All news with #android tag

Wed, October 15, 2025

Google expands protections and tools to combat scams

🔒 Google is rolling out multiple new features to reduce scams across its services, including link warnings and navigation blocking in Google Messages when messages are flagged as spam. A Key Verifier QR option helps confirm end-to-end encrypted contacts on Android, while expanded recovery options — including Recovery Contacts and Sign in with Mobile Number — aim to simplify secure account recovery. Google also launched educational tools and partnerships to raise scam awareness.

Tue, October 14, 2025

Pixnapping: Pixel-by-pixel Android MFA code theft

🔍 A new side‑channel attack called Pixnapping allows a permissionless Android app to infer and reconstruct on‑screen pixels and steal sensitive content such as one‑time authentication codes, chat messages, and emails. The technique abuses Android intents and SurfaceFlinger compositing to isolate and enlarge individual pixels, then uses a GPU compression side channel to leak visual data. The proof‑of‑concept from a team of seven U.S. university researchers works on modern Pixel and Samsung devices and can extract 2FA codes in under 30 seconds; Google issued an initial mitigation (CVE‑2025‑48561) in September that was bypassed, and a broader fix is planned for December 2025, with Samsung committing to patches as well.

Tue, October 14, 2025

Pixnapping: Android GPU Side-Channel Steals 2FA Pixels

⚠️ Researchers have disclosed Pixnapping, a pixel-stealing side-channel that can extract 2FA codes, Maps timelines, and other sensitive UI contents from Android apps by abusing GPU compression together with Android's window-blur and intent mechanisms. The proof-of-concept captures codes in under 30 seconds on several Google and Samsung devices running Android 13–16 without requiring special manifest permissions. Google tracked the issue as CVE-2025-48561 (CVSS 5.5) and issued mitigations in the September 2025 Android Security Bulletin, but researchers say a workaround can re-enable the technique and that some app-list bypass behavior will not be fixed.

Thu, October 9, 2025

ClayRat Android spyware mimics popular apps to spread

📱 A new Android spyware campaign called ClayRat tricks users by posing as well-known apps and services such as WhatsApp, Google Photos, TikTok, and YouTube, distributing APKs via Telegram channels and fraudulent websites. Researchers at Zimperium say they documented over 600 samples and 50 distinct droppers in three months, noting that some droppers use Android's session-based package installation together with encrypted payloads to bypass Android defenses. Once installed, ClayRat can take over the default SMS handler role, exfiltrate SMS and call logs, capture notifications and front-camera photos, place calls, send mass SMS for propagation, and communicate with C2 servers (recent versions encrypt traffic with AES-GCM); Play Protect now blocks known variants.

Thu, October 9, 2025

ClayRat Android Spyware Uses Fake Apps to Spread in Russia

📱 A new Android spyware campaign known as ClayRat has been observed targeting users in Russia through fake app installers and Telegram channels. Operators impersonate popular apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick victims into sideloading APKs or running lightweight droppers that unpack hidden encrypted payloads. Once active, the malware requests the default SMS handler role and can exfiltrate SMS, call logs, notifications and device details, take photos, and send messages or place calls, while automatically propagating to the victim's contacts. Zimperium reports roughly 600 samples and 50 droppers detected in the last 90 days, with continuous obfuscation to evade defenses.

Thu, October 9, 2025

ClayRat Android Spyware Turns Phones Into SMS Hubs

🔔 A fast-evolving Android spyware campaign dubbed ClayRat has produced over 600 samples and 50 droppers in three months, researchers say. The malware is distributed via phishing sites and Telegram channels that impersonate popular apps like TikTok, YouTube and Google Photos to trick users into sideloading infected APKs. Once granted SMS privileges, ClayRat can read and send messages, harvest contacts and call logs, take front-camera photos, exfiltrate data to C2 servers, and automatically text malicious links to all contacts, turning each compromised device into a propagation hub.

Thu, October 9, 2025

ClayRat Android Spyware Campaign Targets Russian Users

🛡️ Researchers at Zimperium zLabs have identified a rapidly evolving Android spyware campaign, dubbed ClayRat, targeting users in Russia via Telegram channels and phishing sites. The malware is distributed inside fake apps impersonating services such as WhatsApp, TikTok, Google Photos and YouTube, and operators use fake reviews, inflated download counts and step-by-step installation guides to trick victims. Once granted privileges, ClayRat can exfiltrate SMS, call logs and notifications, take front-camera photos, and send messages or place calls by abusing Android's SMS handler role. Zimperium reports over 600 samples, and coordinated disclosure to Google resulted in Play Protect protections.

Thu, October 2, 2025

Android spyware campaigns impersonate Signal and ToTok

🔒 Two newly identified Android spyware campaigns, dubbed ProSpy and ToSpy, impersonate Signal and ToTok to trick users into installing malicious APKs masquerading as a Signal encryption plugin or a Pro ToTok build. The malware requests standard messenger permissions and exfiltrates contacts, SMS, media, app lists and ToTok backups. ESET found distribution via cloned websites and noted persistence techniques to survive reboots. Users in the UAE appear to be targeted; download apps only from official stores or publishers and keep Play Protect enabled.

Thu, October 2, 2025

Android Spyware Posing as Signal Plugin and ToTok Pro

⚠️ Researchers at ESET have uncovered two Android spyware campaigns, ProSpy and ToSpy, that masquerade as a Signal encryption plugin and a ToTok Pro upgrade to target users in the U.A.E. Distributed via fake websites and social engineering, these apps require manual installation and request extensive permissions to persist and exfiltrate contacts, messages, media and device data. Users are advised to avoid installing apps from unofficial sources and to disable installations from unknown origins.

Thu, October 2, 2025

Android spyware targeting Signal and ToTok users in UAE

🔒 ESET researchers uncovered two previously undocumented Android spyware families—Android/Spy.ProSpy and Android/Spy.ToSpy—distributed via deceptive websites that impersonate Signal, ToTok and even app stores. Both families require manual APK installation from third‑party sites and maintain persistence while exfiltrating contacts, media, documents and chat backups. ToSpy notably seeks .ttkmbackup files and uses AES‑CBC encryption with a hardcoded key; several C&C servers remained active. Google Play Protect already blocks known variants, and ESET shared findings with Google.

Wed, October 1, 2025

Android malware uses VNC to give attackers hands-on access

🔒 Klopatra is a newly observed Android banking and remote access trojan distributed via a sideloaded dropper app called Modpro IP TV + VPN that has infected over 3,000 devices across Europe. The malware abuses Android's Accessibility Service to capture inputs, exfiltrate clipboard content, simulate taps and gestures, and monitor the screen. A concealed black‑screen VNC mode lets operators interact with the device and perform manual bank transactions while it appears idle. Cleafy notes extensive anti-analysis protections, use of commercial packers, and active development since March 2025.

Wed, October 1, 2025

F-Droid: Google developer verification may end project

⚠️ F-Droid warns that Google’s planned Developer Verification rule — requiring identity verification for all developers on certified Android devices starting in 2026 — could effectively end the project and restrict access to many free, open-source apps. F-Droid, which builds reproducible packages, checks for trackers and allows anonymous downloading without accounts, says many open-source authors will refuse to register or pay fees, and that F-Droid cannot take ownership of their apps' package identifiers on their behalf. Google says sideloading will remain possible for verified developers, with exemptions for hobbyists and no change to Android Studio workflows.

Wed, October 1, 2025

Klopatra Android Banking Trojan Hits 3,000+ Devices

🔒 Cleafy has uncovered Klopatra, a previously undocumented Android banking trojan that has infected over 3,000 devices—predominantly in Spain and Italy. The malware leverages Hidden VNC for remote device control and dynamic overlays to harvest credentials, while integrating the commercial Virbox protection suite and native libraries to evade detection and analysis. Operators distribute Klopatra via social-engineered IPTV droppers, abuse Android accessibility permissions to persist and perform actions, and use a black-screen VNC mode and stolen PINs or patterns to unlock devices and execute rapid fraudulent transfers.
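The ClayRat entries above and both Klopatra entries describe the same two privilege grabs: registering the components that let an app claim the default SMS handler role, and declaring an AccessibilityService that can read the screen and inject input. The following is an added example, not Zimperium's or Cleafy's tooling, that triages a decoded AndroidManifest.xml (for instance apktool output) for exactly those patterns; the two sample manifests and their package names are constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the privilege patterns
the ClayRat and Klopatra write-ups describe. Added example, not Zimperium's or
Cleafy's tooling; both manifests below are constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name: str) -> str:
    """Attribute key for android:<name> as ElementTree exposes it."""
    return "{%s}%s" % (ANDROID_NS, name)


# Intent actions Android requires before an app can be offered ROLE_SMS:
# SMS_DELIVER and WAP_PUSH_DELIVER receivers, a SENDTO activity and a
# RESPOND_VIA_MESSAGE service.
SMS_ROLE_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.SENDTO",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE", "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}


def triage_manifest(xml_text: str) -> dict:
    """Return declared sensitive permissions, SMS-role readiness,
    AccessibilityService presence and a list of human-readable findings."""
    root = ET.fromstring(xml_text)
    perms = {e.get(attr("name")) for e in root.iter("uses-permission")}
    actions = {e.get(attr("name")) for e in root.iter("action")}
    accessibility = any(s.get(attr("permission")) == ACCESSIBILITY_BIND
                        for s in root.iter("service"))
    findings = []
    if SMS_ROLE_ACTIONS <= actions:
        findings.append("declares every component needed to claim the default SMS role")
    elif SMS_ROLE_ACTIONS & actions:
        findings.append("declares some SMS-role components: "
                        + ", ".join(sorted(SMS_ROLE_ACTIONS & actions)))
    if accessibility:
        findings.append("declares an AccessibilityService (screen reading, input injection)")
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        findings.append("can install further APKs (dropper behaviour)")
    return {
        "package": root.get("package"),
        "sensitive_permissions": sorted(SENSITIVE_PERMISSIONS & perms),
        "can_claim_sms_role": SMS_ROLE_ACTIONS <= actions,
        "accessibility_service": accessibility,
        "findings": findings,
    }


# Constructed manifest in the shape of a messenger-impersonating spyware APK.
SPYWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="WhatsApp">
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <activity android:name=".ComposeActivity">
      <intent-filter><action android:name="android.intent.action.SENDTO"/></intent-filter>
    </activity>
    <service android:name=".RespondService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed manifest of an ordinary network-only app, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for m in (SPYWARE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

A hit on the SMS-role components is not proof of malice (real messengers declare them), but combined with camera, call-log and install permissions in an APK served from a Telegram channel it is the profile these reports describe and is cheap to check before any dynamic analysis.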

Tue, September 16, 2025

Google Removes 224 Android Apps in Large SlopAds Fraud

🚨 Researchers at HUMAN disrupted a global Android ad-fraud operation dubbed "SlopAds" that used 224 malicious apps on Google Play to generate roughly 2.3 billion ad bid requests per day. The apps, downloaded over 38 million times across 228 countries, used obfuscation and steganography to hide a malicious FatModule payload assembled from PNG images. The campaign used Firebase Remote Config and hidden WebViews to deliver continuous fraudulent ad impressions and clicks; Google has removed the identified apps and updated Google Play Protect to warn affected users.

Tue, September 16, 2025

SlopAds Ad-Fraud Ring Exploits 224 Android Apps Globally

🔍 A coordinated ad and click-fraud operation named SlopAds ran 224 Android apps that amassed roughly 38 million downloads across 228 countries, according to HUMAN's Satori Threat Intelligence and Research Team. The campaign generated up to 2.3 billion bid requests per day and primarily targeted traffic from the U.S., India, and Brazil. Google removed the offending apps from the Play Store after the investigation, which found sophisticated evasion tactics including steganography and conditional payloads.
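Both SlopAds entries say the payload was hidden in PNG images. The following is an added example, not HUMAN's detection logic, of the structural check a practitioner would run over image assets pulled from an APK: parse the chunk layout, verify every chunk CRC, and flag non-standard chunk types, data appended after IEND, and ancillary data that outweighs the actual pixel data. The sample images are built inside the block, and the `stEG` chunk type is a hypothetical carrier used only to show the detection.

```python
"""Structural PNG scan for hidden-payload carriers. Added example, not HUMAN's
tooling; the images are constructed here and 'stEG' is a hypothetical chunk."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf", b"acTL", b"fcTL", b"fdAT",
}


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Minimal valid 1x1 RGB PNG, optionally with extra chunks before IDAT
    and raw bytes appended after IEND (constructed test input)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    scanline = b"\x00" + b"\x00\x00\x00"  # filter type 0 + one black pixel
    parts = [PNG_SIGNATURE, png_chunk(b"IHDR", ihdr)]
    parts += [png_chunk(t, d) for t, d in extra_chunks]
    parts += [png_chunk(b"IDAT", zlib.compress(scanline)), png_chunk(b"IEND", b"")]
    return b"".join(parts) + trailer


def scan_png(blob: bytes) -> dict:
    """Walk the chunk list and return (type, length) pairs plus findings."""
    findings, chunks = [], []
    if not blob.startswith(PNG_SIGNATURE):
        return {"chunks": chunks, "findings": ["missing PNG signature"]}
    pos, end = len(PNG_SIGNATURE), None
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        name = ctype.decode("latin-1")
        if pos + 12 + length > len(blob):
            findings.append("truncated chunk %s" % name)
            break
        data = blob[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])[0]
        chunks.append((name, length))
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            findings.append("bad CRC in %s" % name)
        if ctype not in STANDARD_CHUNKS:
            findings.append("non-standard chunk %s (%d bytes)" % (name, length))
        pos += 12 + length
        if ctype == b"IEND":
            end = pos
            break
    if end is None:
        findings.append("no IEND chunk")
    elif end < len(blob):
        findings.append("%d bytes after IEND" % (len(blob) - end))
    pixel = sum(n for t, n in chunks if t == "IDAT")
    other = sum(n for t, n in chunks if t not in ("IHDR", "IDAT", "IEND", "PLTE"))
    if other > pixel:
        findings.append("ancillary data (%d bytes) exceeds pixel data (%d bytes)"
                        % (other, pixel))
    return {"chunks": chunks, "findings": findings}


# Constructed inputs: a clean image and one carrying a 64-byte blob in a
# hypothetical private chunk plus bytes glued on after IEND.
PAYLOAD = bytes(range(64))
CLEAN_PNG = build_png()
STEGO_PNG = build_png(extra_chunks=[(b"stEG", PAYLOAD)], trailer=b"TRAILER")

if __name__ == "__main__":
    print(scan_png(CLEAN_PNG))
    print(scan_png(STEGO_PNG))
```

Real carriers may also sit inside legitimate chunk types (oversized `tEXt`/`zTXt`, or pixel data that never gets drawn), so the ancillary-versus-pixel ratio is the more durable of these signals; the CRC check matters because tooling that rewrites chunks by hand often leaves them wrong, which is itself a tell.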

Fri, September 12, 2025

Samsung fixes libimagecodec zero-day CVE-2025-21043

⚠️ Samsung released its monthly Android security update addressing a zero-day, CVE-2025-21043, an out-of-bounds write in libimagecodec.quram.so that can enable remote arbitrary code execution; Samsung rates it critical and assigns a CVSS score of 8.8. The company says the flaw affects Android 13–16 and was privately disclosed on August 13, 2025. The affected library is a closed-source image parser from Quramsoft, and Samsung says the patch adds a proper implementation. Samsung acknowledged an exploit exists in the wild but did not provide attack specifics.

Fri, September 12, 2025

Samsung patches actively exploited zero-day in image codec

🔒 Samsung has released a patch for a critical remote code execution vulnerability tracked as CVE-2025-21043 that was actively exploited on Android devices. Reported by Meta and WhatsApp security teams on August 13, the flaw stems from an out-of-bounds write in libimagecodec.quram.so, a closed-source Quramsoft image parser, and affects devices running Android 13 and later. Samsung’s advisory notes an exploit was observed in the wild and that other messaging apps using the vulnerable library could also be at risk; users should apply the September SMR update promptly.

Wed, September 10, 2025

Pixel 10 Adds C2PA Content Credentials and Trusted Imaging

📷 Google announced Pixel 10 phones will embed C2PA Content Credentials in every photo captured by the native Pixel Camera and display verification in Google Photos. The Pixel Camera app achieved Assurance Level 2 by combining Tensor G5, the certified Titan M2 security chip, and Android hardware-backed attestation. A privacy-first model uses anonymous enrollment, a strict no-logging policy, and a one-time certificate-per-image strategy to prevent linking. Pixel 10 also supports an on-device trusted timestamping mechanism so credentials remain verifiable offline.

Tue, September 9, 2025

RatOn Android RAT Evolves with NFC Relay and ATS Capabilities

🛡️ ThreatFabric has identified a new Android remote access trojan, RatOn, that combines NFC relay attacks with automated money-transfer (ATS) and overlay capabilities to target cryptocurrency wallets and conduct device fraud. Attackers distribute droppers via fake Play Store listings (masquerading as a TikTok 18+ app) aimed at Czech and Slovak users, then request accessibility and device-admin permissions. RatOn deploys a third-stage NFSkate module for Ghost Tap NFC relays, presents overlay or ransom-style screens, captures PINs and seed phrases, records keystrokes, and exfiltrates sensitive data to attacker servers to drain accounts.

Wed, September 3, 2025

Google fixes actively exploited Android flaws in September

🔒 Google has released the September 2025 Android security update addressing 84 vulnerabilities, including two zero-day flaws observed in limited, targeted exploitation: CVE-2025-38352 (Linux kernel) and CVE-2025-48543 (Android Runtime). The bulletin also patches four critical issues — including an RCE in the System component and three Qualcomm vulnerabilities affecting modem and data stacks. Users are urged to install security patch level 2025-09-01 or 2025-09-05 via Settings > System > Software updates > System update.