CyberSecurityBoard
Sponsor Register Login

Threat Actors Combine Android Malware With Click Fraud Apps to Steal Login Credentials

Disguised as casual games, task-reward utilities, or even clones of legitimate Chrome or Facebook apps, the malware lures users away from Google Play to sideload rogue installers, a tactic that neatly sidesteps Google’s built-in vetting controls and capitalizes on social-engineering hooks such as “Get Free $5” or “Create Your Ad Campaign”. A fresh wave of malicious Android Package Kit (APK) files is weaving together two of cybercrime’s most reliable revenue streams—click-fraud advertising and credential theft—into a single, adaptable threat that has begun circulating across Southeast Asia, Latin America, and parts of Europe. By time the user notices anomalous battery drain or data spikes, both ad revenue and fresh credential sets have long since been exfiltrated through a fallback “crash-log” channel masquerading behind a seemingly innocuous sub-domain. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. On first run, it issues a beacon to 38.54.1.79:9086/#/entry, retrieves the AES-wrapped config, and only then activates ad-click automation or credential harvesting modules, significantly reducing the behavioral noise most sandboxes rely on for detection. Their telemetry shows that the same infrastructure fans out dozens of variant apps, each region-tuned to impersonate banks, telecoms, or betting platforms yet compiled from a common code base. Once the APK lands on a victim’s handset, the app immediately requests an excessive bouquet of permissions—camera, contacts, account management, and the ability to run foreground services—well beyond what any lightweight game or coupon app should need. Once executed, the app leverages the open-source ApkSignatureKillerEx framework to graft a secondary payload (origin.apk) into its own directory without invalidating the original signature, guaranteeing the OS treats it as a trustworthy upgrade. In the foreground, the app silently loads parked domains and affiliate funnels, simulating taps and scrolls to inflate ad-impression counts, a maneuver clearly displayed in the redirection chain. This dual-purpose architecture, analysts warn, lets operators monetize every infected device immediately while quietly harvesting data for resale or later account takeover. Tushar is a Cyber security content editor with a passion for creating captivating and informative content.

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 22 Jul 2025 10:20:12 +0000


Cyber News related to Threat Actors Combine Android Malware With Click Fraud Apps to Steal Login Credentials

Comprehensive Guide to Fraud Detection, Management, & Analysis - To mitigate risks, businesses can use risk management strategies, including fraud detection software, company policies, and staff ranging from risk managers and trust officers to fraud analysts. Affiliate Fraud - Affiliates in a marketing arrangement ...
1 year ago Securityboulevard.com
Deepfake Digital Identity Fraud Surges Tenfold, Sumsub Report Finds - Threat actors undertaking identity fraud have been using deepfakes ten times more in 2023 than in 2022, according to digital identity verification solutions provider Sumsub. In its third annual Identity Fraud Report, published on November 28, 2023, ...
1 year ago Infosecurity-magazine.com
Staying ahead of threat actors in the age of AI - At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified ...
1 year ago Microsoft.com Kimsuky
Malicious Android 'Vapor' apps on Google Play installed 60 million times - Although all of these apps have since been removed from Google Play, there's a significant risk that Vapor will return through new apps as the threat actors have already demonstrated the ability to bypass Google's review process. Bitdefender ...
4 months ago Bleepingcomputer.com
25 Best Managed Security Service Providers (MSSP) - 2025 - Pros & Cons: ProsConsStrong threat intelligence & expert SOCs.High pricing for SMBs.24/7 monitoring & rapid incident response.Complex UI and steep learning curve.Flexible, scalable, hybrid deployments.Limited visibility into endpoint ...
1 month ago Cybersecuritynews.com
New Wave of 'Anatsa' Banking Trojans Targets Android Users in Europe - The campaign has been ongoing for at least four months and is the latest salvo from the operators of the malware, which first surfaced in 2020 and has previously notched victims in the US, Italy, United Kingdom, France, Germany, and other countries. ...
1 year ago Darkreading.com
Google Online Security Blog: I/O 2024: What's new in Android security and privacy - As their tactics evolve in sophistication and scale, we continually adapt and enhance our advanced security features and AI-powered protections to help keep Android users safe. Today, we're announcing more new fraud and scam protection features ...
1 year ago Security.googleblog.com Cloak
How Banks Can Adapt to the Rising Threat of Financial Crime - To combat this, banks need to implement advanced AI-driven fraud monitoring and detection tools, enhance identity verification processes, and stay vigilant with continuous monitoring and staff training to recognize anomalies. While most banks ...
5 months ago Darkreading.com
PixPirate: The Brazilian financial malware you can't see, part one - The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan malware that heavily utilizes anti-research techniques. Within IBM Trusteer, we saw several different ...
1 year ago Securityintelligence.com
10 Key Things You Need to Know About the Sophisticated Vastflux Ad Fraud Scheme - At the end of April 2015, researchers from Distil Networks reported the discovery of a sophisticated ad fraud network, Vastflux, which had been around since at least January 2014. The network used sophisticated malware targeting both iOS and Android ...
2 years ago Securityweek.com
Identity Fraud Rises as E-Commerce, Payment Firms Targeted - An analysis of global customer data has highlighted a 20% increase in overall fraud incidents compared to last year, largely attributed to the surge in impersonation fraud and the accessibility of sophisticated attack methods and tools. The gaming, ...
1 year ago Securityboulevard.com
29 malware families target 1,800 banking apps worldwide - Mobile banking is outpacing online banking across all age groups due to its convenience and our desire to have those apps at our fingertips, according to Zimperium. This surge is accompanied by a dramatic growth in financial fraud. The research ...
1 year ago Helpnetsecurity.com
PixPirate: New Android Banking Trojan Targeting Brazilian Financial Institutions - A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform. Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of ...
2 years ago Thehackernews.com
Android 15, Google Play get new anti-malware and anti-fraud features - Today, Google announced new security features coming to Android 15 and Google Play that will help block scams, fraud, and malware apps on users' devices. Announced at Google I/O 2024, the new features are designed not only to help end users but also ...
1 year ago Bleepingcomputer.com
Operation Morpheus took down 593 Cobalt Strike servers used by threat actors - Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769. Experts released PoC exploit code for a critical bug in Progress Telerik Report Servers. Threat actors may have exploited a zero-day in older iPhones, Apple warns. Nation-state ...
1 year ago Securityaffairs.com CVE-2024-0769 CVE-2022-38028 CVE-2023-49103 CVE-2023-46747 CVE-2023-46748 CVE-2023-4966 APT28
5 Fraud Prevention Strategies That Help Companies Ward Off Cyber Attacks - According to PwC's 2022 survey, over half of companies experienced fraud in the past two years, the highest in 20 years of research. From cyber-attacks to wire fraud to dishonest employees, there's no shortage of threats that aim to profit off your ...
1 year ago Hackread.com
February 2024's Most Wanted Malware: WordPress Websites Targeted by Fresh FakeUpdates Campaign - Our latest Global Threat Index for February 2024 saw researchers uncover a fresh FakeUpdates campaign compromising WordPress websites. These sites were infected using hacked wp-admin administrator accounts, with the malware adapting its tactics to ...
1 year ago Blog.checkpoint.com
Data Insecurity: Experts Sound the Alarm on 4 Apps Putting User Privacy at Risk - Even though many of us rely on apps to entertain us, guide us, manage our exercise, and connect with family and friends, they are notoriously hard to trust. In an age when technology is constantly evolving, it is almost impossible to tell if a ...
1 year ago Cysecurity.news
Over 90 malicious Android apps with 5.5M installs found on Google Play - Over 90 malicious Android apps were found installed over 5.5 million times through Google Play to deliver malware and adware, with the Anatsa banking trojan seeing a recent surge in activity. Anatsa is a banking trojan that targets over 650 ...
1 year ago Bleepingcomputer.com
FjordPhantom Android malware uses virtualization to evade detection - A new Android malware named FjordPhantom has been discovered using virtualization to run malicious code in a container and evade detection. The malware was discovered by Promon, whose analysts report that it currently spreads via emails, SMS, and ...
1 year ago Bleepingcomputer.com
New Xamalicious Android malware installed 330k times on Google Play - A previously unknown Android backdoor named 'Xamalicious' has infected approximately 338,300 devices via malicious apps on Google Play, Android's official app store. McAfee, a member of the App Defense Alliance, discovered 14 infected apps on Google ...
1 year ago Bleepingcomputer.com
ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store - On Android devices, one of the apps analyzed by researchers has more than 100,000 downloads, tracks, and shares location data with ByteDance and Amazon, etc. ChatGPT, the AI software, has already taken the Internet by storm, and that is why ...
2 years ago Hackread.com Everest
Fighting the Next Generation of Fraud - In today's digital age, the landscape of fraud is evolving at an alarming pace. In 2022, 20-59-year-olds reported 63% of all fraud in the United States. Fraudsters have been quick to harness the potential of generative AI to perpetrate various ...
1 year ago Securityboulevard.com
Credentials are Still King: Leaked Credentials, Data Breaches and Dark Web Markets - Infostealers infect computers, steal all of the credentials saved in the browser along with active session cookies and other data, then export it back to command and control infrastructure before, in some cases, self-terminating. This article will ...
1 year ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)