same sensitive data on iOS, including a victim's contacts and photos.

How to stay safe from malicious apps

Just as with new software on your computer, you always need to be careful when installing new apps on your phone, especially as we now keep so much personal and even financial information on our mobile devices. For starters, avoid sideloading apps or installing apps from unknown sources or websites. If you're taken to a site that tries to get you to install an app rather than to an official app store like the Google Play Store or Apple's App Store, that is a major red flag and a good indication that you should avoid the app altogether. When you install a new app, pay close attention to the permissions it requests the first time you open it. While it makes sense for a messaging app to request access to your text messages, it definitely doesn't when a dating app does so. If any permissions seem odd or unnecessary, that is another red flag that something could be off with the app. Besides being extra careful when installing new apps, I highly recommend that you limit the number of apps on your phone overall. Having a lot of apps installed makes it difficult to spot malicious ones, and even good apps can go bad when injected with malicious code. The fewer apps you have, the less likely it is that one of them is malicious or will turn malicious later. If you're using an Android phone, make sure that Google Play Protect is enabled, as this pre-installed security solution scans all of the new apps you download, as well as your existing apps, for malware. For extra protection, you may also want to run one of the best Android antivirus apps alongside it. While there isn't an iPhone equivalent of these apps due to Apple's own restrictions, the best Mac antivirus software from Intego can scan your iPhone or iPad for malware when it is plugged into your Mac via a USB cable. Given that downloading and installing a malicious app, even accidentally, can have very serious consequences, you may also want to invest in one of the best identity theft protection services. They can help you get your identity back after it has been stolen and compensate you for funds lost to fraud or a cyberattack. Malicious apps are the easiest way for hackers to establish a foothold on your devices and gain leverage over you and your data, which is why they aren't going anywhere anytime soon. That's why it's up to you to be proactive as well as careful about which apps you download and where you download them from.

Hackers target Treasury, servers isolated as team assesses malware

The Herald (Business), 7 hours ago

The National Treasury says it identified malware on its infrastructure reporting and monitoring (IRM) website on Tuesday afternoon. The IRM servers were isolated for its staff to assess the magnitude of the compromise and to ensure the security of its systems. In light of Microsoft's recent warning of attacks on software globally, the Treasury said it has contacted the tech giant to check for and address potential vulnerabilities in its information and communication technology (ICT) environment. Despite this, the Treasury said its systems and websites continue to operate normally without any disruption. 'The National Treasury's ICT department processes more than 200,000 e-mails each day and facilitates more than 400,000 user connections through their websites daily,' it said. 'On average, the ICT team successfully detects and blocks about 5,800 security threats directed at Treasury systems every day, showcasing the department's commitment to maintaining a secure digital environment. These threats encompass a range of malicious activities, including phishing attempts, malware infections and spam attacks.' TimesLIVE

Acronis uncovers sophisticated malware campaign targeting gamers; Saudi Arabia, Qatar, and Türkiye among most impacted

Zawya, 10 hours ago

Dubai, United Arab Emirates – The Acronis Threat Research Unit (TRU) has uncovered details of a sophisticated, consumer-focused malware campaign exploiting the global popularity of online gaming, an industry valued at over US$7 billion in the Middle East alone and projected to grow rapidly as young, digitally native audiences fuel demand. The researchers identified that among the most impacted countries globally are three Middle East nations: Saudi Arabia, Qatar, and Türkiye. This underscores the urgent need for awareness among regional gamers, who are particularly active on platforms like Discord, where much of the malicious content is distributed.

The campaign targets consumers, particularly gamers aged 18–35. Victims are lured with what appear to be beta versions of indie games such as Baruda Quest, Warstorm Fire, and Dire Talon, but what actually gets downloaded is infostealer malware such as Leet Stealer, RMC Stealer, and Sniffer Stealer. This malicious software steals sensitive information including login credentials, payment details, and crypto wallets, and can result in account takeovers, financial loss, and extortion. Unlike most malware, which focuses on corporate networks, this campaign exploits the enthusiasm of the gaming community, particularly those eager to access unreleased or early-access content.

'This campaign is notable for its sophistication and its focus on what could be considered a highly tech-savvy demographic,' said Jozsef Gegeny, Senior Researcher at Acronis TRU. 'Our team uncovered the threat by analysing a wave of suspicious files and websites masquerading as legitimate game content, which were spreading largely undetected by major antivirus tools. While enterprises are often protected by managed service providers and robust defences, consumers remain highly exposed to such risks. That's why it's important for the cybersecurity community to shine a light on threats that target individuals and not just corporations.'

The attackers use stolen branding, fake promotional websites, and even dedicated YouTube channels to make the games appear authentic. Popular platforms like Discord are used to share links to fake installers, taking advantage of the trust gamers place in these communities. Acronis found malware disguised as downloaders that displayed convincing errors during installation to mask their true intent. The campaign, first observed spreading in Brazil and the United States, has now been seen globally, with the Middle East emerging as a key hotspot given its young and highly engaged gaming population.

'We strongly urge gamers to remain vigilant, only download games and beta content from official stores or verified developer websites, and enable multi-factor authentication wherever possible,' added Gegeny. 'This campaign shows that even well-informed users can be tricked, especially when malware evades detection by mainstream antivirus tools. Extra caution and awareness are the best defences against such complex and convincing threats.'

About Acronis

Acronis is a global cyber protection company that provides natively integrated cybersecurity, data protection, and endpoint management for managed service providers (MSPs), small and medium businesses (SMBs), and enterprise IT departments. Acronis solutions are designed to identify, prevent, detect, respond, remediate, and recover from modern cyberthreats with minimal downtime, ensuring data integrity and business continuity. Acronis offers the most comprehensive security solution on the market for MSPs with its unique ability to meet the needs of diverse and distributed IT environments. A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.

Microsoft Ties SharePoint Exploits To China-Backed ToolShell Group

Forbes (Business), a day ago

China-linked hackers are exploiting a critical SharePoint flaw to deploy ToolShell malware, bypassing patches and compromising organizations across key sectors.

Microsoft has linked a wave of SharePoint Server attacks to a China-based threat actor using a tool called ToolShell. The attackers exploited CVE-2025-53770, a critical remote code execution vulnerability in SharePoint Server, to gain unauthorized access to vulnerable systems, even after patches were released. The campaign began as early as April 2025 and has affected more than 100 organizations, including government agencies, schools and energy companies. This attack illustrates the dangers of persistent, strategic compromise. And it shows just how well-resourced and adaptive nation-state attackers can be, especially when defenders stick to the usual playbook.

A Closer Look at CVE-2025-53770

CVE-2025-53770 is a deserialization flaw in SharePoint Server with a critical CVSS rating of 9.8. It allows attackers to send a specially crafted request and run arbitrary code on the system. From there, they can deploy malware, access internal networks and maintain control for future operations. What makes this more dangerous is that attackers are chaining this vulnerability with others, such as CVE-2025-49704 and CVE-2025-49706, to bypass security patches issued in May. Once the foothold is established, even patched systems can remain compromised.

ToolShell Reappears

The campaign is driven by a modified version of ToolShell, a remote access trojan that has previously been linked to Chinese espionage groups. In this case, ToolShell is integrated into SharePoint workflows, allowing attackers to blend into normal traffic, evade detection and operate freely inside the network.

Nation-State Attribution and a Growing Threat Landscape

Microsoft's Threat Intelligence team has formally attributed the campaign to a China-based threat actor. But according to Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, the threat has already expanded beyond a single source. 'We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor. It's critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well,' Carmakal warned. In other words, the window between state-sponsored discovery and broader criminal adoption is shrinking fast.

Gabrielle Hempel, Security Operations Strategist at Exabeam, sees clear echoes of the 2021 Exchange Server attacks in this campaign. 'Yet again, we're seeing a Microsoft enterprise product exploited at scale, with self-hosted deployments as the primary point of failure,' she noted. 'These environments generally remain low-hanging fruit due to patching delays and overexposed internal access.' Hempel also emphasized the operational complexity of these attacks. 'These attackers aren't just out to steal data, but gain remote access, drop malware and move laterally. Organizations should be treating this as a full domain compromise event and not just a SharePoint-specific incident.'

Patching Isn't Enough

This campaign underscores a frustrating but important truth in cybersecurity: patching alone is not enough. While Microsoft did release a patch for CVE-2025-53770, attackers already inside those systems could maintain persistence using other tools and chained exploits. In some cases, attackers gained access before the patch was available. In others, organizations failed to patch quickly, or correctly, leaving them vulnerable. Once ToolShell is deployed, it's not just about SharePoint anymore. It's about what else attackers can reach from there.

What Organizations Need to Do Now

Microsoft and other experts recommend several immediate steps: As Hempel pointed out, many security teams lack visibility into SharePoint logs or internal network movement. 'We will likely see ripple effects from breaches of this vulnerability across PCI, HIPAA, ISO 27001, NIST 800-171 and even DFARS/CMMC,' she warned.

Rethinking Hybrid Security

SharePoint's widespread use and the mix of on-prem and cloud deployments make it a prime target. Many organizations have moved to cloud-based platforms, but legacy on-prem systems often remain in place, and underprotected. This campaign is a reminder that defending hybrid environments requires more than patching and monitoring the perimeter. It demands real visibility, fast detection and a plan for persistence. Nation-state attackers do not rely on zero-days alone. They leverage known flaws, chain exploits and adapt faster than most organizations can respond. The compromise isn't coming. For many, it's already here.
