Mobile malware and phishing campaigns abuse AI branding and Android tooling to steal credentials and surveil victims
Multiple mobile-focused threats were reported spanning Android banking malware, iOS credential-harvesting via App Store listings, and Android espionage via trojanized crisis apps. A new Android banking trojan marketed as Mirax Bot was advertised on underground forums as a Malware-as-a-Service (MaaS) offering, with claimed capabilities including 700+ app injects, Hidden VNC (HVNC) for stealthy remote control, and features positioned for account takeover (ATO) and large-scale financial fraud; researchers noted the feature list is based on seller claims and not yet independently verified. Separately, researchers described PromptSpy, characterized as an Android threat that uses generative-AI techniques to improve phishing and fraud by generating more convincing social-engineering content and automating deceptive interactions on-device.
In parallel, a phishing operation targeted iPhone users by impersonating ChatGPT and Google Gemini in emails that directed victims to fraudulent iOS apps hosted on Apple's App Store; the apps (including GeminiAI Advertising, App Store id6759005662, and Ads GPT, id6759514534) presented a fake Facebook login flow to harvest credentials. Another campaign, RedAlert, distributed a trojanized version of Israel's "Red Alert" emergency app as RedAlert.apk via SMS phishing (smishing) that pushed victims to sideload the APK outside Google Play, which on a stock device requires the user to allow installs from unknown sources; analysis reported the app mimicked the legitimate interface while requesting high-risk permissions (SMS, contacts, precise GPS) consistent with covert surveillance and data theft. A separate Kaspersky post focused on consumer guidance for disabling AI assistants and broader privacy concerns; it does not add incident-specific threat intelligence to the mobile malware and phishing reporting above.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
SpiderLabs uncovers Android fake ChatGPT campaign via Firebase App Distribution
SpiderLabs identified an Android phishing campaign that used Google Firebase App Distribution invitation emails to deliver malicious APKs disguised as beta versions of ChatGPT and Meta advertising tools. The fake apps presented Facebook login pages to steal credentials, especially targeting business and advertising accounts, extending an earlier iOS-focused operation into Android.
SpiderLabs identifies fake ChatGPT and Gemini apps in Apple's App Store
SpiderLabs identified two fraudulent iOS apps, "GeminiAI Advertising" and "Ads GPT," on the Australian App Store that impersonated OpenAI's ChatGPT and Google's Gemini. The campaign used phishing emails to drive installs, then displayed fake Facebook login screens to steal credentials and send them to attacker-controlled infrastructure.
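The fake Facebook login flows described in the summary and in the two SpiderLabs entries above end with the captured credentials being sent to attacker-controlled infrastructure. The following is an added example, not code from SpiderLabs or from any of the reports cited here, of a detection a defender with TLS-inspected mobile traffic could run over exported request records: it flags POSTs carrying login-shaped form fields whose destination is not a Facebook domain, and separately calls out lookalike hosts that carry the brand name without being under it. The record format, the field names, and every host, app identifier and timestamp in SAMPLE_LOG are assumptions constructed for illustration.

```python
"""Flag credential-shaped POSTs leaving a device for hosts other than Facebook.

Added example, not code from SpiderLabs or from the campaign reports. It assumes
request records exported by a TLS-inspecting mobile gateway or MDM proxy as JSON
lines carrying: ts, app (client bundle/package id), method, host, path and
form_keys (the decoded form field names). That format and every host, app id
and timestamp in SAMPLE_LOG are constructed for illustration.
"""
import json
import re
from typing import Optional

# Field names a login form typically carries (case-insensitive, whole-name match).
CRED_FIELD_RE = re.compile(r"^(email|username|user|login|pass|password|pwd|passwd)$", re.I)

# Assumption: only these registrable domains are legitimate destinations for a
# Facebook login form; anything else receiving such a form is treated as exfiltration.
FACEBOOK_DOMAINS = ("facebook.com", "fb.com", "messenger.com")


def is_facebook_host(host: str) -> bool:
    """True for facebook.com itself or any subdomain (m.facebook.com, graph.facebook.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FACEBOOK_DOMAINS)


def credential_fields(rec: dict) -> list[str]:
    """Form field names in the record that look like a username/password pair."""
    return [k for k in rec.get("form_keys", []) if CRED_FIELD_RE.match(k)]


def classify(rec: dict) -> Optional[str]:
    """Reason string when the request looks like harvested credentials, else None."""
    if rec.get("method", "").upper() != "POST":
        return None
    if not credential_fields(rec):
        return None
    host = rec.get("host", "")
    if is_facebook_host(host):
        return None  # genuine destination; the client app is still worth allow-listing
    if "facebook" in host.lower():
        return "lookalike Facebook host"  # brand in the name, but not under a Facebook domain
    return "credential form posted to non-Facebook host"


def find_credential_exfil(jsonl: str) -> list[dict]:
    """Scan JSON-lines request records and return one hit per suspicious POST."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reason = classify(rec)
        if reason:
            hits.append({
                "ts": rec["ts"],
                "app": rec["app"],
                "host": rec["host"],
                "fields": credential_fields(rec),
                "reason": reason,
            })
    return hits


# Constructed sample: one genuine login, one GET, one harmless POST, two exfil POSTs.
SAMPLE_LOG = """
{"ts":"2025-01-10T08:01:02Z","app":"com.example.fbclient","method":"POST","host":"m.facebook.com","path":"/login/","form_keys":["email","pass","lsd"]}
{"ts":"2025-01-10T08:03:17Z","app":"com.example.adsgpt","method":"POST","host":"api.ads-panel.invalid","path":"/auth","form_keys":["email","password","device_id"]}
{"ts":"2025-01-10T08:04:40Z","app":"com.example.adsgpt","method":"GET","host":"graph.facebook.com","path":"/v19.0/me","form_keys":[]}
{"ts":"2025-01-10T08:06:05Z","app":"com.example.geminiads","method":"POST","host":"login.facebook-ads.invalid","path":"/session","form_keys":["username","pwd"]}
{"ts":"2025-01-10T08:07:30Z","app":"com.example.news","method":"POST","host":"search.example","path":"/q","form_keys":["q","page"]}
"""

if __name__ == "__main__":
    for hit in find_credential_exfil(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["app"]} -> {hit["host"]} {hit["fields"]}: {hit["reason"]}')
```

The stronger signal in practice is the pair of client app and destination: a third-party app posting a Facebook-shaped form anywhere other than a Facebook domain is the pattern these campaigns produce, so extending the check with an allowlist of client apps permitted to post to Facebook domains (the official app, the system browser) would also catch credentials relayed through a genuine-looking host. The host-name heuristic is coarse and only exists to surface brand-lookalike domains for review.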
PromptSpy Android malware reported using generative AI for phishing
Researchers disclosed a new Android malware family dubbed PromptSpy and described it as the first Android threat observed using generative AI to improve phishing lures, deceptive interactions, and fraud workflows. The report highlighted how AI-assisted social engineering on mobile devices could increase the effectiveness of credential theft and follow-on compromise.
CloudSEK analyzes RedAlert trojanized rocket alert app campaign
CloudSEK analyzed a mobile espionage campaign dubbed RedAlert that used SMS phishing messages impersonating Israel's Home Front Command to distribute a fake Android emergency alert app outside Google Play. The trojanized app presented a convincing interface while requesting sensitive permissions and exfiltrating SMS, contacts, and location data to attacker infrastructure using a multi-stage infection chain with evasion techniques.
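The RedAlert entry above, like the summary, identifies the permission profile (SMS, contacts, precise location) as the tell that separates the trojanized app from the legitimate alert app. The following is an added example, not CloudSEK's or the report's own code, of turning that observation into a repeatable triage step: it parses a decoded AndroidManifest.xml (as produced by apktool d sample.apk) and compares the requested permissions with a baseline of what an emergency-alert app plausibly needs. The baseline, the verdict thresholds and both embedded manifests (package names included) are assumptions constructed for illustration.

```python
"""Permission triage for a decoded AndroidManifest.xml.

Added example; not code from CloudSEK or the RedAlert report. It assumes the
manifest has already been decoded to text (for instance with `apktool d sample.apk`,
which writes AndroidManifest.xml into the output directory) and that the baseline
below is a fair description of an emergency-alert app's needs. Both manifests
embedded here are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Baseline (assumption): what a rocket/emergency alert app plausibly needs.
EXPECTED_FOR_ALERT_APP = {
    "android.permission.INTERNET",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.VIBRATE",
    "android.permission.ACCESS_COARSE_LOCATION",  # region-level alerting
}

# Permissions that together enable the SMS/contact/location theft described for
# RedAlert, plus staging of further payloads in a multi-stage chain.
HIGH_RISK = {
    "android.permission.READ_SMS": "read stored SMS (OTP/2FA theft)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS (propagation, premium fraud)",
    "android.permission.READ_CONTACTS": "harvest contact list",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS tracking",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "track location while app is closed",
    "android.permission.READ_CALL_LOG": "harvest call history",
    "android.permission.RECORD_AUDIO": "ambient audio capture",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload further APKs",
}

# Constructed manifest resembling a trojanized alert app.
MALICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.alertclone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

# Constructed manifest resembling a legitimate alert app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.alertapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> element in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def triage(manifest_xml: str) -> dict:
    """Compare requested permissions with the alert-app baseline and assign a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    flagged = {p: HIGH_RISK[p] for p in perms if p in HIGH_RISK}
    unexpected = sorted(set(perms) - EXPECTED_FOR_ALERT_APP - set(flagged))
    # Thresholds (assumption): one high-risk or off-baseline permission deserves a
    # look; two or more high-risk ones in an app that only displays alerts is the
    # surveillance profile reported for RedAlert.
    if len(flagged) >= 2:
        verdict = "suspicious"
    elif flagged or unexpected:
        verdict = "review"
    else:
        verdict = "ok"
    return {"package": root.get("package"), "flagged": flagged,
            "unexpected": unexpected, "verdict": verdict}


if __name__ == "__main__":
    for manifest in (BENIGN_MANIFEST, MALICIOUS_MANIFEST):
        result = triage(manifest)
        print(result["package"], result["verdict"])
        for perm, why in result["flagged"].items():
            print("  ", perm, "->", why)
```

The manifest is only the first check: a sample can also request dangerous permissions at runtime from code, or hold an accessibility service declared on a <service> element rather than through <uses-permission>, so a clean manifest triage should be followed by the usual review of declared services, receivers (an SMS_RECEIVED receiver is a strong hint on its own) and network destinations.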
KrakenLabs flags Mirax Bot MaaS advertisement on underground forums
KrakenLabs reported identifying and flagging an underground forum advertisement for Mirax Bot, a newly promoted Android banking malware offered as a Malware-as-a-Service. The seller claimed features including HVNC access, hundreds of banking overlays, credential and OTP theft, and use of victim devices as residential proxies, though the capabilities were not independently verified.
Sources
6 references tracked.
Fake “ChatGPT” Apps Used to Deliver Mobile Malware (zimperium.com)
Hackers Attacking Android Users With Fake ChatGPT Invites to Deploy Malware (cybersecuritynews.com)
New Android Mirax Bot Advertised on Cybercriminal Forums Claiming Advanced Capabilities (cybersecuritynews.com)
Phishing Emails Push Fake ChatGPT and Gemini iOS Apps To Steal Logins (cybersecuritynews.com)
PromptSpy Shows How AI Can Amplify Mobile Phishing and Fraud Risks (zimperium.com)
RedAlert Mobile Espionage Campaign Targets Civilians with Trojanized Rocket Alert App for Surveillance (cybersecuritynews.com)