Android | Breaking Cybersecurity News | The Hacker News

A new Android malware called RatOn  has evolved from a basic tool capable of conducting Near Field Communication ( NFC ) relay attacks to a sophisticated remote access trojan with Automated Transfer System ( ATS ) capabilities to conduct device fraud. "RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality – making it a uniquely powerful threat," the Dutch mobile security company said in a report published today. The banking trojan comes fitted with account takeover functions targeting cryptocurrency wallet applications like MetaMask, Trust, Blockchain.com, and Phantom, while also capable of carrying out automated money transfers abusing George Česko, a bank application used in the Czech Republic. Furthermore, it can perform ransomware-like attacks using custom overlay pages and device locking. It's worth noting that a variant of the HOOK Android trojan was also observed incorporating ransomware-style overlay screens to d...

A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan. The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025. "The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity delivered a fake document related to the KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments," security researcher Subhajeet Singha said . The infection chain begins with a phishing email containing a ZIP attachment, which includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions written in both Russian and Kazakh to run a program named "KazMunayGaz_Viewer." The email, per the cybersecurity compa...

Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks. The vulnerabilities are listed below - CVE-2025-38352 (CVSS score: 7.4) - A privilege escalation flaw in the Linux Kernel component  CVE-2025-48543 (CVSS score: N/A) - A privilege escalation flaw in the Android Runtime component Google said both vulnerabilities could lead to local escalation of privilege with no additional execution privileges needed. It also noted that no user interaction is required for exploitation. The tech giant did not reveal how the issues have been weaponized in real-world attacks and if they are being put to use in tandem, but acknowledged there are indications of "limited, targeted exploitation." Benoît Sevens of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the upstream Lin...

Cybersecurity researchers are calling attention to a new shift in the Android malware landscape where dropper apps, which are typically used to deliver banking trojans, to also distribute simpler malware such as SMS stealers and basic spyware. These campaigns are propagated via dropper apps masquerading as government or banking apps in India and other parts of Asia, ThreatFabric said in a report last week. The Dutch mobile security firm said the change is driven by recent security protections that Google has piloted in select markets like Singapore, Thailand, Brazil, and India to block sideloading of potentially suspicious apps requesting dangerous permissions like SMS messages and accessibility services , a heavily abused setting to carry out malicious actions on Android devices.  "Google Play Protect's defences, particularly the targeted Pilot Program, are increasingly effective at stopping risky apps before they run," the company said. "Second, actors want t...

Cybersecurity researchers have discovered a new variant of an Android banking trojan called HOOK that features ransomware-style overlay screens to display extortion messages. "A prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims to coerce the victim into remitting a ransom payment," Zimperium zLabs researcher Vishnu Pratapagiri said . "This overlay presents an alarming '*WARNING*' message, alongside a wallet address and amount, both of which are dynamically retrieved from the command-and-control server." The mobile security company said the overlay is remotely initiated when the command "ransome" is issued by the C2 server. The overlay can be dismissed by the attacker by sending the "delete_ransome" command. HOOK is assessed to be an offshoot of the ERMAC banking trojan, which, coincidentally, had its source code leaked on a publicly accessible directory over the int...

Google has announced plans to begin verifying the identity of all developers who distribute apps on Android, even for those who distribute their software outside the Play Store. "Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices," the company said . "This creates crucial accountability, making it much harder for malicious actors to quickly distribute another harmful app after we take the first one down." To that end, the tech giant said it intends to start sending out invitations gradually starting October 2025, before opening it up to all developers in March 2026. The new requirements are expected to go into effect starting a year from now, in September 2026, in Brazil, Indonesia, Singapore, and Thailand. "At this point, any app installed on a certified Android device in these regions must be registered by a verified developer," Suzanne Frey, vice president of Product,...

Cybersecurity researchers have detailed the inner workings of an Android banking trojan called ERMAC 3.0, uncovering serious shortcomings in the operators' infrastructure. "The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications," Hunt.io said in a report. The latest iteration of the malware can send SMS or initiate phone calls to a phone number, set up call forwarding to a specified number, display custom push notification with, fetch Gmail email subject lines, take pictures using the front camera, launch overlays on top of financial apps, capture contact lists, SMS messages, installed apps, and remove itself from the device. ERMAC was first documented by ThreatFabric in September 2021, detailing its ability to conduct overlay attacks against hundreds of banking and cryptocurrency apps across the world. Attribut...

Cybersecurity researchers have disclosed a new Android trojan called PhantomCard that abuses near-field communication (NFC) to conduct relay attacks for facilitating fraudulent transactions in attacks targeting banking customers in Brazil. "PhantomCard relays NFC data from a victim's banking card to the fraudster's device," ThreatFabric said in a report. "PhantomCard is based on Chinese-originating NFC relay malware-as-a-service." The Android malware, distributed via fake Google Play web pages mimicking apps for card protection, goes by the name "Proteção Cartões" (package name "com.nfupay.s145" or "com.rc888.baxi.English"). The bogus pages also feature deceptive positive reviews to persuade victims into installing the app. It's currently not known how links to these pages are distributed, but it likely involves smishing or a similar social engineering technique. Once the app is installed and opened, it requests victim...

Google has released security updates to address multiple security flaws in Android, including fixes for two Qualcomm bugs that were flagged as actively exploited in the wild. The vulnerabilities include CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5), both of which were disclosed alongside CVE-2025-21480 (CVSS score: 8.6), by the chipmaker back in June 2025. CVE-2025-21479 relates to an incorrect authorization vulnerability in the Graphics component that could lead to memory corruption due to unauthorized command execution in GPU microcode. CVE-2025-27038, on the other hand, use-after-free vulnerability in the Graphics component that could result in memory corruption while rendering graphics using Adreno GPU drivers in Chrome. There are still no details on how these shortcomings have been weaponized in real-world attacks, but Qualcomm noted at the time that "there are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CV...

Cybersecurity researchers have discovered a new, large-scale mobile malware campaign that's targeting Android and iOS platforms with fake dating, social networking, cloud storage, and car service apps to steal sensitive personal data. The cross-platform threat has been codenamed SarangTrap by Zimperium zLabs. Users in South Korea appear to be the primary focus. "This extensive campaign involved over 250 malicious Android applications and more than 80 malicious domains, all disguised as legitimate dating and social media applications," security researcher Rajat Goyal said . The bogus domains, which impersonate legitimate app store listing pages, are used as a lure to trick users into installing these apps, resulting in the exfiltration of contact lists and images, all while keeping up an illusion of legitimacy. Once installed, the Android apps also prompt the victim to enter an invitation code, after which it's validated against a command-and-control (C2) server. ...

Cybersecurity researchers have unearthed new Android spyware artifacts that are likely affiliated with the Iranian Ministry of Intelligence and Security (MOIS) and have been distributed to targets by masquerading as VPN apps and Starlink, a satellite internet connection service offered by SpaceX. Mobile security vendor Lookout said it discovered four samples of a surveillanceware tool it tracks as DCHSpy one week after the onset of the Israel-Iran conflict last month. Exactly how many people may have installed these apps is not clear. "DCHSpy collects WhatsApp data, accounts, contacts, SMS, files, location, and call logs, and can record audio and take photos," security researchers Alemdar Islamoglu and Justin Albrecht said . First detected in July 2023, DCHSpy is assessed to be the handiwork of MuddyWater , an Iranian nation-state group tied to MOIS. The hacking crew is also called Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Se...

Google on Thursday revealed it's pursuing legal action in New York federal court against 25 unnamed individuals or entities in China for allegedly operating BADBOX 2.0 botnet and residential proxy infrastructure. "The BADBOX 2.0 botnet compromised over 10 million uncertified devices running Android's open-source software (Android Open Source Project), which lacks Google's security protections," the tech giant said . "Cybercriminals infected these devices with pre-installed malware and exploited them to conduct large-scale ad fraud and other digital crimes." The company said it immediately took steps to update Google Play Protect, a malware and unwanted software protection mechanism built into Android, to automatically thwart BADBOX-related apps. The development comes a little over a month after the U.S. Federal Bureau of Investigation (FBI) issued a warning about the BADBOX 2.0 botnet. BADBOX, first detected in late 2022, is known to spread via ...

Cybersecurity researchers have discovered a new, sophisticated variant of a known Android malware referred to as Konfety that leverages the evil twin technique to enable ad fraud. The sneaky approach essentially involves a scenario wherein two variants of an application share the same package name: A benign "decoy" app that's hosted on the Google Play Store and its evil twin, which is distributed via third-party sources. It's worth pointing out that the decoy apps don't have to be necessarily published by threat actors themselves and could be legitimate. The only caveat is that the malicious apps share the exact same package names as their real counterparts already available on the Play Store.  "The threat actors behind Konfety are highly adaptable, consistently altering their targeted ad networks and updating their methods to evade detection," Zimperium zLabs researcher Fernando Ortega said . "This latest variant demonstrates their sophisticat...

Cybersecurity researchers have discovered an Android banking malware campaign that has leveraged a trojan named Anatsa to target users in North America using malicious apps published on Google's official app marketplace. The malware, disguised as a "PDF Update" to a document viewer app, has been caught serving a deceptive overlay when users attempt to access their banking application, claiming the service has been temporarily suspended as part of scheduled maintenance. "This marks at least the third instance of Anatsa focusing its operations on mobile banking customers in the United States and Canada," Dutch mobile security company ThreatFabric said in a report shared with The Hacker News. "As with previous campaigns, Anatsa is being distributed via the official Google Play Store." Anatsa, also referred to as TeaBot and Toddler, has been known to be active since at least 2020, typically delivered to victims via dropper apps. Early last year, An...

Google has been ordered by a court in the U.S. state of California to pay $314 million over charges that it misused Android device users' cellular data when they were idle to passively send information to the company. The verdict marks an end to a legal class-action complaint that was originally filed in August 2019. In their lawsuit, the plaintiffs argued that Google's Android operating system leverages users' cellular data to transmit a "variety of information to Google" without their permission, even when their devices are kept in an idle state. "Although Google could make it so that these transfers happen only when the phones are connected to Wi-Fi, Google instead designed these transfers so they can also take place over a cellular network," they said. "Google's unauthorized use of their cellular data violates California law and requires Google to compensate Plaintiffs for the value of the cellular data that Google uses for its own be...

A mobile ad fraud operation dubbed IconAds that consisted of 352 Android apps has been disrupted, according to a new report from HUMAN. The identified apps were designed to load out-of-context ads on a user's screen and hide their icons from the device home screen launcher, making it harder for victims to remove them, per the company's Satori Threat Intelligence and Research Team. The apps have since been removed from the Play Store by Google. The ad fraud scheme accounted for 1.2 billion bid requests a day, at the height of its activity. The vast majority of IconAds-associated traffic originated from Brazil, Mexico, and the United States. It's worth noting that IconAds is a variant of a threat that's also tracked by other cybersecurity vendors under the names HiddenAds and Vapor , with the malicious apps repeatedly slipping past the Google Play Store since at least 2019 . Some of the common characteristics of these apps include the use of obfuscation to conceal...