Android
-
GoldFactory modifies banking apps to spread Android remote-access trojans across Southeast Asia, Group-IB reports
Group-IB said GoldFactory has been distributing modified banking apps across Thailand, Vietnam and Indonesia to deploy Android remote-access trojans that abuse accessibility services, and researchers uncovered a pre-release variant called Gigaflower with advanced data-extraction features.
-
Google issues December Android security updates, patches 107 flaws including two exploited in the wild
Google released December 2025 Android security patches that fix 107 vulnerabilities across multiple components, including two Framework flaws reported as exploited in the wild; users and manufacturers are urged to apply the 2025-12-01 or 2025-12-05 updates.
-
New Android RAT ‘Albiriox’ marketed as MaaS targets banking and crypto apps
A new Android remote access trojan called Albiriox is being sold as malware‑as‑a‑service and targets more than 400 banking, payment and crypto apps using droppers, VNC‑based remote control, accessibility abuses and overlays to conduct on‑device fraud, researchers reported.
-
CISA warns of active spyware campaigns targeting messaging app users
CISA warned that threat actors are actively using commercial spyware and remote access trojans to compromise users of mobile messaging apps, citing multiple campaigns that used techniques such as zero‑click exploits, device‑linking QR codes and spoofed apps, and urged high‑value individuals to follow specific security guidance.
-
Researchers disclose Sturnus Android banking trojan that can capture messages and take over devices
Security researchers say a new Android banking trojan called Sturnus can capture decrypted messages from apps like WhatsApp, Telegram and Signal, present fake bank login screens, and allow remote control of infected devices; ThreatFabric reports the campaign so far is limited to Southern and Central Europe.
-
Researchers detail Android RAT ‘Fantasy Hub’ sold as Malware‑as‑a‑Service on Telegram
Security researchers and industry trackers say an Android remote access trojan named Fantasy Hub is being sold on Russian‑language Telegram channels as a Malware‑as‑a‑Service, offering device takeover, SMS interception, APK trojanising, and subscription pricing while mirroring features seen in other Android RATs and banking trojans.
-
North Korean-linked group used Google device service to wipe South Korean Android phones
South Korean researchers say the North Korean-linked KONNI group abused Google’s device-management features to remotely factory-reset Android phones, using stolen credentials harvested via phishing and RATs spread over KakaoTalk.
-
Researchers detail BankBot‑YNRK and DeliveryRAT Android trojans that steal credentials and payment data
Researchers say two Android trojans, BankBot‑YNRK and DeliveryRAT, have been observed harvesting credentials, payment and device data; reports from CYFIRMA and F6 detail targeted device checks, use of accessibility services, persistence mechanisms and distribution via fake apps and malware‑as‑a‑service.
-
Herodotus Android malware uses human-like typing delays to evade detection
Threat Fabric has identified Herodotus, an Android malware-as-a-service that uses randomized typing delays to mimic human input and evade timing-based detection, and is being distributed via SMS to users in Italy and Brazil.
-
Researchers describe “Pixnapping” Android side‑channel that can steal 2FA codes
A team of academic researchers disclosed “Pixnapping,” a side‑channel pixel‑stealing technique that can recover on‑screen data including two‑factor codes on Android by exploiting rendering APIs and graphical operations, and Google has issued patches under CVE‑2025‑48561 while some issues remain unpatched.
