#AndroidMalware
Posts tagged #AndroidMalware on Bluesky

New Android malware families like PixRevolution and BeatBanker are targeting Pix payments and banking apps. Stay vigilant and protect your devices. #CyberSecurity #AndroidMalware #PixRevolution #BeatBanker Link: thedailytechfeed.com/new-android-...


Six Android malware families are targeting banking apps, crypto wallets, and payment platforms.
PixRevolution, BeatBanker, TaxiSpy RAT, Mirax, Oblivion RAT, SURXRAT.
• Overlay attacks
• Real-time transaction hijacking
• Remote device surveillance...
#CyberSecurity #AndroidMalware #InfoSec #TechNadu

Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets

Cybersecurity researchers have discovered half a dozen new Android malware families that come with capabilities to steal data from compromised devices and conduct financial fraud. The Android malware ranges from traditional banking trojans like PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, and Oblivion RAT to full-fledged remote administration tools such as SURXRAT. PixRevolution, according to

iT4iNT SERVER Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets VDS VPS Cloud #AndroidMalware #Cybersecurity #BankingApps #CryptoWallets #DataTheft


Android malware campaign detected.
BeatBanker Android Trojan spreads via fake Google Play Store sites.
Targets crypto apps like Binance and Trust Wallet.
New samples deploy BTMOB Remote Access Trojan.
Follow TechNadu for cybersecurity updates.
#AndroidMalware #Infosec


New BeatBanker Android malware poses as Starlink app to hijack devices reconbee.com/new-beatbank...

#beatbanker #androidmalware #starlinkapp #hijack #cybersecurity #cyberattack

Google Responds After Reports of Android Malware Leveraging Gemini AI

There has been a steady integration of artificial intelligence into everyday digital services, which has primarily been portrayed as a story of productivity and convenience. However, the same systems that were originally designed to assist users with complex tasks are now beginning to appear in much less benign circumstances.

According to security researchers, a new Android malware strain appears to be woven directly into Google's Gemini AI chatbot, which seems to have a generative AI component. One of the most noteworthy aspects of this discovery is that it marks an unusual development in the evolution of mobile threats, as a tool that was intended to assist users with problems has been repurposed to initiate malicious software through the user interface of a victim's device. In real time, the malware analyzes on-screen activity and generates contextual instructions based on it, demonstrating that modern AI systems can serve as tactical enablers in cyber intrusions. Given the adaptive nature of such malicious applications, traditional automated scripts rarely achieve this level of adaptability.

Further technical analysis has concluded that the malware, known as PromptSpy by ESET, combines a variety of established surveillance and control mechanisms with an innovative layer of artificial intelligence-assisted persistence. When the program is installed on an affected device, a built-in virtual network computing module allows operators to view and control the compromised device remotely. By abusing Android's accessibility framework, the application obstructs users from attempting to remove it, effectively interfering with user actions intended to terminate or uninstall it.

Additionally, the malicious code can harvest lock-screen information, collect detailed device identifiers, take screenshots, and record extended screen activity as video while maintaining encrypted communications with its command-and-control system. According to investigators, the campaign is primarily financially motivated and has so far heavily targeted Argentinian users, although linguistic artifacts within the code base indicate that development most likely took place in a Chinese-speaking environment. PromptSpy is characterized, however, by its implementation of Gemini as an operational aid, which is what makes it unique.

The malware utilizes a dynamic interpretation of the device interface instead of relying on rigid automation scripts that simulate taps at predetermined coordinates, an approach that frequently fails across different Android versions or interface layouts. It transmits a textual prompt along with an XML representation of the current screen layout to Gemini, thereby providing Gemini with a structured map of the visible buttons, text labels, and interface elements. Once the chatbot has returned structured JSON instructions indicating where interaction should take place, PromptSpy executes those instructions and repeats the process until the malicious application has been anchored in the recent-apps list. This reduces the likelihood that the process is dismissed by routine user gestures or system management.

ESET researchers noted that the malware was first observed in February 2026 and appears to have evolved from a previous strain known as VNCSpy. The operation is believed to selectively target regional victims while maintaining development infrastructure elsewhere, with samples uploaded from Hong Kong before later variants surfaced in Argentina.

It is not distributed via official platforms such as Google Play; instead, victims are directed to a standalone website impersonating Chase Bank's branding using identifiers such as "MorganArg." In addition, the final malware payload appears to be delivered via a related phishing application, thought to originate from the same threat actor. Even though the malicious software is not listed on the official Google Play store, analysts note that Google Play Protect can detect and block known versions of the threat once they are identified.

The interaction loop involves the AI model interpreting the interface data and returning structured JSON responses that the malware uses for operational guidance. The responses specify both the actions that should be performed, such as simulated taps, and the exact interface element on which they should occur. By following these instructions, the malicious application is able to interact with system interfaces without direct user input, utilizing Android's accessibility framework. The process is repeated iteratively to secure the application's position within the device's recent-apps list, a state that greatly complicates efforts to terminate the process through task management or routine gestures. Gemini assumes the responsibility of interpreting the interface on the malware's behalf, thereby avoiding the fragility associated with fixed automation scripts. This allows the persistence routine to operate reliably across a variety of screen sizes, interface configurations, and Android builds. Once persistence is achieved, the operation's main objective becomes evident: establishing sustained remote access to the compromised device.

By deploying a virtual network computing component integrated with PromptSpy, attackers can remotely monitor and control the victim's screen in real time via the VNC protocol, which connects to a hard-coded command-and-control endpoint controlled by the attacker infrastructure. Using this channel, the malware is able to retrieve operational information, such as the API key necessary to access Gemini, request screenshots on demand, or initiate continuous screen recording sessions. As part of this surveillance capability, it can also intercept highly sensitive information such as lock-screen credentials, including passwords and PINs, and record pattern-based unlock gestures. The malware utilizes Android accessibility services to place invisible overlays across portions of the interface, which effectively prevents users from uninstalling or disabling the application.

Distribution analysis indicates that the campaign uses a multi-stage delivery infrastructure rather than an official application marketplace. Despite never appearing on Google Play, the malware has been distributed through a dedicated website that serves a preliminary dropper application. As soon as the dropper is installed, a secondary page hosted on another domain appears, which mimics JPMorgan Chase's visual identity and identifies itself as MorganArg; the name appears to reference Morgan Argentina. In the interface, victims are instructed to grant permission to install software from unknown sources. The dropper then retrieves a configuration file from its server and quietly downloads it. According to the report, the file contains instructions and a download link for a second Android package, delivered to the victim as if it were a routine application update by means of Spanish-language prompts.

Researchers later discovered that the configuration server was no longer accessible, which left the specific distribution path of the payload unresolved. Clues in the malware's code base provide additional insight into the campaign's origin and targeting strategy. Linguistic artifacts, including debug strings written in simplified Chinese, suggest that Chinese-speaking operators maintained the development environment. Furthermore, the cybersecurity infrastructure and phishing material used in the operation indicate an interest in Argentina, which further supports the assessment that the activity is not espionage-related but financially motivated. It is also noted that PromptSpy appears to be an evolution of a previously discovered Android malware strain known as VNCSpy, samples of which were first submitted to VirusTotal from Hong Kong only weeks before the new variant was identified.

In addition to highlighting an immediate shift in the technical design of mobile threats, the discovery also indicates a broader shift. By outsourcing interface interpretation to a generative artificial intelligence system, attackers can automate interactions that would otherwise require extensive manual scripting and constant maintenance as operating systems change. Using this approach, malware can respond dynamically to changes in interfaces, device models, and regional system configurations by adjusting its behavior accordingly. Additionally, PromptSpy's persistence technique complicates remediation, since invisible overlays can obstruct victims' ability to access the uninstall controls. In many cases, the only reliable way to remove the application is to restart the computer in Safe Mode, which temporarily disables third-party applications, allowing them to be removed without interruption.

As security researchers have noted, PromptSpy's technique indicates that Android malware development is heading in a potentially troubling direction. By feeding an image of the device interface to artificial intelligence and receiving precise interaction instructions in return, malicious software gains an unprecedented degree of adaptability and efficiency not seen in traditional mobile threats. It is likely that as generative models become more deeply ingrained into consumer platforms, the same interpretive capabilities designed to assist users may be increasingly repurposed by threat actors who wish to automate complicated device interactions and maintain long-term control over compromised systems.

Security practitioners and everyday users alike should be reminded that defensive practices must evolve to meet the changing technological landscape. As a general rule, analysts recommend installing applications only from trusted marketplaces, carefully reviewing accessibility permission requests, and avoiding downloads that are initiated by unsolicited websites or update prompts. Android security updates and Google Play Protect can also reduce exposure to known threats as long as the protections remain active. Research indicates that the growing use of tools such as Gemini in malicious workflows signals an inflection point in mobile security, which may lead to a shift on both the offensive and defensive sides of the threat landscape as artificial intelligence becomes more prevalent. It is likely that in order to combat the next phase of adaptive Android malware, the industry will have to strengthen detection models, improve behavioural monitoring, and tighten controls on high-risk permissions.

Google Responds After Reports of Android Malware Leveraging Gemini AI #AccessibilityServiceExploit #AIDrivenMalware #AndroidMalware

RedAlert Trojan Campaign Disseminates Fake Emergency App Targeting Israel via SMS Spoofing, Steals Contacts, GPS Data

The RedAlert Trojan campaign utilizes SMS spoofing in Israel to distribute a fake emergency alert app that collects SMS, contacts, and location data.

Full story:
www.technadu.com/redalert-tro...

How should governments and enterprises strengthen mobile defense posture in high-conflict environments?
#CyberSecurity #AndroidMalware #MobileThreats #SMSPhishing #ThreatIntelligence


RedAlert Trojan campaign uses SMS spoofing in Israel to push a fake emergency app.
Sideloaded APK steals GPS, contacts & SMS.
Evades Android verification via proxy hooks.
Mobile espionage amid conflict.

What’s your take on mobile defense readiness?
#CyberSecurity #AndroidMalware #InfoSec


Beware of Oblivion: A $300 Android RAT that covertly hijacks devices, intercepts SMS, logs keystrokes, and more. Stay vigilant! #CyberSecurity #AndroidMalware #OblivionRAT Link: thedailytechfeed.com/oblivion-and...


Alert: ResidentBat spyware linked to Belarusian KGB targets journalists via physical device access. Stay vigilant. #CyberSecurity #AndroidMalware #Privacy Link: thedailytechfeed.com/belarusian-k...


Beware of SURXRAT a new Android RAT compromising devices via social engineering. Protect your data by downloading apps only from trusted sources. #CyberSecurity #AndroidMalware #SURXRAT Link: thedailytechfeed.com/new-surxrat-...


AI is now being used in malware too.
The PromptSpy malware steals Android screen data and uses Google Gemini to control the phone.
Revealed in ESET research.
For safety, keep Google Play Protect turned on and stay away from unknown apps.
For more information 👇
www.tanatangyan.com/2026/02/prom...

#PromptSpy #AndroidMalware #AITech


Alert: 'PromptSpy' is the first Android malware using AI for advanced decision-making, marking a new era in mobile threats. Stay vigilant! #CyberSecurity #AndroidMalware #AIThreats Link: thedailytechfeed.com/promptspy-ma...


PromptSpy Abuses Gemini For Persistence
Read More: buff.ly/HjZfV8A

#PromptSpy #AndroidMalware #GeminiAI #MobileSecurity #AIenabledThreats #MalwarePersistence #ThreatResearch #Infosec


Beware of Massiv Android trojan disguised as IPTV apps, targeting mobile banking users with device takeover attacks. Stay vigilant! #CyberSecurity #AndroidMalware #MobileBanking Link: thedailytechfeed.com/new-android-...


Alert: New Android malware 'PromptSpy' uses AI to evade detection and persist on devices. Stay vigilant! #CyberSecurity #AndroidMalware #AIThreats Link: thedailytechfeed.com/ai-powered-a...


PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence reconbee.com/promptspy-an...

#PromptSpymalware #androidmalware #malware #Geminiai #cyberattack


Beware of FvncBot! This new Android malware exploits Accessibility Services to hijack banking credentials. Stay safe by downloading apps only from official sources. #CyberSecurity #AndroidMalware #FvncBot Link: thedailytechfeed.com/new-android-...


Cybercriminals are sending fake RTO challan notifications via WhatsApp to deploy Android malware. Stay alert and verify traffic fines through official channels. #CyberSecurity #AndroidMalware #RTOChallan Link: thedailytechfeed.com/malware-masq...


Alert: Arsink RAT malware is infiltrating Android devices worldwide, disguising as popular apps to steal personal data. Stay vigilant! #CyberSecurity #AndroidMalware #ArsinkRAT Link: thedailytechfeed.com/arsink-rat-n...


Hugging Face abused to spread thousands of Android malware variants reconbee.com/hugging-face...

#huggingface #androidmalware #malware #android #cyberattack

Lumen Disrupts Aisuru–Kimwolf Botnet Powering Massive DDoS Attacks

Lumen Technologies’ Black Lotus Labs has successfully disrupted more than 550 command-and-control (C2) servers connected to the Aisuru and Kimwolf botnets, a large-scale malicious infrastructure widely used for distributed denial-of-service (DDoS) attacks and residential proxy abuse. Aisuru operates as a DDoS-for-hire platform and deliberately avoids targeting government and military entities. However, broadband service providers have borne the brunt of its activity, with attacks surpassing 1.5Tb/sec originating from compromised customer devices, causing severe service interruptions.

Similar to other TurboMirai-based botnets, Aisuru includes enhanced DDoS capabilities alongside multifunctional features. These allow threat actors to engage in a range of illegal operations such as credential stuffing, AI-powered web scraping, spam campaigns, phishing attacks, and proxy services. The botnet launches assaults using UDP, TCP, and GRE flood techniques, leveraging medium-sized packets with randomized ports and flags. Traffic volumes exceeding 1Tb/sec from infected customer premises equipment (CPEs) have disrupted broadband networks, while packet floods surpassing 4 billion packets per second have led to router line card failures.

Kimwolf, a recently identified Android-based botnet closely associated with Aisuru, has compromised more than 1.8 million devices and generated over 1.7 billion DDoS commands, according to cybersecurity firm XLab. Primarily targeting Android TV boxes, the Kimwolf botnet is built using the Android NDK and includes capabilities such as DDoS attacks, proxy forwarding, reverse shell access, and file management. To conceal its operations, it encrypts sensitive information using a simple Stack XOR method, employs DNS over TLS for communication obfuscation, and verifies C2 commands through elliptic curve digital signatures.
Newer variants also use EtherHiding, leveraging blockchain-based domains to evade takedown efforts. Kimwolf variants follow a consistent naming convention of “niggabox + v[number],” with versions v4 and v5 currently observed in the wild. Researchers who seized control of a single C2 domain recorded interactions from approximately 2.7 million IP addresses within three days, reinforcing estimates that infections exceed 1.8 million devices. The botnet’s globally distributed infrastructure, multiple C2 servers, and varied versions make precise infection counts difficult. Although Kimwolf borrows elements from the Aisuru codebase, its operators significantly modified it to avoid detection. While traffic proxying is its primary function, the botnet is capable of executing large-scale DDoS campaigns. This was evident during a three-day window between November 19 and 22, when it issued 1.7 billion attack commands. Lumen observed daily bot traffic to Aisuru C2 servers rise sharply from 50,000 to 200,000 connections in September 2025. Upon validating the emergence of a new botnet, the company blocked the traffic and null-routed more than 550 C2 servers. By examining C2 infrastructure and residential proxy traffic, researchers traced links to Canadian IP addresses and shared this intelligence with law enforcement agencies. “The Canadian IPs in question were using SSH to access 194.46.59[.]169, which resolved to proxy-sdk.14emeliaterracewestroxburyma02132[.]su. In short order, we would learn that the Aisuru backend C2 we were tracking adopted the domain name client.14emeliaterracewestroxburyma02132[.]su, a similarity that further tied these servers together” reads the report published by Lumen. In early October, Black Lotus Labs detected infrastructure shifts signaling the rise of the Kimwolf botnet. Its growth was rapid, adding hundreds of thousands of infected devices within weeks, largely through exploitation of insecure residential proxy services. 
By mid-October, infections had reached approximately 800,000 devices, with the botnet actively scanning proxy networks to accelerate expansion. Black Lotus Labs initiated disruption efforts against Kimwolf in October by swiftly null-routing its C2 servers. While operators were able to reestablish operations within hours, Lumen persistently blocked new infrastructure as it surfaced. Through continuous monitoring, collaboration with industry partners, and integration of threat indicators into its security products, Lumen worked to reduce the botnet’s operational capacity over time. “To date, we have null-routed over 550 Aisuru/Kimwolf servers in 4 months as part of our efforts to combat this botnet, leading its operators to some distress, as noted in Xlabs’ post, showing the actors addressing Lumen with profanity in one DDoS payload” concludes the report.

Lumen Disrupts Aisuru–Kimwolf Botnet Powering Massive DDoS Attacks #Aisurubotnet #AndroidMalware #BlackLotusLabs

New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services

Devixor, an advanced Android banking RAT with ransomware capabilities, is targeting Iranian users through phishing sites to steal financial data.

Full Article: www.technadu.com/new-devixor-...

How should Android users and financial institutions respond to this shift?
#AndroidMalware #BankingTrojan #Ransomware #MobileSecurity #CyberThreats


Beware of 'Ghost Tapped' malware exploiting NFC on Android devices to drain bank accounts. Stay vigilant and only download apps from trusted sources. #CyberSecurity #AndroidMalware #NFCExploit Link: thedailytechfeed.com/android-malw...

Unmasking "Wonderland" – The New Wave of Android Droppers & SMS Stealers

In this episode of Upwardly Mobile, we dive deep into the evolving landscape of Android malware. We break down the emergence of Wonderland (formerly WretchedCat), a sophisticated SMS stealer targeting users in Uzbekistan through legitimate-looking "dropper" applications. We explore how threat actors, specifically the "TrickyWonders" group, are leveraging Telegram and malicious ad campaigns to bypass security checks and hijack devices. We also discuss the broader trend of Malware-as-a-Service (MaaS), including new threats like Cellik, Frogblight, and NexusRoute that are lowering the barrier to entry for cybercriminals globally. From real-time screen streaming to bypassing Google Play protections, we analyze the tactics defining modern mobile security threats.

Key Topics Discussed:
- The Rise of Droppers: How malware operators are shifting from "pure" Trojans to "droppers" (like MidnightDat and RoundRift) that appear harmless to evade detection before deploying payloads.
- Wonderland's Capabilities: How this malware establishes bidirectional communication to intercept OTPs, steal contacts, and execute USSD requests.
- The MaaS Economy: A look at the "Cellik" RAT, which offers one-click APK building to bundle malware inside legitimate apps, and "Frogblight," which targets users via fake court documents.
- Government Impersonation: How "NexusRoute" is targeting users in India by mimicking government service portals to steal financial data and UPI PINs.
- Defense Strategies: The importance of blocking unknown source installations and monitoring for suspicious SMS/USSD patterns.

Sponsored By: This episode is brought to you by Approov. Stop mobile app abuse and API misuse. Ensure that the requests your API handles are from the genuine mobile app running on a safe mobile device.
👉 Visit our sponsor: https://approov.io/

Relevant Links & Source Materials:
- The Hacker News: https://thehackernews.com/2025/12/android-malware-operations-merge.html
- SC Media: https://www.scworld.com/brief/android-malware-wonderland-evolves-with-dropper-apps-targeting-uzbekistan
- Cypro: https://www.cypro.se/2025/12/22/android-malware-operations-merge-droppers-sms-theft-and-rat-capabilities-at-scale/

Keywords: Android Malware, Wonderland, SMS Stealer, Dropper Apps, Mobile Security, Remote Access Trojan (RAT), TrickyWonders, Cybersecurity, One-Time Password (OTP) Theft, Malware-as-a-Service, Approov.

📣 New Podcast! "Unmasking "Wonderland" – The New Wave of Android Droppers & SMS Stealers" on @Spreaker #androidmalware #approov #appsecurity #cybersecurity #infosec #mobilesecurity #technews #upwardlymobile #wonderlandmalware


Android Malware Combines Droppers SMS RAT
Read More: buff.ly/DiaisJT

#AndroidMalware #SMSStealer #MobileRAT #DropperMalware #MobileThreats #CredentialTheft #ThreatIntel #CyberCrime


Beware of Wonderland: A new Android malware targeting Central Asia, intercepting SMS and OTPs. Stay vigilant! #CyberSecurity #AndroidMalware #WonderlandThreat Link: thedailytechfeed.com/new-android-...

Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale

Threat actors have been observed leveraging malicious dropper apps masquerading as legitimate applications to deliver an Android SMS stealer dubbed Wonderland in mobile attacks targeting users in Uzbekistan. "Previously, users received 'pure' Trojan APKs that acted as malware immediately upon installation," Group-IB said in an analysis published last week. "Now, adversaries increasingly deploy

iT4iNT SERVER Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale VDS VPS Cloud #AndroidMalware #CyberSecurity #MalwareAnalysis #SMSTheft #CyberThreats


Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale reconbee.com/android-malw...

#androidmalware #malware #mergedroppers #SMStheft #RAT #remoteaccesstrojan
