Archive for author: makoadmin

Apple released a security update for iOS and iPadOS to patch multiple vulnerabilities, including one that could leak sensitive information when visiting a malicious website and one that allows an attacker to display false information in the address bar.

In total, 29 vulnerabilities were patched, most of them in WebKit, Apple’s web rendering engine that powers Safari and renders webpages in other apps.

The update is available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

To check if you’re using the latest software version, go to Settings > General > Software Update. You want to be on iOS 18.6 or iPadOS 18.6, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

Apple has also released updates for macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7, watchOS 11.6, and tvOS 18.6.

Technical details

Here we will discuss some of the vulnerabilities that Apple patched in this update.

CVE-2025-31229: A logic issue might disclose your passcode by the VoiceOver reading it aloud. VoiceOver is a gesture-based screen reader which allows people to use an iPhone even if they can’t see the screen.

CVE-2025-43217: Devices may fail to display the privacy indicators when apps access the microphone or camera, which could prevent users from being notified about this usage.

CVE-2025-43227: Visiting a specially crafted malicious website can expose your sensitive information; while Apple has not specified the exact types, data handled by the browser (for example, cookies, authentication tokens, browsing history, and other personal information), could be at risk.

CVE-2025-43228: Visiting a malicious website may lead to address bar spoofing. “Address bar spoofing” is when a website tricks your web browser into showing a fake or misleading website address (URL) in the address bar, at the top of your browser window, instead of the website you’re actually visiting. This means what you see in the address bar looks like a trustworthy site (for example, your bank or a popular service), but in reality, you’re on a different, potentially dangerous site controlled by an attacker.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

A few days after Tea Dating Advice discovered unauthorized access to one of its systems that leaked 72,000 user images, the popular mobile app faced a second issue involving a separate database, as a researcher reported to 404Media that they were able to access private conversations.

Tea Dating Advice, or just Tea for short, aims to provide a space for women to exchange information about men they know, have met, or dated in the past. The app seeks to provide a platform for people to share relevant information about, say, potentially abusive partners, and it claims to have more than 1.6 million users. After approving a new user, the system allows them to search for men by name, find people they know, and leave comments about them. Theoretically, men can’t access the app, so they have no recourse if they’re drowning in red flags and warnings on Tea.

The set of leaked images includes 13,000 selfies and photo IDs submitted for account verification including driver license photos, as well as 59,000 images from posts, comments, and direct messages.

While Tea acknowledged that a data breach occurred on a legacy data storage system, resulting in unauthorized access to a dataset from prior to February 2024, this is a completely different breach, and even worse for those involved. The researcher was able to see over a million private messages, stretching from early 2023 up until last week.

Kasra Rahjerdi, the researcher who flagged the issue, provided a database of more than 1.1 million messages to prove his findings. With the content of these messages at hand, it was trivial to find social media profiles, telephone numbers, and the real-world identities of most users.

They found messages from women discussing abortions, cheating partners, and other sensitive info.

One internet forum, 4chan, openly shared the images exposed in the first breach, but Rahjerdi informed only Tea and 404Media about his latest work, providing enough information to confirm their findings. But there is no way of knowing whether others used the same method to access Tea’s private messages.

Aside from how you might feel about the Tea app, its purpose, the users, and those intent on destroying it, the developers could have anticipated the scrutiny and attacks on their infrastructure. Leaks happen everywhere, but sensitive data should not be stored unencrypted. And, while Tea claims to donate 10% of it profits to the National Domestic Violence Hotline, the company still has a responsibility of safety (through cybersecurity) to its own users.

A Tea app spokesperson limited their statement to:

“We have engaged third-party cybersecurity experts and are working around the clock to secure our systems. At this time, we have implemented additional security measures and have fixed the data issue.”

Tea Dating Advice users will have to be vigilant since phishing attacks banking on these incidents might occur.

Protecting yourself after a data breach

While there are no indications that this database was found by cybercriminals before it was secured, it might have been. There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Insurance company Allianz Life was breached, exposing the data of most of its 1.4 million American customers.

According to Allianz, an attacker gained access to a third-party, cloud-based Customer Relationship Management (CRM) system through social engineering. The company filed a data breach notification with the Attorney General of the US state of Maine on Friday July 25, 2025.

The incident reportedly took place on July 16, 2025 and was discovered one day later. According to a spokesperson:

“The threat actor was able to obtain personally identifiable data related to the majority of Allianz Life’s customers, financial professionals, and select Allianz Life employees, using a social engineering technique.”

Although the company did not disclose an exact number of affected people, the Allianz Life has 1.4 million customers in the US. Its parent company, Allianz, has more than 125 million customers worldwide.

Allianz Life did not disclose the exact CRM system involved. However, in June, Google warned about a ransomware group that was specializing in voice phishing (vishing) campaigns that are specifically designed to compromise organizations’ Salesforce instances for large-scale data theft and extortion.

Google tracks this group as UNC6040, which the cybersecurity community commonly calls “The Com.” The group called Scattered Spider likely is the most well-known entity associated with The Com. Earlier this month we reported that Scattered Spider breached Australia’s largest airline Qantas by gaining access to a third-party platform, utilizing social engineering.

If Scattered Spider was indeed behind the Allianz data breach, they will extort the company by threatening to release the acquired data or sell it to the highest bidder.

The data breach notification indicates that Allianz plans to start informing affected consumers as of August 1, 2025.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

This week on the Lock and Code podcast…

For decades, digital rights activists, technologists, and cybersecurity experts have worried about what would happen if the US government secretly broke into people’s encrypted communications.

The weird thing, though, is that, in 2018, it already happened. Sort of.

US intelligence agencies, including the FBI and NSA, have long sought what is called a “backdoor” into the secure and private messages that are traded through platforms like WhatsApp, Signal, and Apple’s Messages. These applications all provide what is called “end-to-end encryption,” and while the technology guarantees confidentiality for journalists, human rights activists, political dissidents, and everyday people across the world, it also, according to the US government, provides cover for criminals.

But to access any single criminal or criminal suspect’s encrypted messages would require an entire reworking of the technology itself, opening up not just one person’s communications to surveillance, but everyone’s. This longstanding struggle is commonly referred to as The Crypto Wars, and it dates back to the 1950s during the Cold War, when the US government created export control regulations to protect encryption technology from reaching outside countries.

But several years ago, the high stakes in these Crypto Wars became somewhat theoretical, as the FBI gained access to the communications and whereabouts of hundreds of suspected criminals, and they did it without “breaking” any encryption whatsover.

It all happened with the help of Anom, a budding company behind an allegedly “secure” phone that promised users a bevy of secretive technological features, like end-to-end encrypted messaging, remote data wiping, secure storage vaults, and even voice scrambling. But, unbeknownst to Anom’s users, the entire company was a front for law enforcement. On Anom phones, every message, every photo, every piece of incriminating evidence, and every order to kill someone, was collected and delivered, in full view, to the FBI.

Today, on the Lock and Code podcast with host David Ruiz, we revisit a 2024 interview with 404 Media cofounder and investigative reporter Joseph Cox about the wild, true story of Anom. How did it work, was it “legal,” where did the FBI learn to run a tech startup, and why, amidst decades of debate, are some people ignoring the one real-life example of global forces successfully installing a backdoor into a company?

The public…and law enforcement, as well, [have] had to speculate about what a backdoor in a tech product would actually look like. Well, here’s the answer. This is literally what happens when there is a backdoor, and I find it crazy that not more people are paying attention to it.

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

A list of topics we covered in the week of July 21 to July 27 of 2025

Last week on Malwarebytes Labs:

• Steam games abused to deliver malware once again
• Watch out: Instagram users targeted in novel phishing campaign
• Age verification: Child protection or privacy risk?
• iPhone vs. Android: iPhone users more reckless, less protected online
• Introducing the smarter, more sophisticated Malwarebytes Trusted Advisor, your cybersecurity personal assistant
• AI-generated image watermarks can be easily removed, say researchers
• Proton launches Lumo, a privacy-focused AI chatbot
• Startup takes personal data stolen by malware and sells it on to other companies
• ‘Car crash victim’ calls mother for help and $15K bail money. But it’s an AI voice scam
• “Ring cameras hacked”? Amazon says no, users not so sure

ThreatDown blog

• ThreatDown Email × EDR—a force multiplier in protection

Stay safe!

A cybercriminal known as EncryptHub (aka Larva-208) has reportedly abused the online game platform Steam to distribute information stealers.

EncryptHub managed to sneak malicious files into the Chemia game files hosted on Steam. Chemia is an adventurous survival type of game that puts the player in a world ravaged by a catastrophic natural disaster… which is nothing compared to the real-world disasters that can be caused by information stealers.

Chemia has not been publicly released yet, but was available as an early access on Steam. Steam offers Early Access to certain games primarily as a development model that allows players to purchase and play games while they are still in progress, rather than waiting for a full official release. It helps developers to receive direct, ongoing feedback from the community which they can use to find bugs, balance gameplay, and improve features.

According to security researchers at the Proactive Defense Against Future Threats (PRODAFT), the initial compromise took place on July 22, 2025. EncryptHub added a Trojan downloader to the game files that runs alongside the actual application.

The downloader establishes persistence on the affected machine and distributes Fickle Stealer, HijackLoader, and Vidar.

Vidar is a Malware-as-a-Service information stealer which uses public networks such as social media, communication platforms—and Steam—as parts of its Command & Control infrastructure.

HijackLoader is a malware loader used by attackers to load additional malware (such as Trojans like Danabot or the RedLine stealer) onto infected computers.

The Fickle stealer is a relatively new information stealer which uses PowerShell scripts to bypass User Account Control (UAC) and can steal sensitive files, system information, browser-stored data, cryptocurrency wallet details, and more.

As we explained many times before, information stealers can turn your life upside down. Depending on what is stored on the infected device the consequences can range from financial damage to identity theft.

In another case of abuse of the Steam platform, we saw a cybercriminal use a sniper video game to distribute malware to unsuspecting gamers. But that criminal didn’t circulate the malicious demo on Steam directly. Instead, the game’s Steam page featured a link to the developer’s external website promoting a demo that turned out to be malware.

A month before that, a game called PirateFi was released on Steam, but turned out to be circulating malware amongst gamers.

With Steam’s huge userbase (over 100 million monthly active users), a compromised game can serve as a direct path for cybercriminals to get hold of valuable digital assets, direct financial information, and personal information.

How to stay safe

Some tips to help gamers stay clear of downloading malicious software:

• Do not act on direct messages and other unsolicited ways to try out some game. Random people asking you to download something should be treated as suspicious.
• Verify invitations from “friends” through a different channel, such as texting them directly or contacting them on another social media platform. This is because their current account may have been compromised.
• Make sure to run an up-to-date and active anti-malware solution on your computer.

If you have tried the Chemia game, run a full system anti-malware scan.

Indicators of compromise

Domains:

soft-gets[.]com

reaitek[.]com

safesurf.fastdomain-uoemathhvq.workers[.]dev

Fickle downloader hash:
ed076c27b420bfa66c251488b4121913fa461367a60c5fa32cee3953efcae32b

Fickle Stealer hash:

6fb7fd9763d6b269793c80bbc03a1be358390781af4b698fba1591cb8dbb8825

Vidar Stealer has:

2cd8c0e75cf76381f06dfe465a542e52eefa713b0bea2557763e0c0c45b21481

HijackLoader hashes:

9a733b2de84e2bf466287abd034b04b18c8c269535606e8f6403eee2a3b288c4

12935315254175719cbbaad0b213204ddebd4100ffc551d54f8cf39ced1be227

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A phishing campaign targeting Instagram users is doing the rounds. There are plenty of those around, but when we took a look at this particular email, it seemed a bit different to the normal phishing emails that point to scammy websites.

The email looked like this, which is very similar to the one Instagram sends if it wants you to confirm your identity:

“Hi {name}
Someone tried to log in to your Instagram account.
If this was you, please use the following code to confirm your identity:
231342
If this wasn’t you, please [Report this user] to secure your account.”

Instead of linking to a phishing website, which is most common with emails like this, both the “Report this user” and “Remove your email address” links are mailto: links. Clicking on a mailto: link opens your default email program with a pre-addressed message with the subject line “Report this user to secure your account” or “Remove your email address from this account” for the second link.

The email addresses in these links all had unsuspicious looking domains, made to look similar to legitimate ones. We call this technique of registering domain names “typosquatting.”

In the case we researched the email addresses were:

• prestige@vacasa[.]uk.com (typosquat of vacasa.com vacation rentals)
• ministry@syntec[.]uk.com (typosquat of syntechnologies.co.uk hardware provider)
• technique@pdftools[.]com.de (typosquat of pdf-tools.com software provider)
• service@boss[.]eu.com (several possibilities)
• threaten@famy[.]in.net (science news site, possibly compromised)
• difficulty@blackdiamond[.]com.se (known malicious domain)
• anticipation@salomonshoes[.]us.com (typosquat of salomon.com running shoes)

We sent an email to these addresses from a dummy account to see what happened. Unfortunately, most of them were dead in the water when our email reached them. However, we did find that a lot of the servers were hosted at the same IP address.

Research of the IP address showed that there were many more domains set up, likely with the same objective in mind.

Why mailto: links?

Many email filters look for links to malicious domains and new ones get added fairly quickly, so the domains and emails are only useful for one day (on average). Using mailto: links can therefore help attackers avoid automated flagging or URL reputation checks.

It also saves the cybercriminals work. They don’t need to set up a fake website, which in this case would be an Instagram clone, or all the back end infrastructure needed to harvest the credentials. All they need to do now is watch the email inbox and wait for victims.

Receiving an email validates that the email address the phishing mail was sent to is active and someone is using it. That opens the victim up for further attempts. By engaging in a conversation, attackers can directly request sensitive information in a less obvious way than with a phishing form, often through continued correspondence.

Victims may feel safer replying to an email than clicking on a suspicious link. The fear of instant repercussions is smaller when you’re sending an email than for visiting an unknown website.

Instagram phishing

In March, 2025, security awareness provider Phishing Tackle reported about a phishing campaign targeting Meta users, which aimed to steal access to Instagram business accounts. The scam used step-by-step instructions and fake chat support to trick users.

In that case, the scammers threatened users with a suspension of the account due to advertising violations, but it showed once more that influential Instagram accounts are an attractive target for phishers. They can use compromised accounts for other campaigns or sell the harvested credentials to other cybercriminals.

But even if you’re not a business or bedecked with followers, if someone compromises your Instagram account they can lock you out and then demand money to give you back the account. Sadly, many people feel forced to pay because they don’t want to lose years of photos and their associated memories.

How to avoid Instagram phishing

Since we can expect to see more phishing campaigns that use mailto: links, here are some tips to avoid falling victim to such a scam.

• As with regular links, scrutinize the destination of an email link. Even if the domain looks legitimate, your Instagram account isn’t secured by a shoe maker or vacation provider, or someone using a gmail address. The email address should be one that belongs to Instagram or Meta.
• Remember that legitimate companies will not ask you to mail them your account details, credentials, or other sensitive information.
• If there’s an urgency to respond to an email, take a pause before you do. This is a classic scammer trick to get you to act before you can think.
• Don’t reply if the warning looks suspicious in any way. Sending an email will tell the phishers that your email address is active, and it will be targeted even more.
• Do an online search about the email you received, in case others are posting about similar scams.
• Use Malwarebytes Scam Guard to assess the message. It will tell you whether it’s a scam or give you tips how you can find out if it isn’t sure.

With governments demanding actual age verification on websites with adult content, and platforms like social media and Roblox introducing restrictions based on a user’s age, the controversy about different types of age verification and their implications is growing.

Last week, Roblox announced new age estimation technology which, it says, should help to confirm users’ ages and unlock a feature called Trusted Connections for those aged 13 and older. Trusted Connections allows teens aged between 13 and 17 to add adult users (18+) they know in real life. It’s billed as an option to keep out predators, which is good. But the age estimation technology raises concerns and questions.

While Roblox didn’t release any details about how its new technology works, the age estimation processes we know are based on Artificial Intelligence (AI) tools that scan selfies or short videos and compare them to a database to estimate the user’s age. Needless to say, they are not always right and it opens up the system to deepfakes, and spoofing.

This kind of technology is more effective than asking the user to provide their birthday or check a box that they are over 18, but it’s not waterproof.

We see similar concerns when it comes to age verification for sites that host adult content. As of this Friday, websites operating in the UK with pornographic content must “robustly” age-check users.

The regulator, Ofcom, lists a number of allowed methods which all have their pros and cons:

Facial age estimation

Show your face, get a guess. You take a selfie or a short video, and an algorithm tries to figure out if you look over 18. The tech claims to keep data private, but facial scans are sensitive. And, as we pointed out, accuracy is far from perfect. If you’ve ever been asked to provide an ID in real life because you “look young,” you can expect a digital déjà vu.

Open banking

Banks know your age, so why not let them confirm it? Here, you allow the age-check service to peek at your bank account. No bank statements get handed over, just a yes/no to the question: “Is this customer an adult?” It’s easy, but convincing users to link their bank to a porn site might be a different story.

Digital identity services

This is the world of digital wallets for your ID. Think of it as carrying your driver’s license in your phone, but only showing the “over 18” part when needed. Sounds great and it is, but you’ll need yet another app in your digital life just to vouch for your adulthood everywhere you go.

Credit card age checks

Simple logic: you need to be 18+ to have a credit card, so showing a valid one counts as proof. The age-checker pings the payment processor to see if your card is legit. It’s quick and familiar, but not everyone over 18 has a credit card, so it’s not for everyone. Plus your purchase trail grows with every verification.

Email-based age estimation

Enter your email address. The system tries to deduce your age using records of that email in other “adult” places, like financial or utility services. Basically, you’re allowing digital snooping, and the effectiveness depends on your online life elsewhere having already tipped off your age somewhere along the line.

Mobile network operator checks

The system queries your phone provider to see if you have any age restrictions on your account. No parental controls? Looks like you’re an adult. Fast, but only as reliable as the information stored at your carrier, and not an option for users on pay-as-you-go or burner numbers.

Photo-ID matching

You upload your ID and a fresh selfie. The system checks if the faces and ages match up. Classic, effective, and widely used, but you’re giving away a lot of personal information, and trusting that it’ll be kept safe.

Privacy concerns

None of these options is perfect or without risk. Many of these options have privacy implications for the user, or as a commenter told BBC News:

“Sure, I will give out my sensitive information to some random, unproven company or… I will use a VPN. Difficult choice.”

A VPN is a popular option to circumvent regulations that only apply in certain countries or states. VPNs offer a secure connection when you’re using the internet and they have a variety of uses, but one is getting around blocks based on your location.

Work is being done on “double-anonymity” solutions, but implementation seems to be hard. Double anonymity basically separates the information of two providers from each other. The first provider (website asking for age confirmation) will only get the requester’s age and no other information. The second provider (the age verifier) will not receive information about the service or website the age verification is needed for.

In essence, the system answers only the question “Is this user of the required age?” to the site, and the third party never knows for what purpose or where this answer is used. This approach is becoming a regulatory standard in places like France to balance protecting minors online with adult users’ privacy.

We feel “double-anonymity” sounds a whole lot better than “age estimation.” But the real question is whether age verification is an effective method to protect children, or is it just another threat to our privacy?  Let us know your opinion in the comments.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

The smartphone wars have a winner, and it’s Android.

No, this isn’t about which device has the best camera, the snappiest processor, or the flashiest AI features—this is about which device owners are safer online, and in many ways, it is Android users who take the crown. According to a new analysis from Malwarebytes, when compared to iPhone users, Android users share less of their personal information for promotional deals, more frequently use security tools, and more regularly create and manage unique passwords for their many online accounts.

They also, it turns out, fall victim to fewer scams.

This is the latest investigation into research conducted earlier this year by Malwarebytes that surveyed 1,300 people over the age of 18 in the US, the UK, Austria, Germany, and Switzerland. In the original report released in June, Malwarebytes revealed how mobile scams have become a part of everyday life for most everyone across the globe—and how far too many individuals have essentially given up on trying to fight back.

Now, Malwarebytes can reveal how iPhone and Android users differ when scrolling, shopping, and sending messages online. This secondary analysis has controlled for age, meaning that, while iPhone users did tend skew younger in the original data set, the differences identified here are more directly attributed to device type.

Here are some of the key takeaways:

• Apple users are more likely to engage in risky behavior.
  • 47% of iPhone users purchased an item from an unknown source because it offered the best price, compared to 40% of Android users.
  • 41% of iPhone users sent a Direct Message (DM) on social media to a company or seller account to get a discount or discount code, compared to 33% of Android users.
• Apple users take fewer precautions online.
  • 21% of iPhone users said they use security software on their mobile phones, compared to 29% of Android users.
  • 35% of iPhone users choose unique passwords for their online accounts, compared to 41% of Android users.
• Apple users are more likely to be the victims of scams.
  • 53% of iPhone users have fallen victim to a scam compared to 48% of Android users.

Importantly, the behavioral splits here are largely device agnostic.

Android users are not scanning fewer QR codes and iPhone users are not failing to make unique passwords because their respective devices are somehow incapable. Instead, iPhone users are making worse decisions about buying things online and about staying safe from all types of cyberthreats—whether that includes phishing attempts, social engineering scams, or malware infections.

The reasons for this are complex and hard to identify, but Malwarebytes’ original research can provide a clue. Namely, iPhone users were slightly more likely than Android users (55% compared to 50%) to agree with the following statement:

“I trust the security measures on my mobile/phone to keep me safe.”

That trust could have an adverse effect, in that iPhone users do not feel the need to change their behavior when making online purchases, and they have less interest in (or may simply not know about) using additional cybersecurity measures, like antivirus.

Whatever the reasons, there is room for improvement. As explained by Mark Beare, general manager of consumer business for Malwarebytes, staying safe online today cannot rely on any single platform, device, or operating system.

“Devices and operating systems are just gateways to apps and websites, and it’s often those online spaces that present cyber risks,” Beare said. “When those websites or apps serve malicious or deceptive content, it’s up to the user to decide what’s real, what’s a scam, and where they should or shouldn’t click.”

Here is where iPhone users should most pay attention when using the internet.

Unsafe shopping

It’s getting harder to shop safely online.

For years, the cybersecurity industry warned people about the most obvious red flags when making a purchase or offering a donation online: Don’t click on unknown links, don’t share personal information, don’t send messages directly to strangers, and don’t scan QR codes that can lead to unknown locations. Behind all of these could lie malware, data theft, and even the slow start of a social engineering scam.

And yet, in the past few years, even legitimate businesses have asked everyday consumers to do these same, reckless things. Online stores ask that people send a Direct Message (DM) on social media for a discount code, or that they sign up their email or phone number for a promotional offer, or that they complete their payment by scanning a QR code, or that they track an upcoming delivery by clicking on a link sent via text.

Just because established businesses are leaning into these tactics does not make the tactics inherently safe, and unfortunately, iPhone users are pushing back the least.

According to Malwarebytes’ recent analysis, 63% of iPhone users signed up their phone number for text messages so they could get a coupon, discount, free trial, or other promotional offer, compared to the 55% of Android users who did the same. Similarly, 41% of iPhone users “sent a DM on social media to a company or seller account to get a discount or discount code,” compared to 33% of Android users.

Malwarebytes also found that 47% of iPhone users “purchased an item from an unknown website or supplier because it offered the best price,” compared to 40% of Android users.

In looking at the data, however, it is important to recognize that some of the behavior from iPhone users has been thrust upon them.

For example, 70% of iPhone users have “scanned a QR code to begin or complete a purchase.” Beginning in 2020, scanning a QR code became commonplace as restaurants across the world implemented several strategies to limit the spread of COVID-19. This practice isn’t the fault of iPhone users (or the 63% of Android users who have done the same), and they shouldn’t be “blamed” for what the world asked of them.

However, sharing a phone number, sending a DM to a stranger, and buying from unknown websites are decidedly not requirements today for making an online purchase. 

As Malwarebytes discussed on the Lock and Code podcast earlier this year, “data deals” in which consumers are asked to give up some of their privacy for a one-time discount are rarely, if ever, worth the cost. Separately, the most common start to a romance scam, job scam, or investment scam is through a DM sent on social media.

Though legitimate companies have co-opted these strategies to boost engagement and revenue, the public still have an opportunity to push back. If they do not, there is a real risk that these marketing tactics become so normalized that online scammers will find it easier to send malicious messages, disguise their intentions, and steal from innocent people.

Not so pro(active)

Ever since a devastatingly effective commercial was unveiled to the public some 20 years ago, there’s been a persistent belief that Apple devices are somehow impervious to viruses, malware, and all other nasty cyber infections.

The marketing ploy was wrong back then and it is still wrong today—Macs get plenty of viruses—but the damage is already done, and the consequences might be most visible in how iPhone users feel about traditional cybersecurity tools: In short, they don’t use them.

According to Malwarebytes’ new analysis, just 21% of iPhone users said they use security software on their mobile phone, compared to 29% of Android users. iPhone users were also less likely than Android users to use an ad blocker (19% of iPhone users compared to 27% of Android users).

The data gaps here are sometimes benign. The low use of “ad blockers,” in particular, should come as no surprise. These tools are mostly understood as add-ons for desktop and laptop versions of popular web browsers—such as Google Chrome, Microsoft Edge, and Mozilla Firefox. While many mobile browsers have ad blockers built in by default, this may not be known to the average user.

Also remember that, as smartphone ownership increases across the globe, so do the numbers on smartphone “dependency.” According to Pew Research Center, 15% of adults in the US only have a smartphone to connect to the internet, meaning, perhaps, that 15% of people simply cannot access the same security and privacy tools that are developed predominantly for computers.

That said, the justifications for iPhone users start to fade when looking at one last number.

Only 35% of iPhone users “choose unique and strong passwords for accounts,” compared to 41% of Android users. Creating strong, unique passwords for online accounts is foundational to staying safe online, and it has only been made easier and more accessible over time.

For users who cannot remember a unique password for every account (which is every person alive), password managers are available—some for free—to help create, store, and recall as many strong passwords as needed. For users who do not trust a third-party password manager (understandably so), Apple released its “Passwords” app on iOS 18 nearly one year ago, making password management easier by default. And for users who don’t trust password managers (of which there are many), the antiquated practice of physically writing usernames and passwords in a private journal isn’t that outlandish.

In short, there is little excuse for failing to create and use unique passwords for every online account, and that goes for Android users, too. The technology can be intimidating, but it’s worth the work.

Security for all

The measurably unsafe behavior of some iPhone users online comes with unfortunate, measurable consequences. The poor password hygiene, risky buying behavior, and limited antivirus protection are all paired with a higher overall rate of victimization—53% of iPhone users have fallen victim to a scam compared to 48% of Android users.

In the worst circumstances, these disparate rates could invite blame, but it’s the wrong conclusion to make. As any scam victim knows, the statistical analysis of victimization means absolutely nothing when you are personally trying to recover your money, your reputation, your private photos, and your sense of trust in the world around you.

Every person, no matter their device, should create unique passwords for individual accounts, use security products (which can also detect malicious websites and phishing schemes), and rely on friends and family when something doesn’t feel right online. And for those who want 24/7 guidance on strange messages, phone numbers, and more, there is always Malwarebytes Scam Guard to lead the way. Try it today.

You ever get that feeling when you double-check the locks, but still wonder if you’ve missed something? That’s what a lot of people feel about cybersecurity.  

That’s where Malwarebytes Trusted Advisor comes in. You can see it as your very own cybersecurity personal assistant, giving you real-time insight into how protected you are, without all the jargon or notifications.  

Trusted Advisor checks the state of your cybersecurity tools like real-time protection, VPN connection, scheduled scans, and browser safety, and gives you a clear, color-coded view of your current risk level. 

And now, our Windows version is sharper, smarter, and more helpful than ever. 

What’s new? 

• Stronger Wi-Fi protection*: Trusted Advisor now checks if your Wi-Fi network is connected to an open, unsecured network.

• Smarter security score: Your protection score is now more accurate and personalized, giving you clearer insights into your overall security health. 

• Seamless identity protection integration: Trusted Advisor now works hand-in-hand with our identity protection, making it easier to stay ahead of threats like data leaks and identity fraud. 

• Take control of ads*: Trusted Advisor now helps you disable Windows’ ad features, such as start menu suggestions and login screen ads, allowing you to enjoy a smoother Windows experience free from distractions.  

Cybersecurity sometimes feels like quantum physics, but it doesn’t have to. With its latest updates, Malwarebytes Trusted Advisor makes it easier than ever to understand what’s going on behind the scenes, and to take control of your digital safety without needing a degree in computer science.  

Want to see the new Trusted Advisor in action? Open Malwarebytes on Windows and check your protection dashboard.  

* Windows 11 only.