Android+Malware | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have disclosed details of a new Android banking trojan called Sturnus that enables credential theft and full device takeover to conduct financial fraud. "A key differentiator is its ability to bypass encrypted messaging," ThreatFabric said in a report shared with The Hacker News. "By capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal." Another notable feature is its ability to stage overlay attacks by serving fake login screens atop banking apps to capture victims' credentials. According to the Dutch mobile security company, Sturnus is privately operated and is currently assessed to be in the evaluation stage. Artifacts distributing the banking malware are listed below - Google Chrome ("com.klivkfbky.izaybebnx") Preemix Box ("com.uvxuthoq.noscjahae") The malware has been designed to specifically single out financial inst...

Cybersecurity researchers have disclosed details of a new Android remote access trojan (RAT) called Fantasy Hub that's sold on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model. According to its seller, the malware enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos, as well as intercept, reply, and delete incoming notifications. "It's a MaaS product with seller documentation, videos, and a bot-driven subscription model that helps novice attackers by providing a low barrier to entry," Zimperium researcher Vishnu Pratapagiri said in a report last week. "Because it targets financial workflows (fake windows for banks) and abuses the SMS handler role (for intercepting 2-factor SMS), it poses a direct threat to enterprise customers using BYOD and to any organization whose employees rely on mobile banking or sensitive mobile apps." The threat actor, in their...

The North Korea-affiliated threat actor known as Konni (aka Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia) has been attributed to a new set of attacks targeting both Android and Windows devices for data theft and remote control. "Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs," the Genians Security Center (GSC) said in a technical report. What's notable about the attacks targeting Android devices is also the destructive ability of the threat actors to exploit Google's asset tracking service, Find Hub (formerly Find My Device), to remotely reset victim devices, thereby leading to the unauthorized deletion of personal data. The activity was detected in early September 2025. The development marks the first time the hacking group has weaponized legitimate management functions to remotely reset mobile devices. The activity is also preceded by an attack chain in whi...

Cybersecurity researchers have shed light on two different Android trojans called BankBot-YNRK and DeliveryRAT that are capable of harvesting sensitive data from compromised devices. According to CYFIRMA, which analyzed three different samples of BankBot-YNRK, the malware incorporates features to sidestep analysis efforts by first checking its running within a virtualized or emulated environment, and then extracting device details such as the manufacturer and model name to ascertain if it's being executed on a real device. BankBot-YNRK also checks if the device is manufactured by Oppo, or is running on ColorOS, a version of the Android operating system that's used on devices made by the Chinese original equipment manufacturer (OEM). "The malware also includes logic to identify specific devices," CYFIRMA said. "It verifies whether the device is a Google Pixel or a Samsung device and checks if its model is included in a predefined list of recognized or suppo...

Cybersecurity researchers have disclosed details of a new Android banking trojan called Herodotus that has been observed in active campaigns targeting Italy and Brazil to conduct device takeover ( DTO ) attacks. "Herodotus is designed to perform device takeover while making first attempts to mimic human behaviour and bypass behaviour biometrics detection," ThreatFabric said in a report shared with The Hacker News. The Dutch security company said the Trojan was first advertised in underground forums on September 7, 2025, as part of the malware-as-a-service (MaaS) model, touting its ability to run on devices running Android version 9 to 16. It's assessed that while the malware is not a direct evolution of another banking malware known as Brokewell , it certainly appears to have taken certain parts of it to put together the new strain. This includes similarities in the obfuscation technique used, as well as direct mentions of Brokewell in Herodotus (e.g., "BRKWL_...

A rapidly evolving Android spyware campaign called ClayRat has targeted users in Russia using a mix of Telegram channels and lookalike phishing websites by impersonating popular apps like WhatsApp, Google Photos, TikTok, and YouTube as lures to install them. "Once active, the spyware can exfiltrate SMS messages, call logs, notifications, and device information; taking photos with the front camera; and even send SMS messages or place calls directly from the victim's device," Zimperium researcher Vishnu Pratapagiri said in a report shared with The Hacker News. The malware is also designed to propagate itself by sending malicious links to every contact in the victim's phone book, indicating aggressive tactics on the part of the attackers to leverage compromised devices as a distribution vector. The mobile security company said it has detected no less than 600 samples and 50 droppers over the last 90 days, with each successive iteration incorporating new layers of o...

Cybersecurity researchers have discovered two Android spyware campaigns dubbed ProSpy and ToSpy that impersonate apps like Signal and ToTok to target users in the United Arab Emirates (U.A.E.). Slovak cybersecurity company ESET said the malicious apps are distributed via fake websites and social engineering to trick unsuspecting users into downloading them. Once installed, both the spyware malware strains establish persistent access to compromised Android devices and exfiltrate data. "Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services," ESET researcher Lukáš Štefanko said . Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app." The ProSpy campaign, discovered in June 2025, is believed to have been ongoing since 2024, ...

A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy. Italian fraud prevention firm Cleafy, which discovered the sophisticated malware and remote access trojan (RAT) in late August 2025, said it leverages Hidden Virtual Network Computing (VNC) for remote control of infected devices and dynamic overlays for facilitating credential theft, ultimately enabling fraudulent transactions. "Klopatra represents a significant evolution in mobile malware sophistication," security researchers Federico Valentini, Alessandro Strino, Simone Mattia, and Michele Roviello said . "It combines extensive use of native libraries with the integration of Virbox, a commercial-grade code protection suite, making it exceptionally difficult to detect and analyze." Evidence gathered from the malware's command-and-control (C2) infrastructure and linguistic clues in the associated...

Cybersecurity researchers have flagged a previously undocumented Android banking trojan called Datzbro that can conduct device takeover ( DTO ) attacks and perform fraudulent transactions by preying on the elderly. Dutch mobile security company ThreatFabric said it discovered the campaign in August 2025 after users in Australia reported scammers managing Facebook groups promoting "active senior trips." Some of the other territories targeted by the threat actors include Singapore, Malaysia, Canada, South Africa, and the U.K. The campaigns, it added, specifically focused on elderly people looking for social activities, trips, in-person meetings, and similar events. These Facebook groups have been found to share artificial intelligence (AI)-generated content, claiming to organize various activities for seniors. Should prospective targets express willingness to participate in these events, they are subsequently approached via Facebook Messenger or WhatsApp, where they are as...

A new Android malware called RatOn  has evolved from a basic tool capable of conducting Near Field Communication ( NFC ) relay attacks to a sophisticated remote access trojan with Automated Transfer System ( ATS ) capabilities to conduct device fraud. "RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality – making it a uniquely powerful threat," the Dutch mobile security company said in a report published today. The banking trojan comes fitted with account takeover functions targeting cryptocurrency wallet applications like MetaMask, Trust, Blockchain.com, and Phantom, while also capable of carrying out automated money transfers abusing George Česko, a bank application used in the Czech Republic. Furthermore, it can perform ransomware-like attacks using custom overlay pages and device locking. It's worth noting that a variant of the HOOK Android trojan was also observed incorporating ransomware-style overlay screens to d...

A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan. The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025. "The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity delivered a fake document related to the KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments," security researcher Subhajeet Singha said . The infection chain begins with a phishing email containing a ZIP attachment, which includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions written in both Russian and Kazakh to run a program named "KazMunayGaz_Viewer." The email, per the cybersecurity compa...

Cybersecurity researchers are calling attention to a new shift in the Android malware landscape where dropper apps, which are typically used to deliver banking trojans, to also distribute simpler malware such as SMS stealers and basic spyware. These campaigns are propagated via dropper apps masquerading as government or banking apps in India and other parts of Asia, ThreatFabric said in a report last week. The Dutch mobile security firm said the change is driven by recent security protections that Google has piloted in select markets like Singapore, Thailand, Brazil, and India to block sideloading of potentially suspicious apps requesting dangerous permissions like SMS messages and accessibility services , a heavily abused setting to carry out malicious actions on Android devices.  "Google Play Protect's defences, particularly the targeted Pilot Program, are increasingly effective at stopping risky apps before they run," the company said. "Second, actors want t...

Cybersecurity researchers have discovered a new variant of an Android banking trojan called HOOK that features ransomware-style overlay screens to display extortion messages. "A prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims to coerce the victim into remitting a ransom payment," Zimperium zLabs researcher Vishnu Pratapagiri said . "This overlay presents an alarming '*WARNING*' message, alongside a wallet address and amount, both of which are dynamically retrieved from the command-and-control server." The mobile security company said the overlay is remotely initiated when the command "ransome" is issued by the C2 server. The overlay can be dismissed by the attacker by sending the "delete_ransome" command. HOOK is assessed to be an offshoot of the ERMAC banking trojan, which, coincidentally, had its source code leaked on a publicly accessible directory over the int...

Google has announced plans to begin verifying the identity of all developers who distribute apps on Android, even for those who distribute their software outside the Play Store. "Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices," the company said . "This creates crucial accountability, making it much harder for malicious actors to quickly distribute another harmful app after we take the first one down." To that end, the tech giant said it intends to start sending out invitations gradually starting October 2025, before opening it up to all developers in March 2026. The new requirements are expected to go into effect starting a year from now, in September 2026, in Brazil, Indonesia, Singapore, and Thailand. "At this point, any app installed on a certified Android device in these regions must be registered by a verified developer," Suzanne Frey, vice president of Product,...

Cybersecurity researchers have detailed the inner workings of an Android banking trojan called ERMAC 3.0, uncovering serious shortcomings in the operators' infrastructure. "The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications," Hunt.io said in a report. The latest iteration of the malware can send SMS or initiate phone calls to a phone number, set up call forwarding to a specified number, display custom push notification with, fetch Gmail email subject lines, take pictures using the front camera, launch overlays on top of financial apps, capture contact lists, SMS messages, installed apps, and remove itself from the device. ERMAC was first documented by ThreatFabric in September 2021, detailing its ability to conduct overlay attacks against hundreds of banking and cryptocurrency apps across the world. Attribut...

Cybersecurity researchers have disclosed a new Android trojan called PhantomCard that abuses near-field communication (NFC) to conduct relay attacks for facilitating fraudulent transactions in attacks targeting banking customers in Brazil. "PhantomCard relays NFC data from a victim's banking card to the fraudster's device," ThreatFabric said in a report. "PhantomCard is based on Chinese-originating NFC relay malware-as-a-service." The Android malware, distributed via fake Google Play web pages mimicking apps for card protection, goes by the name "Proteção Cartões" (package name "com.nfupay.s145" or "com.rc888.baxi.English"). The bogus pages also feature deceptive positive reviews to persuade victims into installing the app. It's currently not known how links to these pages are distributed, but it likely involves smishing or a similar social engineering technique. Once the app is installed and opened, it requests victim...

Google has released security updates to address multiple security flaws in Android, including fixes for two Qualcomm bugs that were flagged as actively exploited in the wild. The vulnerabilities include CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5), both of which were disclosed alongside CVE-2025-21480 (CVSS score: 8.6), by the chipmaker back in June 2025. CVE-2025-21479 relates to an incorrect authorization vulnerability in the Graphics component that could lead to memory corruption due to unauthorized command execution in GPU microcode. CVE-2025-27038, on the other hand, use-after-free vulnerability in the Graphics component that could result in memory corruption while rendering graphics using Adreno GPU drivers in Chrome. There are still no details on how these shortcomings have been weaponized in real-world attacks, but Qualcomm noted at the time that "there are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CV...