
MiningDropper Turns Android Apps Into Multi-Stage Malware Delivery Systems


Researchers have uncovered an Android malware framework dubbed MiningDropper. Security researchers at Cyble Research and Intelligence Labs (CRIL) have identified a sharp increase in campaigns using MiningDropper, a modular platform capable of distributing multiple types of malicious payloads, including cryptocurrency miners, infostealers, Remote Access Trojans (RATs), and banking malware. A notable aspect of this campaign is its abuse of the open-source Lumolight application, which has been repurposed as a trojanized entry point.

A Modular Android Malware Framework at Scale

MiningDropper is not a conventional malware strain. Instead, it operates as a multi-stage delivery framework designed to evade detection and dynamically deploy payloads. Its architecture integrates XOR-based obfuscation, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation techniques. These layers collectively delay analysis and reduce the likelihood of detection by traditional antivirus solutions.

Over 1,500 MiningDropper samples have been observed in the wild within a single month, with more than 50% showing minimal antivirus detection. Notably, around 668 samples registered only three antivirus detections, indicating widespread distribution with low visibility.

Lumolight as the Initial Infection Vector 

A recent variant of MiningDropper uses a trojanized version of Lumolight as its initial payload. Victims unknowingly install this compromised application through phishing links, fraudulent websites, or social media campaigns. Once installed, the malicious application triggers a native library, “librequisitionerastomous.so”, which begins the execution chain. This native layer decrypts XOR-obfuscated strings at runtime and checks whether the app is running in an emulator or rooted environment. If such conditions are detected, the malware halts execution to avoid analysis. Otherwise, it proceeds to decrypt and load the first-stage payload from the app’s assets. 

Multi-Stage Payload Delivery Mechanism 

Figure: MiningDropper attack chain (Source: Cyble)

MiningDropper’s infection chain unfolds across multiple stages:
  • Initial Stage: The native code decrypts an embedded asset using a hardcoded XOR key, producing a DEX file. This file is dynamically loaded using DexClassLoader and executes a bootstrap component.
  • First Stage: The bootstrap loader decrypts a second-stage payload using AES encryption. The AES key is derived from the SHA-1 hash of the file name, making it harder for analysts to extract static keys.
  • Second Stage: This stage presents a fake Google Play update interface, a social engineering tactic designed to maintain user trust. Behind the scenes, it decrypts additional payloads and configuration files. The malware can operate in two modes: a cryptocurrency miner or a user-defined malicious payload. Configuration files such as “norweyanlinkediting” (miner path) and “udela” (user payload path) dictate the behavior. These configurations include parameters like remote control capabilities, payload splits, and subscription timelines.
  • Third Stage: The malware extracts a ZIP archive containing further DEX files and native libraries. Acting as a split-APK installer, it reconstructs and installs the final payload based on the configuration.
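The first two stages above rest on two decryption steps an analyst has to reverse: an asset XOR-decoded into a DEX file, and a second stage whose AES key is the SHA-1 hash of a file name. The following triage helper is an added example, not code from Cyble or from the malware itself. It recovers a short repeating XOR key from the known DEX header (magic, version digits and Adler-32 checksum) and derives the per-file key the way the report describes. Two details are assumptions not stated on the page: the XOR key is at most four bytes long, and the AES key is the first 16 bytes of the SHA-1 digest (AES-128). The encoded asset is constructed inline.

```python
"""Triage helper for MiningDropper-style staged payloads (added example)."""
import hashlib
import zlib
from typing import Optional, Tuple

DEX_MAGIC = b"dex\n"  # every DEX file begins "dex\n" + 3 version digits + NUL


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; used both to encode the sample and decode it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_dex(data: bytes) -> bool:
    """Check magic, ASCII version digits, NUL terminator and the Adler-32 checksum.

    A real DEX header is 0x70 bytes; only the fields read here are required.
    The checksum at offset 8 covers everything from offset 12 to the end.
    """
    if len(data) < 32 or data[:4] != DEX_MAGIC:
        return False
    if not data[4:7].isdigit() or data[7] != 0:
        return False
    stored = int.from_bytes(data[8:12], "little")
    return (zlib.adler32(data[12:]) & 0xFFFFFFFF) == stored


def recover_dex(blob: bytes, max_key_len: int = 4) -> Optional[Tuple[bytes, bytes]]:
    """Recover (key, dex_bytes) from an XOR-encoded asset, or None.

    Because the first bytes of the plaintext are known ("dex\n"), each key byte
    is solved directly from the ciphertext for every candidate key length; the
    version digits and checksum then confirm the guess (known-plaintext attack
    on a hardcoded key, assumption: key length <= max_key_len).
    """
    for key_len in range(1, max_key_len + 1):
        key = bytes(blob[i] ^ DEX_MAGIC[i] for i in range(key_len))
        decoded = xor_bytes(blob, key)
        if looks_like_dex(decoded):
            return key, decoded
    return None


def derive_stage_key(file_name: str) -> bytes:
    """Second-stage AES key as described: SHA-1 of the file name (16 bytes assumed)."""
    return hashlib.sha1(file_name.encode("utf-8")).digest()[:16]


def build_sample_dex(body: bytes) -> bytes:
    """Construct a minimal DEX-shaped blob for this example (not a real class file)."""
    tail = bytes(20) + body  # 20-byte signature field followed by the payload
    checksum = zlib.adler32(tail) & 0xFFFFFFFF
    return b"dex\n035\x00" + checksum.to_bytes(4, "little") + tail


# Constructed sample: a fake DEX encoded with a two-byte key, as an asset would be.
SAMPLE_KEY = b"\x5a\xc3"
SAMPLE_ASSET = xor_bytes(build_sample_dex(b"constructed payload body"), SAMPLE_KEY)

if __name__ == "__main__":
    result = recover_dex(SAMPLE_ASSET)
    if result is None:
        print("no DEX header recoverable")
    else:
        key, dex = result
        print(f"XOR key {key.hex()} -> DEX version {dex[4:7].decode()} ({len(dex)} bytes)")
    print("stage key for 'udela':", derive_stage_key("udela").hex())
```

On a real sample, `recover_dex` would be pointed at each file under the APK's `assets/` directory; a hit tells the analyst which asset is the bootstrap DEX without first reversing the native library. The checksum check matters because four bytes of magic alone produce false positives once several key lengths are tried.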

Campaigns Targeting Multiple Regions 

CRIL identified two primary campaign clusters leveraging MiningDropper: 
  • Infostealer Campaign (India): This campaign targets Indian users by impersonating trusted entities such as Regional Transport Office (RTO) services, banks, telecom providers, and popular apps. In October 2025, a campaign using RTO-themed lures distributed malicious APK files that ultimately deployed infostealers to harvest sensitive financial and personal data. 
  • BTMOB RAT Campaign (Global): Another campaign distributes MiningDropper across Europe, Latin America, and Asia. In this case, the final payload is BTMOB RAT, a powerful Android trojan first identified in February 2024 as a variant of SpySolr malware. It supports credential theft, real-time remote control, device takeover, and financial fraud operations. 
Interestingly, while BTMOB RAT was initially distributed without obfuscation and detected by multiple antivirus engines, its integration with MiningDropper has reduced detection rates to as low as one to three engines. 

Final Payload Capabilities 

The final payload delivered by MiningDropper depends on the configuration: 
  • Infostealers: Extract sensitive data such as login credentials and financial information.
  • RATs (e.g., BTMOB RAT): Enable full device compromise, including screen monitoring, file access, audio recording, and command execution via WebSocket-based communication.
  • Banking Trojans: Facilitate financial fraud through credential harvesting and transaction manipulation. 
  • Cryptocurrency Miners: Utilize device resources for unauthorized mining operations.
The malware also abuses Android Accessibility Services to gain extensive control over infected devices, allowing it to simulate user interactions and grant additional permissions. 

A Scalable Malware-as-a-Framework Model 

MiningDropper demonstrates a shift toward malware frameworks that prioritize scalability and adaptability. Its ability to switch between payloads using configuration changes, without altering the core architecture, makes it highly reusable across campaigns. This modularity enables threat actors to rapidly expand operations while maintaining low detection rates.

MiningDropper is more than just another Android malware strain. By combining advanced obfuscation, multi-stage execution, and the exploitation of legitimate projects like Lumolight, it represents a threat model capable of sustaining large-scale, global campaigns.

Perseus Android Malware Targets Mobile Banking Users via Fake IPTV Apps


A newly identified strain of Perseus Android malware is quietly infiltrating smartphones by disguising itself as television streaming apps, an approach that says a lot about where mobile threats are headed. According to researchers at ThreatFabric, this Android malware is not just another credential stealer. It is more invasive, more persistent, and far more aware of how people actually use their devices today. At a time when smartphones double as banking hubs, personal diaries, and authentication tools, the emergence of Perseus Android malware highlights a worrying shift: attackers are no longer just stealing passwords, they are studying users.

Perseus Android Malware Shows Evolution of Mobile Threats

The Perseus Android malware builds on older malware families like Cerberus and Phoenix, but it doesn’t simply replicate them, it refines them. This is part of a broader trend in Android malware, where attackers reuse proven codebases and add targeted enhancements rather than reinventing the wheel. This evolution matters. Instead of noisy, easily detectable attacks, modern mobile security threats are becoming quieter and more efficient. Perseus, for instance, leverages legitimate Android features like Accessibility Services to maintain control over infected devices. This allows it to operate in ways that mimic normal user behavior, making detection significantly harder. The result? A malware strain that blends in rather than stands out.

IPTV Apps Malware: A Familiar Trap with Higher Stakes

One of the most notable aspects of the Perseus Android malware is its distribution method. It hides inside IPTV apps, streaming applications that users often download outside official app stores. This is not accidental. IPTV apps are widely used and frequently sideloaded, especially in regions like Turkey and Italy, which are the primary targets of this campaign. Users are already conditioned to install these apps manually, lowering their guard in the process. This tactic reflects a growing pattern in IPTV apps malware campaigns. Instead of exploiting technical vulnerabilities, attackers exploit user behavior. It’s a subtle but effective shift—from hacking systems to manipulating habits.

Targeting Notes and Personal Data

What sets the Perseus Android malware apart from typical Android malware is its focus on personal notes. While most malware targets login credentials or banking data, Perseus goes a step further by scanning note-taking applications. This is a significant escalation. Notes often contain highly sensitive information, passwords, recovery phrases, financial details, and even private thoughts. By accessing this data, attackers gain context, not just credentials. The malware uses a command called “scan_notes” to systematically open note-taking apps and extract their contents without user interaction. This isn’t just data theft—it’s surveillance.

Full Device Takeover Through Advanced Remote Control

The Perseus Android malware also enables full device takeover using remote control capabilities. Through Accessibility-based sessions, attackers can monitor screens in near real time, capture user inputs, and even overlay fake interfaces to steal sensitive information. This combination of keylogging and overlay attacks makes it particularly dangerous for mobile banking data theft. Users may believe they are interacting with legitimate banking apps, while in reality, their inputs are being intercepted. In practical terms, this means attackers can not only access accounts but also initiate and authorize fraudulent transactions.

Strong Evasion Tactics Make Detection Harder

Another reason the Perseus Android malware is concerning is its ability to evade detection. It performs extensive environment checks to determine whether it is running on a real device or within an analysis environment. It looks for signs like:
  • Presence of debugging tools
  • Emulator characteristics
  • Root access indicators
  • Unrealistic hardware or battery data
If anything seems suspicious, the malware adjusts its behavior or remains dormant. This level of anti-analysis capability shows how far mobile security threats have evolved.

Perseus Android Malware Is a Sign of What’s Coming Next

The Perseus Android malware isn’t just another Android malware campaign—it’s a clear signal of how mobile threats are changing. This isn’t about mass infections anymore; it’s about smarter attacks that quietly blend into everyday app usage. What stands out is intent. From hiding inside IPTV apps to scanning personal notes and enabling full device control, Perseus Android malware shows that attackers are no longer satisfied with just stealing passwords. They want deeper access—context, behavior, and control. That shift should not be underestimated. When malware starts targeting how people actually use their phones, not just what they store, the risk becomes harder to spot and even harder to stop. For users, this reinforces a simple but often ignored reality: sideloading apps comes with real consequences. And for security teams, it’s another reminder that mobile threat detection needs to go beyond traditional indicators. Perseus Android malware may be built on older code, but its execution feels current—and that’s exactly why it matters.

BeatBanker malware targets Android users with banking Trojan and crypto miner

BeatBanker Android malware spreads through fake Starlink apps on websites imitating Google Play Store, hijacking devices, stealing credentials, and mining crypto.

A new Android malware called BeatBanker spreads through fake Starlink apps distributed on websites posing as the Google Play Store. Once installed, it hijacks devices, steals login credentials, tampers with cryptocurrency transactions, and secretly mines Monero, combining banking trojan capabilities with crypto-mining.

The campaign mainly targets users in Brazil, spreading through phishing pages and sometimes via WhatsApp, allowing attackers to maintain long-term surveillance and remote control of compromised phones.

In newer attacks, operators replaced the banker component with a RAT and maintain persistence while communicating with mining pools.

The campaign starts with a phishing site that mimics the Google Play Store and distributes a fake “INSS Reembolso” app.

The malware impersonates the official service of Instituto Nacional do Seguro Social, tricking users into installing a trojanized APK disguised as a trusted government app.

“At various stages of the attack, BeatBanker disguises itself as a legitimate application on the Google Play Store and as the Play Store itself,” states the report published by Kaspersky.

The packed APK uses a native library to decrypt and load hidden malware directly in memory, helping it evade mobile antivirus detection. It also checks device details and blocks execution in analysis environments. The app then shows a fake update page resembling the Google Play Store to trick victims into installing additional malicious payloads and maintain persistence.

After victims tap Update on a fake Google Play Store screen, the malware downloads a cryptominer based on XMRig and connects to attacker-controlled mining pools. It uses Firebase Cloud Messaging as its command-and-control channel. Each message triggers checks on battery level, temperature, installation date, and user activity, allowing attackers to start or stop the hidden crypto miner and keep infected devices responsive to remote commands while monitoring key device conditions.

BeatBanker maintains persistence by running a foreground service that plays a silent audio loop to avoid shutdown. It also installs a banking trojan that abuses accessibility permissions to control the device, monitor browsers, and target crypto apps such as Binance and Trust Wallet.
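Every family on this page (MiningDropper, Perseus and BeatBanker) ends up abusing Android Accessibility Services to drive the device, so an enabled accessibility service from an unexpected, sideloaded package is a common indicator worth auditing. The script below is an added example, not from Kaspersky, ThreatFabric or Cyble. It parses two outputs a responder can pull over ADB: `settings get secure enabled_accessibility_services` (a colon-separated list of flattened `package/class` component names) and `pm list packages -i` (each package with its installer). The allowlist and the sample outputs are constructed; the package names in them are placeholders, not indicators from the reports.

```python
"""Audit enabled Accessibility Services against an allowlist (added example)."""
from typing import Dict, List, NamedTuple, Set


class AccessibilityService(NamedTuple):
    package: str
    component: str


class Finding(NamedTuple):
    service: AccessibilityService
    installer: str  # "com.android.vending" for Play, "null" when sideloaded
    active: bool    # False when the global accessibility_enabled flag is 0


def parse_enabled_services(setting: str) -> List[AccessibilityService]:
    """Parse enabled_accessibility_services: "pkg/Class:pkg2/.Relative:".

    A class beginning with "." is relative to its package, exactly as Android's
    ComponentName flattening writes it. Empty entries (trailing ':') are skipped.
    """
    services = []
    for entry in setting.strip().split(":"):
        if not entry or "/" not in entry:
            continue
        package, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = package + cls
        services.append(AccessibilityService(package, cls))
    return services


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Parse `pm list packages -i` lines: "package:<name>  installer=<pkg|null>"."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "installer=" not in line:
            continue
        name_part, installer_part = line.split("installer=", 1)
        name = name_part[len("package:"):].strip()
        installers[name] = installer_part.strip()
    return installers


# Constructed allowlist; a real fleet would seed this from known accessibility apps.
KNOWN_GOOD_PACKAGES: Set[str] = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}


def audit(accessibility_enabled: str, enabled_services: str, pm_output: str,
          allowlist: Set[str] = KNOWN_GOOD_PACKAGES) -> List[Finding]:
    """Return every enabled accessibility service whose package is not allowlisted.

    Services listed while accessibility_enabled is "0" cannot act yet, but a
    malicious installer may flip the flag later, so they are reported as inactive
    rather than dropped.
    """
    active = accessibility_enabled.strip() == "1"
    installers = parse_installers(pm_output)
    return [
        Finding(svc, installers.get(svc.package, "unknown"), active)
        for svc in parse_enabled_services(enabled_services)
        if svc.package not in allowlist
    ]


# Constructed sample outputs (placeholder package names, not real IoCs).
SAMPLE_ENABLED = "1"
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.iptvplayer/com.example.iptvplayer.svc.CtrlService:"
)
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.iptvplayer  installer=null
package:com.android.settings  installer=null
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_ENABLED, SAMPLE_SERVICES, SAMPLE_PM):
        state = "ACTIVE" if f.active else "inactive"
        print(f"{state}: {f.service.component} (package {f.service.package}, installer={f.installer})")
```

A hit with `installer=null` on a package the user does not recognise is the combination the three reports describe: a sideloaded app that has talked the user into granting accessibility access. Revoking the service and uninstalling the package closes the control channel these families depend on, but the audit is a triage signal, not proof of infection.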

“BeatBanker compromises the machine with a cryptocurrency miner and introduces another malicious APK that acts as a banking Trojan. This Trojan uses previously obtained permission to install an additional APK called INSS Reebolso, which is associated with the package com.destination.cosmetics,” continues the report.

When users attempt Tether transfers, the malware overlays fake screens and silently replaces the destination wallet address with one controlled by the attackers.

Kaspersky detected new BeatBanker samples spreading through a fake Starlink app. The malware keeps earlier persistence tricks such as looped audio and fixed notifications and still deploys a crypto miner. Instead of a banking trojan, however, it now installs BTMOB RAT, a highly obfuscated remote access tool.

BTMOB, linked to malware families like CraxsRAT and CypherRAT, operates as Malware-as-a-Service and provides full control over infected devices. It can grant permissions automatically, run persistently in the background, hide notifications, capture screen-lock credentials, log keystrokes, track GPS location, and access cameras.

“BeatBanker is an excellent example of how mobile threats are becoming more sophisticated and multi-layered. Initially focused in Brazil, this Trojan operates a dual campaign, acting as a Monero cryptocurrency miner, discreetly draining your device’s battery life while also stealing banking credentials and tampering with cryptocurrency transactions,” concludes the report, which includes Indicators of Compromise (IoCs). “Moreover, the most recent version goes even further, substituting the banking module with a full-fledged BTMOB RAT.”


Pierluigi Paganini

(SecurityAffairs – hacking, BeatBanker Android malware)

Android malware steals your card details and PIN to make instant ATM withdrawals

The Polish Computer Emergency Response Team (CERT Polska) analyzed a new Android-based malware that uses NFC technology to perform unauthorized ATM cash withdrawals and drain victims’ bank accounts.

Researchers found that the malware, called NGate, lets attackers withdraw cash from ATMs (Automated Teller Machines, or cash machines) using banking data exfiltrated from victims’ phones—without ever physically stealing the cards.

NFC is a wireless technology that allows devices such as smartphones, payment cards, and terminals to communicate when they’re very close together. So, instead of stealing your bank card, the attackers capture NFC (Near Field Communication) activity on a mobile phone infected with the NGate malware and forward that transaction data to devices at ATMs. In NGate’s case the stolen data is sent over the network to the attackers’ servers rather than being relayed purely by radio.

NFC comes in a few “flavors.” Some produce a static code—for example, the card that opens my apartment building door. That kind of signal can easily be copied to a device like my “Flipper Zero” so I can use that to open the door. But sophisticated contactless payment cards (like your Visa or Mastercard debit and credit cards) use dynamic codes. Each time you use the NFC, your card’s chip generates a unique, one-time code (often called a cryptogram or token) that cannot be reused and is different every time.

So, that’s what makes the NGate malware more sophisticated. It doesn’t simply grab a signal from your card. The phone must be infected, and the victim must be tricked into performing a tap-to-pay or card-verification action and entering their PIN. When that happens, the app captures all the necessary NFC transaction data exchanged — not just the card number, but the fresh one-time codes and other details generated in that moment.

The malware then instantly sends all that NFC data, including the PIN, to the attacker’s device. Because the codes are freshly generated and valid only for a short time, the attacker uses them immediately to imitate your card at an ATM; the accomplice at the ATM presents the captured data using a card-emulating device such as a phone, smartwatch, or custom hardware.
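The two paragraphs above make the key point about NGate: a copied cryptogram is worthless, so the attacker needs the live card to answer a fresh challenge and the answer must reach the ATM within its validity window. The simulation below is an added example, not from CERT Polska or Malwarebytes, and it is a deliberately simplified stand-in for EMV contactless authentication rather than the real protocol. The card holds a secret key and a transaction counter, the terminal supplies a random challenge, and the issuer checks a keyed-hash cryptogram over both. It shows a replayed response being rejected, a live relay being accepted, and the same relay failing once the terminal enforces a response-time bound (the mitigation that distance-bounding proposals build on). Key material and amounts are constructed.

```python
"""Toy model of one-time NFC cryptograms, replay and relay (added example)."""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional

Response = Dict[str, object]
Responder = Callable[[bytes, int], Response]


def _message(challenge: bytes, atc: int, amount_cents: int) -> bytes:
    """Fields bound into the cryptogram: terminal challenge, counter, amount."""
    return challenge + atc.to_bytes(2, "big") + amount_cents.to_bytes(4, "big")


class Card:
    """Keeps the secret key and a monotonically increasing transaction counter."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.atc = 0

    def respond(self, challenge: bytes, amount_cents: int) -> Response:
        self.atc += 1  # a new counter value for every tap, never reused
        mac = hmac.new(self._key, _message(challenge, self.atc, amount_cents), hashlib.sha256)
        return {"atc": self.atc, "cryptogram": mac.digest()[:8]}


class Issuer:
    """Verifies the cryptogram and rejects counters it has already seen."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.last_atc = 0

    def verify(self, challenge: bytes, amount_cents: int, response: Response) -> bool:
        atc = int(response["atc"])
        if atc <= self.last_atc:
            return False  # replayed or stale counter
        expected = hmac.new(self._key, _message(challenge, atc, amount_cents), hashlib.sha256)
        if not hmac.compare_digest(expected.digest()[:8], bytes(response["cryptogram"])):
            return False
        self.last_atc = atc
        return True


class Terminal:
    """Issues a fresh challenge and, optionally, bounds the card's response time."""

    def __init__(self, issuer: Issuer, max_response_ms: Optional[float] = None) -> None:
        self.issuer = issuer
        self.max_response_ms = max_response_ms

    def transact(self, respond: Responder, amount_cents: int) -> bool:
        challenge = os.urandom(4)  # unpredictable per transaction
        start = time.monotonic()
        response = respond(challenge, amount_cents)
        elapsed_ms = (time.monotonic() - start) * 1000.0
        if self.max_response_ms is not None and elapsed_ms > self.max_response_ms:
            return False  # answer arrived too late to have come from a card at the reader
        return self.issuer.verify(challenge, amount_cents, response)


def demo(relay_delay_ms: float = 150.0, bound_ms: float = 50.0) -> Dict[str, bool]:
    """Run the four scenarios and return which ones the issuer accepted."""
    key = os.urandom(16)  # constructed card secret shared with the issuer
    card, issuer = Card(key), Issuer(key)
    terminal = Terminal(issuer)

    genuine = terminal.transact(card.respond, 2000)

    # Static copy: an eavesdropper records one answer and presents it again.
    recorded: Response = {}

    def recording(challenge: bytes, amount: int) -> Response:
        recorded.update(card.respond(challenge, amount))
        return recorded

    terminal.transact(recording, 2000)  # victim's real tap, answer captured
    replay = terminal.transact(lambda c, a: dict(recorded), 2000)

    # Live relay: the fresh challenge is forwarded to the real card elsewhere.
    def relayed(challenge: bytes, amount: int) -> Response:
        time.sleep(relay_delay_ms / 1000.0)  # network round trip to the victim's phone
        return card.respond(challenge, amount)

    relay_unbounded = terminal.transact(relayed, 2000)
    relay_bounded = Terminal(issuer, max_response_ms=bound_ms).transact(relayed, 2000)

    return {"genuine": genuine, "replay": replay,
            "relay_unbounded": relay_unbounded, "relay_bounded": relay_bounded}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:16s} {'accepted' if accepted else 'rejected'}")
```

The counter and the terminal challenge are what defeat the "copy the signal" approach the article contrasts with NGate, and the timing bound is the reason a relay has to be fast and pre-arranged; the issuer-side fraud controls that real schemes add on top (velocity limits, PIN-try counters, device binding) are outside this toy model.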

But, as you can imagine, being ready at an ATM when the data comes in takes planning—and social engineering.

First, attackers need to plant the malware on the victim’s device. Typically, they send phishing emails or SMS messages to potential victims. These often claim there is a security or technical issue with their bank account, trying to induce worry or urgency. Sometimes, they follow up with a phone call, pretending to be from the bank. These messages or calls direct victims to download a fake “banking” app from a non-official source, such as a direct link instead of Google Play.

Once installed, the app asks for permissions and leads victims through fake “card verification” steps. The goal is to get victims to act quickly and trustingly—while an accomplice waits at an ATM to cash out.

How to stay safe

NGate only works if your phone is infected and you’re tricked into initiating a tap-to-pay action on the fake banking app and entering your PIN. So the best way to stay safe from this malware is to keep your phone protected and stay vigilant to social engineering:

  • Stick to trusted sources. Download apps only from Google Play, Apple’s App Store, or the official provider. Your bank will never ask you to use another source.
  • Protect your devices. Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware.
  • Do not engage with unsolicited callers. If someone claims to be from your bank, tell them you’ll call them back at the number you have on file.
  • Ignore suspicious texts. Do not respond to or act upon unsolicited messages, no matter how harmless or urgent they seem.

Malwarebytes for Android detects these banking Trojans as Android/Trojan.Spy.NGate.C; Android/Trojan.Agent.SIB01022b454eH140; Android/Trojan.Agent.SIB01c84b1237H62; Android/Trojan.Spy.Generic.AUR9552b53bH2756 and Android/Trojan.Banker.AURf26adb59C19.
