Mallory

Android Malware and Spyware Campaigns Using Trusted Platforms and Social Engineering Lures

Tags: malware, spyware, scareware, social engineering, Android, unofficial app stores, Google Play Protect, credential theft, fake update, device linking, romance scam, sideloading, government impersonation, WhatsApp, APK

Updated February 4, 2026 at 02:00 AM · 6 sources

Two separate Android-focused threat operations were reported, both relying on social engineering to drive manual installation of malicious apps. Bitdefender documented a campaign that abuses Hugging Face as a trusted hosting/CDN distribution point for an Android credential-stealing payload targeting popular financial and payment services. Victims are lured into installing a dropper app named TrustBastion via scareware-style ads; after installation it displays a fake Google Play “mandatory update” flow, then contacts infrastructure associated with trustbastion[.]com which redirects to a Hugging Face dataset repository hosting the final APK. The actor used server-side polymorphism to generate new payload variants roughly every 15 minutes, resulting in thousands of variants and rapid repository churn (reported as >6,000 commits over ~29 days); after takedown, the operation reportedly resurfaced under a new name (“Premium Club”) with refreshed branding.

ESET separately identified an Android spyware campaign tracked as GhostChat that uses romance-scam tactics to target individuals in Pakistan. The malicious app is disguised as a chat/dating service but primarily functions as a surveillance tool; it presents “locked” female profiles with passcodes (hardcoded in the app) to create a sense of exclusivity, then routes victims into WhatsApp chats tied to Pakistani numbers likely controlled by the operator. The app was distributed via unofficial sources (not Google Play) and is blocked by Google Play Protect by default; ESET also linked the same actor to a broader surveillance effort including a ClickFix compromise chain and a WhatsApp device-linking attack, using websites impersonating Pakistani government organizations as lures.

Sources

February 2, 2026 at 03:28 PM
January 30, 2026 at 12:29 PM
January 29, 2026 at 10:08 PM

Related Stories

Phishing and Smishing Campaigns Delivering Malware via Fake Apps and Trusted-Looking Lures

Multiple reports describe **social-engineering campaigns** that use trusted-looking lures (meeting invites, public-safety alerts, and official-looking documents) to drive victims to install malware or disclose credentials. Microsoft researchers reported a wave of **fake Zoom/Teams/Adobe update sites** reached via meeting-invite and document lures; the downloaded executables were signed with a **compromised EV code-signing certificate** (issued to *TrustConnect Software PTY LTD*) and acted as droppers for **remote monitoring and management (RMM) tools**, enabling persistent access. Separately, ClearSky described a suspected **Russian espionage** phishing operation targeting Ukraine that delivers a ZIP containing a Ukrainian-language border-crossing “permit” document, installing a loader (**BadPaw**) and a backdoor (**MeowMeow**) with file manipulation capabilities and sandbox/VM evasion; attribution was assessed as high confidence to a Russian state-aligned actor and low confidence to **APT28**. Mobile-focused lures were also reported: CloudSEK detailed **SMS phishing** targeting Israeli civilians with a trojanized **Red Alert** rocket-warning app, using a multi-stage loader chain to deploy spyware with **banking trojan** capabilities and exfiltrate **SMS, contacts, and location** to attacker infrastructure—raising concerns about surveillance and erosion of trust in official alerting. Other items in the set are either broader research or consumer-oriented scam advisories: a Zimperium write-up on the Android **“Massiv”** IPTV-app disguise highlights overlay-based banking fraud techniques, while Kaspersky’s mobile threat landscape report provides 2025 ecosystem statistics; two OnlineThreatAlerts posts describe generic **smishing** patterns (Amazon “refund” and flood-warning texts) without tying to a specific, evidenced campaign or new technical findings.

1 week ago
Mobile and Web Fraud Campaigns Impersonating Public Services to Steal Data

Multiple active fraud and malware operations are abusing *trusted themes and brands* to compromise users, with a heavy emphasis on mobile-first delivery via social engineering. Zimperium reported a **targeted Android spyware** operation delivered through a fake “dating” app promoted via social media and messaging links; once installed, the app requests broad permissions (e.g., SMS, contacts, media) to enable **surveillance and data exfiltration** including messages, location, and credentials. Separately, Zimperium also described an Android campaign that **hides a RAT inside artifacts presented as legitimate AI/ML components** hosted on trusted framework infrastructure, enabling attackers to bypass basic screening and gain persistent device control (data theft, screen capture, remote command execution). In parallel, CybersecurityNews summarized two public-service impersonation campaigns tied to “traffic ticket” lures. In India, attackers are mimicking **RTO e-challan** notifications distributed via WhatsApp and other messaging platforms to push off-store Android apps that steal financial and personal data; the malware reportedly uses a **three-stage modular architecture**, dynamic remote configuration, anti-analysis, and a **custom VPN tunnel** to conceal C2 and exfiltration, while prompting victims for high-risk permissions and to disable battery optimization for persistence. In Canada, a separate operation uses **SEO poisoning** and SMS/ad lures to drive victims to **fake provincial traffic ticket payment portals** (e.g., BC, Ontario, Quebec) that harvest PII and payment card data; Unit 42 attributed the activity to a broader fraud network using a phishing kit with a “waiting room” feature and infrastructure spanning **70+ domains**, including concentration on the `45.156.87.0/24` netblock.

1 month ago
Mobile malware and phishing campaigns abuse AI branding and Android tooling to steal credentials and surveil victims

Multiple mobile-focused threats were reported spanning **Android banking malware**, **iOS credential-harvesting via App Store listings**, and **Android espionage via trojanized crisis apps**. A new Android banking trojan marketed as **Mirax Bot** was advertised on underground forums as a **Malware-as-a-Service (MaaS)** offering, with claimed capabilities including **700+ app injects**, **Hidden VNC (HVNC)** for stealthy remote control, and features positioned for **account takeover (ATO)** and large-scale financial fraud; researchers noted the feature list is based on seller claims and not yet independently verified. Separately, researchers described **PromptSpy**, characterized as an Android threat that uses **generative-AI techniques** to improve phishing and fraud by generating more convincing social-engineering content and automating deceptive interactions on-device. In parallel, a phishing operation targeted iPhone users by impersonating **ChatGPT** and **Google Gemini** in emails that directed victims to **fraudulent iOS apps hosted on Apple’s App Store**; the apps (including *GeminiAI Advertising* `id6759005662` and *Ads GPT* `id6759514534`) presented a fake **Facebook login** flow to harvest credentials. Another campaign, **RedAlert**, weaponized a trojanized version of Israel’s “Red Alert” emergency app distributed as `RedAlert.apk` via **SMS phishing (smishing)**, pushing victims to sideload the APK; analysis reported the app mimicked the legitimate interface while requesting high-risk permissions (e.g., **SMS**, contacts, precise **GPS**) consistent with covert surveillance and data theft. A separate Kaspersky post focused on consumer guidance for disabling AI assistants and broader privacy concerns, and does not materially add incident-specific threat intelligence to the mobile malware/phishing reporting.

1 week ago