Mobile malware and phishing campaigns abuse AI branding and Android tooling to steal credentials and surveil victims
Multiple mobile-focused threats were reported spanning Android banking malware, iOS credential-harvesting via App Store listings, and Android espionage via trojanized crisis apps. A new Android banking trojan marketed as Mirax Bot was advertised on underground forums as a Malware-as-a-Service (MaaS) offering, with claimed capabilities including 700+ app injects, Hidden VNC (HVNC) for stealthy remote control, and features positioned for account takeover (ATO) and large-scale financial fraud; researchers noted the feature list is based on seller claims and not yet independently verified. Separately, researchers described PromptSpy, characterized as an Android threat that uses generative-AI techniques to improve phishing and fraud by generating more convincing social-engineering content and automating deceptive interactions on-device.
In parallel, a phishing operation targeted iPhone users by impersonating ChatGPT and Google Gemini in emails that directed victims to fraudulent iOS apps hosted on Apple’s App Store; the apps (including GeminiAI Advertising id6759005662 and Ads GPT id6759514534) presented a fake Facebook login flow to harvest credentials. Another campaign, RedAlert, weaponized a trojanized version of Israel’s “Red Alert” emergency app distributed as RedAlert.apk via SMS phishing (smishing), pushing victims to sideload the APK; analysis reported the app mimicked the legitimate interface while requesting high-risk permissions (e.g., SMS, contacts, precise GPS) consistent with covert surveillance and data theft. A separate Kaspersky post focused on consumer guidance for disabling AI assistants and broader privacy concerns, and does not materially add incident-specific threat intelligence to the mobile malware/phishing reporting.
Sources
Related Stories
Mobile Threat Research Highlights iOS Exploit Framework and Emerging Android Trojan Campaigns
Security researchers reported a sophisticated iPhone exploitation framework dubbed **Coruna** that appears to have originated as a professionally developed, likely government-grade capability and later proliferated to foreign espionage and criminal actors. Analyses cited by Google’s Threat Intelligence Group and mobile security firm iVerify describe **five exploit chains** spanning **20+ vulnerabilities** affecting **iOS 13 through 17.2.1**, enabling delivery via malicious web content for device fingerprinting, remote code execution, and bypass of key iOS mitigations; the tool’s apparent usage trail includes alleged deployment by **Russian intelligence against Ukrainian targets** and subsequent adoption by a cybercrime group for cryptocurrency theft. Separate mobile-threat reporting detailed multiple **Android** campaigns and families emphasizing stealth, persistence, and credential theft. CloudSEK described a **RedAlert** trojanized app impersonating Israel’s Home Front Command alerting application, using a **multi-stage APK/DEX loader chain** (including an `assets/` payload) and UI mimicry while coercing high-risk permissions (e.g., Contacts, SMS, Location) and establishing C2. PolySwarm summarized **PromptSpy**, an Android RAT with VNC-based remote control that integrates **Google Gemini** to generate context-aware UI gesture instructions from screen XML dumps to improve persistence across device variants, distributed via a phishing site impersonating a bank portal and assessed as financially motivated (notably targeting Argentina). Zimperium separately profiled **ZeroDayRAT** as a modular Android spyware platform spread via social engineering and sideloading, supporting surveillance and financial theft (e.g., screen capture, keylogging, credential harvesting), underscoring continued escalation in mobile malware sophistication.
1 weeks ago
Phishing and Smishing Campaigns Delivering Malware via Fake Apps and Trusted-Looking Lures
Multiple reports describe **social-engineering campaigns** that use trusted-looking lures (meeting invites, public-safety alerts, and official-looking documents) to drive victims to install malware or disclose credentials. Microsoft researchers reported a wave of **fake Zoom/Teams/Adobe update sites** reached via meeting-invite and document lures; the downloaded executables were signed with a **compromised EV code-signing certificate** (issued to *TrustConnect Software PTY LTD*) and acted as droppers for **remote monitoring and management (RMM) tools**, enabling persistent access. Separately, ClearSky described a suspected **Russian espionage** phishing operation targeting Ukraine that delivers a ZIP containing a Ukrainian-language border-crossing “permit” document, installing a loader (**BadPaw**) and a backdoor (**MeowMeow**) with file manipulation capabilities and sandbox/VM evasion; attribution was assessed as high confidence to a Russian state-aligned actor and low confidence to **APT28**. Mobile-focused lures were also reported: CloudSEK detailed **SMS phishing** targeting Israeli civilians with a trojanized **Red Alert** rocket-warning app, using a multi-stage loader chain to deploy spyware with **banking trojan** capabilities and exfiltrate **SMS, contacts, and location** to attacker infrastructure—raising concerns about surveillance and erosion of trust in official alerting. Other items in the set are either broader research or consumer-oriented scam advisories: a Zimperium write-up on the Android **“Massiv”** IPTV-app disguise highlights overlay-based banking fraud techniques, while Kaspersky’s mobile threat landscape report provides 2025 ecosystem statistics; two OnlineThreatAlerts posts describe generic **smishing** patterns (Amazon “refund” and flood-warning texts) without tying to a specific, evidenced campaign or new technical findings.
1 weeks ago
Android Mobile Malware Campaigns Targeting SMS/OTP and Identity Data
Multiple reports highlight evolving **Android** threats that abuse SMS/telephony access and advanced evasion to enable fraud, surveillance, and account takeover. CloudSEK described a shift from repackaged apps to **runtime manipulation** using the *LSPosed* framework, where a malicious module (e.g., **Digital Lutera**) hooks `SmsManager` and `TelephonyManager` to undermine India’s **UPI SIM-binding** controls. The technique can intercept registration tokens and 2FA, spoof device identity/phone number, and exfiltrate data to **Telegram**; it also uses **Socket.IO** for real-time C2 and can remotely inject fabricated SMS entries into the device’s “Sent” database to make bank backends believe a SIM is present on a different device, enabling scalable payment fraud and account takeover. Separately, Acronis TRU (reported by Hackread) identified a **fake Red Alert** rocket-warning app distributed via SMS lures impersonating Israel’s Home Front Command; the trojanized app displays legitimate alerts to reduce suspicion while requesting extensive permissions to steal **GPS location**, **SMS/OTP**, contacts, installed-app inventory, and on-device account details, then exfiltrates data to a remote server, including via **certificate spoofing** and UI tricks to appear Play Store-installed. Zimperium reported a new Android RAT, **SurxRAT**, that can download and run **LLM modules** from third-party repositories to automate phishing and social engineering and to interact with apps/UI for credential theft and data exfiltration, reinforcing the need for behavior-based mobile detection, tighter app controls, and stronger integrity enforcement (e.g., *Play Integrity API* with `MEETS_STRONG_INTEGRITY`) where applicable.
1 weeks ago