Android malware
- TrickMo Android banker adds TON blockchain for covert communications
  A new TrickMo Android banking malware variant is targeting users in Europe and using the TON blockchain for covert command-and-control traffic, according to a technical analysis. The malware adds new network and tunneling commands and targets banking and crypto wallets.
- ScarCruft pushes Android BirdCall spyware through game platform
  APT37 has been distributing an Android version of its BirdCall backdoor through a gaming platform supply-chain attack, according to ESET. The spyware can gather contacts, messages, device data, screenshots and files.
- NGate malware campaign targets Brazil through trojanized HandyPay app
  Researchers found a new NGate Android malware campaign targeting Brazil since around November 2025. The trojanized HandyPay app can relay NFC payment data, capture PINs and help thieves carry out fraudulent ATM withdrawals.
- BeatBanker Android malware poses as Starlink app and hijacks devices in Brazil
  BeatBanker is Android malware that combines a banking trojan and a Monero miner, uses a fake Starlink Play Store page for delivery and a looping MP3 to stay active. Infections were recorded in Brazil.
- Six Android malware families steal data and hijack payments, researchers find
  Researchers found six Android malware families that steal data and enable financial fraud. The trojans use fake Play Store listings, accessibility abuse and screen overlays to hijack transfers, including real-time attacks on Brazil's Pix system.
- Android click-fraud trojans use TensorFlow.js to tap hidden browser ads
  Android click-fraud trojans using TensorFlow.js analyze hidden WebView screenshots to tap ads. Infected apps were distributed through Xiaomi GetApps and third-party APK sites, causing battery drain and increased mobile data charges.
- Lumma Stealer delivered through fake itch.io update links to Patreon
  G DATA Security Lab found a campaign using spam comments on itch.io that linked to Patreon downloads of a nexe-compiled executable, which writes a native module and loads a LummaStealer payload. Samples include six anti-analysis checks.
- Jamf finds MacSync macOS stealer delivered in signed, notarized Swift installer
  Jamf researchers found a MacSync macOS stealer variant delivered in a code-signed, notarized Swift installer inside a DMG that could bypass Gatekeeper. Apple revoked the signing certificate, and analysis links the payload to the rebranded Mac.c infostealer with remote command-and-control capabilities.
- Malicious npm WhatsApp API 'lotusbail' found stealing tokens and linking attacker devices
  A malicious npm package named lotusbail, downloaded more than 56,000 times, masquerades as a WhatsApp API while capturing authentication tokens, messages and contacts and linking an attacker device to victims' WhatsApp accounts, Koi Security researchers said. ReversingLabs also disclosed related NuGet supply-chain malware.
- Iran-linked APT Infy resurfaces with updated Foudre and Tonnerre malware
  SafeBreach and other researchers reported renewed activity by the Iranian APT known as Infy (Prince of Persia), documenting updated Foudre and Tonnerre malware, use of a domain generation algorithm for C2 resilience, and a Telegram-based channel in recent campaigns affecting targets in the Middle East, India, Canada and Europe.