Researchers at Certo identified a spyware tool called KidsProtect, which presents itself as a parental monitoring app. This is a common disguise in the stalkerware space, where intrusive tracking features are marketed as safety tools.

But the reality is different. The platform is openly promoted in hacking communities with claims of stealth and stability, clearly targeting covert surveillance use rather than legitimate parental control.

Through a web dashboard, operators can monitor a device remotely with capabilities that go far beyond basic tracking. This includes listening to calls, accessing messages, tracking live location, and even capturing keystrokes—all without the victim’s knowledge.

Deep Device Control and Evasion Tactics

Once installed, the spyware runs silently in the background and gives attackers near-total visibility into the device.

Key functions include:

• Live microphone access and call recording
• Real-time GPS tracking
• Reading SMS and app messages (including WhatsApp and Telegram)
• Keystroke logging for capturing passwords
• Remote access to cameras
• Monitoring screen activity in real time

To achieve this level of control, the app abuses sensitive Android permissions such as access to location, microphone, camera, and storage. One of the most critical features it exploits is the Accessibility Service, which allows it to read screen content and interact with other apps—making real-time surveillance possible.

The spyware is also built to stay hidden and resist removal. It disguises itself as a system-like app (for example, “WiFi Service”), registers as a Device Administrator, and includes anti-uninstall protection. Even after a device restart, it automatically relaunches using a BootReceiver component.

Victims are often tricked into disabling built-in protections like Google Play Protect, allowing the malware to operate freely without interruption.

A Growing Threat Through White-Label Resale

What makes this platform especially dangerous is its white-label model. Buyers can rebrand the spyware, set their own pricing, and distribute it as if it were their own product. This turns malware into a scalable business model rather than a single tool.

With entry costs starting relatively low, even non-technical users can launch their own spyware operation. This lowers the barrier to entry and allows the ecosystem to grow quickly, even when authorities shut down known stalkerware providers.

The spyware operates under package names like com.example.parentguard and supports Android devices from version 7 onwards. It also allows unencrypted (cleartext) traffic, increasing the risk of data exposure.

Overall, this platform shows how stalkerware is evolving—from isolated tools into commercialized services that enable widespread surveillance with minimal effort.

The post Android Spyware Platform Enables Resale appeared first on First Hackers News.

Social Engineering and Delivery Tactics

The attack typically begins with direct contact. Victims are approached through platforms like LinkedIn, email, or messaging apps by accounts posing as journalists, support staff, or known contacts. These interactions are carefully crafted to build trust before introducing a malicious link.

The link is usually presented as something urgent or relevant, such as a video call request, shared document, or account alert. Once clicked, victims are redirected either to fake login pages or download portals.

Common tactics used:

• Impersonation of trusted individuals or organizations
• Spearphishing messages tailored to the target
• Fake login pages mimicking services like email or cloud platforms
• Malicious download links disguised as secure communication tools

This approach relies heavily on human trust rather than technical exploitation, making it highly effective even against cautious users.

Fake Apps and Spyware Capabilities

The core of the campaign is the use of fake Android applications that appear to be secure messaging tools. These apps are distributed through convincing websites that mimic official sources and offer “enhanced” or “pro” versions of popular platforms.

Once installed, the spyware operates silently in the background, collecting and transmitting sensitive data to attacker-controlled servers.

Key capabilities include:

• Access to contacts, messages, and call-related data
• Collection of device information and stored files
• Extraction of documents, media, and backup data
• Continuous communication with remote command servers

The malware is designed to blend in as a legitimate app, making detection difficult for users who install it outside official app stores.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Broader Implications

This campaign highlights a growing trend where attackers combine social engineering with mobile spyware to conduct surveillance operations. The targeting of civil society groups suggests a shift toward more personalized and contract-driven espionage activities.

It also reinforces a critical point: even advanced threats often rely on simple entry points — convincing a user to trust and install something that appears legitimate.

The post Fake Messaging Apps Used to Deliver ProSpy Spyware appeared first on First Hackers News.

Security researchers from Cyberthint found that ZeroDayRAT is being sold on Telegram as a Malware-as-a-Service (MaaS). This means even non-technical criminals can subscribe, access a web-based dashboard, and control infected devices remotely.

The infection usually starts with smishing messages — fake SMS alerts pretending to be service providers or app updates. Victims are tricked into installing a malicious Android APK or iOS payload. Once installed, the attacker gains full control through a browser-based control panel.

Through this dashboard, attackers can view device details, monitor messages, track GPS location, and even activate the microphone and camera. The malware also targets financial apps by using clipboard hijacking and fake login overlays to steal credentials. It can intercept OTP codes, allowing criminals to bypass two-factor authentication in real time.

ZeroDayRAT is sold in subscription tiers — $250 per day, $1000 per week, and $3500 per month — and transactions are reportedly handled through escrow services, indicating an organized criminal operation.

What Makes ZeroDayRAT Dangerous

• Real-time GPS tracking and live surveillance
• Remote camera and microphone activation
• Screen recording and keylogging
• Clipboard hijacking for cryptocurrency theft
• Fake login overlays for banking and payment apps
• OTP interception to bypass 2FA
• Easy-to-use browser control panel
• Sold as a subscription service on Telegram

Credibility Concerns

Security analysts say ZeroDayRAT appears to be a real threat, but some details raise questions. In one promotional screenshot, researchers noticed a browser tab labeled “Create USDT Wallet Address,” which looked staged or taken from demo material. This suggests that some features may be exaggerated for marketing.

Even so, the overall capability of the tool reflects a growing shift in cybercrime. Criminals can now rent advanced surveillance kits that were once limited to highly skilled actors. ZeroDayRAT joins other mobile-focused threats like Anatsa, Arsink, and NFCShare that target banking apps, crypto wallets, and everyday mobile behavior.

As mobile malware continues to evolve, users and organizations must stay cautious. Most infections still begin with simple smishing messages or fake app downloads — proving that even small actions can lead to serious compromise.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post ZeroDayRAT Turns Mobile Phones into Spy and Theft Tools appeared first on First Hackers News.

Since January 2024, over 280 malicious apps have targeted Korean users, using deceptive tactics like loading screens and redirects to conceal their data theft activities.

All about New Android Spyware

Malicious actors mainly target Korean mobile users through phishing campaigns, using tactics like impersonating trusted entities to trick victims into clicking malicious links.

When clicked, these links direct users to fake websites that mimic legitimate platforms, tricking them into downloading APK files disguised as harmless apps.

Once installed, these malicious APKs request excessive permissions, allowing them to steal sensitive data and carry out malicious activities in the background.

The malware steals sensitive data from the user’s device, like contacts, SMS messages, photos, and device information, and sends it to a remote server.

It also acts as a remote agent, receiving commands from the server to change settings or send SMS messages.

The investigation found a poorly secured command and control server, exposing victim data such as images and cryptocurrency wallet details, and allowing unauthorized access to index pages and admin panels, revealing the attacker’s operations.

Python and JavaScript were used to process stolen data, with OCR extracting info from images for financial exploitation.

The malware now uses WebSocket connections for real-time C2 communication, making detection harder. It also employs advanced obfuscation techniques like string encoding and code insertion to delay detection.

Targeting has expanded to the UK, showing efforts to broaden its reach.

McAfee reports that the malware, once disguised as loan or government apps, now exploits emotions by mimicking obituary notices, using OCR to analyze stolen data for financial gain.

Though not widespread, its impact grows as deceptive SMS messages are sent to victims’ contacts. Active URLs have been reported for removal. The presence of an “iPhone” item in the admin panel suggests a possible iOS variant, stressing caution on all platforms.

Users should avoid installing suspicious apps, be careful with permissions, securely store important data, and use security software.

Indicators of Compromise

IOC’s as per McAfee

SHA256 Hash(es):

• 5b634ac2eecc2bb83c0403edba30a42cc4b564a3b5f7777fe9dada3cd87fd761
• 4cf35835637e3a16da8e285c1b531b3f56e1cc1d8f6586a7e6d26dd333b89fcf
• 3d69eab1d8ce85d405c194b30ac9cc01f093a0d5a6098fe47e82ec99509f930d
• 789374c325b1c687c42c8a2ac64186c31755bfbdd2f247995d3aa2d4b6c1190a
• 34c2a314dcbb5230bf79e85beaf03c8cee1db2b784adf77237ec425a533ec634
• f7c4c6ecbad94af8638b0b350faff54cb7345cf06716797769c3c8da8babaaeb
• 94aea07f38e5dfe861c28d005d019edd69887bc30dcc3387b7ded76938827528
• 1d9afa23f9d2ab95e3c2aecbb6ce431980da50ab9dea0d7698799b177192c798
• 19060263a9d3401e6f537b5d9e6991af637e1acb5684dbb9e55d2d9de66450f2
• 0ca26d6ed1505712b454719cb062c7fbdc5ae626191112eb306240d705e9ed23
• d340829ed4fe3c5b9e0b998b8a1afda92ca257732266e3ca91ef4f4b4dc719f8
• 149bd232175659434bbeed9f12c8dd369d888b22afaf2faabc684c8ff2096f8c
• f9509e5e48744ccef5bfd805938bf900128af4e03aeb7ec21c1e5a78943c72e7
• 26d761fac1bd819a609654910bfe6537f42f646df5fc9a06a186bbf685eef05b
• 0e778b6d334e8d114e959227b4424efe5bc7ffe5e943c71bce8aa577e2ab7cdb
• 8bbcfe8555d61a9c033811892c563f250480ee6809856933121a3e475dd50c18
• 373e5a2ee916a13ff3fc192fb59dcd1d4e84567475311f05f83ad6d0313c1b3b
• 7d346bc965d45764a95c43e616658d487a042d4573b2fdae2be32a0b114ecee6
• 1bff1823805d95a517863854dd26bbeaa7f7f83c423454e9abd74612899c4484
• 020c51ca238439080ec12f7d4bc4ddbdcf79664428cd0fb5e7f75337eff11d8a

Domain(s):

• ahd.lat 
• allsdy999.org 
• etr.lat 
• gf79.org 
• goodapps.top 
• gov24.me 
• gov24.top 
• krgoodapp.top 
• krgov24.top 
• like1902.xyz 
• make69.info 
• messtube999.info 
• mtube888.info 
• mylove777.org 
• oktube999.info 
• top1114.online 
• ytube888.info 

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post New Android Spyware Posing as TV Streaming App Steals Data appeared first on First Hackers News.

Defenders can reduce risks through regular updates, lockdown mode, and mobile device management. International cooperation is key to controlling spyware’s spread as it continues to evolve.

Predator Spyware

Predator spyware, linked to Intellexa, has resurfaced after a lull. Despite sanctions, its infrastructure is active again, threatening privacy and security.

Operators of Predator spyware have adopted sophisticated techniques to better conceal their activities, making it increasingly difficult to track and attribute their attacks. This evolution highlights the ongoing challenges in countering advanced spyware threats.

Predator’s capabilities include remote device infiltration and data exfiltration, which allow governments and other entities to secretly monitor citizens and access sensitive information without their knowledge.

The spyware’s operators have further strengthened their infrastructure by incorporating a new layer of anonymization into their multi-tiered delivery system. This added layer complicates efforts to trace the spyware’s origins and monitor its usage, making it a more elusive and dangerous threat.

While attack methods like “one-click” and “zero-click” remain the same, Predator’s more complex infrastructure increases the risk to high-profile individuals. The spyware targets politicians, executives, journalists, and activists, with its high licensing cost suggesting use for strategic purposes.

The European Union is concerned about its misuse, as seen in investigations in Greece and Poland. To reduce the risk, individuals and organizations should focus on regular updates, device reboots, and lockdown mode.

MDM systems secure employee devices, and security training helps protect against social engineering. The spyware market is growing with new, advanced tools despite regulation efforts. Insikt Group’s investigation into Predator spyware has sparked calls for stricter regulations, but the spyware threat remains until global action is taken.

The post Predator Spyware leverages “one-click” and “zero-click” exploits appeared first on First Hackers News.

Meta Warns of 8 Spyware Companies

The findings were reported in Meta’s Adversarial Threat Report for the fourth quarter of 2023. The spyware targeted iOS, Android, and Windows devices, with capabilities to collect and access a wide range of data, including device information, location, photos and media, contacts, calendar, email, SMS, social media, messaging apps, and enable microphone, camera, and screenshot functionality, the company stated.

The eight companies identified are Cy4Gate/ELT Group, RCS Labs, IPS Intelligence, Variston IT, TrueL IT, Protect Electronic Systems, Negg Group, and Mollitiam Industries.

According to Meta, these firms were involved in scraping, social engineering, and phishing activities targeting various platforms, including Facebook, Instagram, Twitter, YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, Snapchat, Gettr, Viber, Twitch, and Telegram.

A network of fictitious personas linked to RCS Labs, owned by Cy4Gate, reportedly deceived users into providing their phone numbers and email addresses, as well as clicking on bogus links for reconnaissance purposes.

In another instance, Facebook and Instagram accounts linked to Spanish spyware vendor Variston IT were utilized for exploit development and testing, including the dissemination of malicious links. Recent reports indicate that the company is in the process of shutting down its operations.

Meta also reported identifying accounts used by Negg Group to test the delivery of its spyware. Additionally, accounts associated with Mollitiam Industries, a Spanish firm advertising data collection services and spyware targeting Windows, macOS, and Android, were identified for scraping public information.

As countermeasures, the company has introduced new features such as enabling Control Flow Integrity (CFI) on Messenger for Android and implementing VoIP memory isolation for WhatsApp to increase the difficulty of exploitation and reduce the overall attack surface.

Despite these efforts, the surveillance industry continues to thrive in various unexpected forms. Last month, 404 Media, building on previous research from the Irish Council for Civil Liberties (ICCL) in November 2023, uncovered a surveillance tool called Patternz. This tool utilizes real-time bidding (RTB) advertising data gathered from popular apps like 9gag, Truecaller, and Kik to track mobile devices.

“Patternz enables national security agencies to leverage real-time and historical user advertising data to detect, monitor, and predict user actions, security threats, and anomalies based on users’ behavior, location patterns, and mobile usage characteristics, as claimed by ISA, the Israeli company behind the product.

Last week, Enea disclosed a previously unknown mobile network attack called MMS Fingerprint, purportedly used by Pegasus-maker NSO Group. This information was detailed in a 2015 contract between the company and the telecom regulator of Ghana.”

While the exact method remains somewhat mysterious, the Swedish telecom security firm suspects it likely involves the use of MM1_notification.REQ, a special type of SMS message known as a binary SMS that notifies the recipient device of an MMS waiting for retrieval from the Multimedia Messaging Service Center (MMSC).

The MMS is then fetched via MM1_retrieve.REQ and MM1_retrieve.RES, with the former being an HTTP GET request to the URL address contained in the MM1_notification.REQ message.

What’s notable about this approach is that user device information such as User-Agent (distinct from a web browser User-Agent string) and x-wap-profile is embedded in the GET request, effectively acting as a fingerprint.

“The (MMS) User-Agent is a string that typically identifies the OS and device,” Enea explained. “x-wap-profile points to a UAProf (User Agent Profile) file that describes the capabilities of a mobile handset.”

A threat actor seeking to deploy spyware could utilize this information to exploit specific vulnerabilities, tailor malicious payloads to the target device, or even craft more effective phishing campaigns. However, there is no evidence suggesting that this security vulnerability has been exploited in the wild in recent months.

The post Meta Warns of 8 Spyware Companies Targeting iOS, Android, and Windows Devices appeared first on First Hackers News.

According to Cisco Talos, this malware operates in a stealthy manner, surreptitiously gathering sensitive data from victims’ devices and deploying additional executable files.

Arid Viper hackers have been conducting attacks since 2017 and are associated with cyber activities aligned with the interests of Hamas. The cybersecurity firm reported that there is no evidence linking this campaign to the ongoing Israel-Hamas conflict.

The distribution of the spyware is believed to have started in April 2022.

Notably, the malware exhibits code similarities with a legitimate online dating app named Skipped. This suggests that the operators are either affiliated with the app’s developers or have attempted to replicate its features to deceive users.

Arid Viper hackers frequently employ seemingly genuine applications to distribute malware. They utilize counterfeit profiles on social media platforms to deceive potential targets into downloading these malicious apps, particularly Android spyware.

Cisco Talos has revealed a sprawling network of companies that are developing dating apps closely resembling or even identical to Skipped. These apps are expected to become available for download from the official Android and iOS app stores in the coming years.

Some of these apps include:

1. VIVIO – Chat, flirt & Dating (Available on the Apple App Store)
2. Meeted (formerly Joostly) – Flirt, Chat & Dating (Available on Apple App Store)
3. SKIPPED – Chat, Match & Dating (with 50,000 downloads on Google Play Store)
4. Joostly – Dating App! Singles (with 10,000 downloads on Google Play)

After installation, the Android spyware conceals itself on the target device, suppressing system and security notifications, including those with APK package names containing the term “security” on Samsung mobile devices and all Android phones.

The spyware requests various permissions, including recording audio and video, accessing contacts, call logs, reading SMS messages, changing Wi-Fi settings, terminating background apps, capturing photos, and generating system notifications.

The malware can collect system data, fetch an updated command-and-control (C2) domain from the current C2 server, and install additional hidden malware within seemingly legitimate apps like Facebook Messenger, Instagram, and WhatsApp.

Protection against spyware

To safeguard against Android spyware, install reliable antivirus software on your device. These tools can detect and eliminate spyware, preventing potential harm. Select a program from a reputable provider and keep it up to date for ongoing protection.

Additionally, ensure regular updates for your device, as these typically include security enhancements and address known vulnerabilities.

Furthermore, exercise caution when connecting to open Wi-Fi networks. Avoid accessing sensitive data, like banking information or passwords, on public Wi-Fi. If you must log in, employ a VPN to encrypt your connection and safeguard your personal information.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Arid Viper target Android users with spyware appeared first on First Hackers News.

SpyNote: Android spyware

F-Secure reports that the trojan in question is typically disseminated through SMS phishing campaigns, which entice users to unknowingly download spyware onto their devices by clicking a malicious link embedded within the message.

SpyNote gains access to call logs, camera, SMS messages, and external storage while concealing its presence from both the primary Android screen and the Recents screen, effectively making detection challenging.

“The SpyNote malware app, as noted by F-Secure researcher Amit Tambe, can be initiated through an external trigger. Subsequently, it initiates its core malicious activities. Most notably, it actively seeks accessibility permissions, aiming to acquire additional privileges, including audio and telephone call recording permissions, keystroke logging capabilities, and the ability to capture screenshots of the phone through the MediaProjection API.”

A detailed examination of the malware by F-Secure uncovered the existence of so-called “diehard services,” which create complications when attempting to terminate the spyware, whether it’s the victims or the operating system itself trying to do so.

“The SpyNote sample is spyware that captures and pilfers a range of information, encompassing keystrokes, call logs, data regarding installed applications, and more,” Tambe explained. “It lurks discreetly on the victim’s device, evading easy detection and rendering the uninstallation process exceptionally challenging.”

The victim will be forced to do restore factory settings, thus losing all its other data.

Spyware presents multiple hazards, and it is imperative to comprehend its implications and implement protective measures. Among the foremost concerns linked to spyware are the invasion of privacy and the risk of data breaches.

Spyware poses a significant threat to our privacy as it stealthily infiltrates our devices, potentially harvesting critical personal and financial data that can subsequently be exploited for further malicious activities.

Beyond the privacy concerns, spyware can result in more extensive data breaches, encompassing personal and financial information, confidential corporate data, and other sensitive content. When this data is exposed, it can trigger substantial financial losses, disrupt trust and transparency, and potentially jeopardize national security.

The post SpyNote: Android spyware records your calls appeared first on First Hackers News.

In the past, this malware was employed to target ethnic minorities in China. However, ESET reports a shift in focus, with attackers now aiming at users in countries including Ukraine, Poland, the Netherlands, Spain, Portugal, Germany, Hong Kong, and the United States.

BadBazaar spyware

The BadBazaar spyware boasts a range of capabilities, such as pinpointing the device’s precise location, pilfering files, recording calls and SMS messages, capturing phone conversations, acquiring photos from the camera, and absconding with contact lists, files, or databases.

The trojanized applications containing the BadBazaar malicious code were discovered by ESET researcher, Lukas Stefanko.

The Chinese team has introduced two apps named “Signal Plus Messenger” and “FlyGram,” which are modified versions of the popular open-source instant messaging apps Signal and Telegram.

Interestingly, hackers have established dedicated websites, “signalplus[.]org” and “flygram[.]org,” to enhance the legitimacy of these apps. These websites provide links for installing the apps either from Google Play or directly from the site.

According to ESET, the FlyGram app is designed to target sensitive data, including contact lists, call logs, Google accounts, and WiFi data. Additionally, it features a hazardous backup function that transmits Telegram communication data to a server under the control of the attackers.

Examination of the available data reveals that a minimum of 13,953 FlyGram users have activated the backup feature. Nevertheless, the precise user count for the spyware application remains unknown.

On the other hand, the Signal clone collects similar information, but focuses more on extracting information related to Signal, such as victim’s communications and the PIN protecting their account from unauthorized access.

However, the fake Signal app includes a feature that makes it attack more interesting as it allows the attacker to link a victim’s Signal accounts to devices controlled by them (the invaders). So they can see future messages.

Signal offers a QR-code-based feature enabling multiple devices to connect to a single account, allowing messages to be accessible from all connected devices.

Signal Plus Messenger with BadBazaar spyware exploits this feature by automatically linking its devices to victims’ Signal accounts, bypassing the QR-code process without their knowledge. This enables attackers to monitor all future messages sent from the Signal account.

The spyware discreetly establishes a connection between the victim’s smartphone and the attacker’s device, allowing the attacker to eavesdrop on Signal communications without the victim’s awareness.

ESET has reported that this method of spying on Signal has been employed previously, as it is the sole means of accessing the message content.

To determine if someone has accessed your Signal account, launch the official Signal app, navigate to Settings, and select “Linked Devices” to inspect and oversee all connected devices.

Mitigation

For Android users, it is strongly recommended to utilize the official Signal and Telegram versions to ensure their safety from potential risks.

Spyware infections can result in significant breaches of user privacy and security, underscoring the importance of prevention and early detection measures.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Chinese APT Uses Fake Messenger Apps to Spy on Android Users appeared first on First Hackers News.

SpinOk spyware?

Android.Spy.SpinOk module is designed to engage users with mini games, tasks, and alleged prizes, but it also contains spyware functionality. When initialized, the trojan SDK connects to a command and control (C&C) server and sends a request containing technical information about the infected device. This information includes data from sensors like the gyroscope and magnetometer, which can be used to detect emulator environments and adjust the module’s behavior to avoid detection by security researchers.

The module also ignores device proxy settings to hide network connections during analysis. In response, it receives a list of URLs from the server, which are opened in WebView to display advertising banners.

Capabilities of Trojan SDK

• obtain the list of files in specified directories,
• verify the presence of a specified file or a directory on the device,
• obtain a file from the device, and
• copy or substitute the clipboard contents.

Dr. Web claims that this SDK was found in 101 apps that were downloaded a total of 421.290.300 times from Google Play, with the most downloads listed below:

• Noizz (100,000,000 downloads)
• Zapya (100,000,000 downloads)
• VFly (50,000,000 downloads)
• MVBit (50,000,000 downloads)
• Biugo (50,000,000 downloads)
• Crazy Drop (10,000,000 downloads)
• Cashzine (10,000,000 downloads)
• Fizzo Novel (10,000,000 downloads)
• CashEM: Get Rewards (5,000,000 downloads)
• Tick: watch to earn (5,000,000 downloads)

It is recommended to uninstall the app immediately and scan your device.

How to stay safe from bad apps

1. Avoid Installing Apps From Unknown Sources

2. Avoid Third-Party App Stores

3. Cross-Check App Permissions With AppBrain

4. Review the App Listing Page

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Android apps with SpinOk spyware module installed over 421,000K times appeared first on First Hackers News.