IT NEWS

Catwatchful “child monitoring” app exposes victims’ data

If an app markets itself as a “child monitoring” tool, a customer might expect that their own data, and that of the person being monitored, is handled with the utmost care. However, as we’ve seen many times before, stalkerware (which is what this kind of monitoring software is commonly called) apps tend to be low quality and poorly secured.

Stalkerware refers to apps and other monitoring software that enable someone to secretly spy on another person’s private life via their mobile device or computer. Many stalkerware apps market themselves as parental monitoring tools, but they can be—and often are—used to stalk and spy on a person. Sadly, the most common users of stalkerware are domestic violence abusers, who load these programs onto their partner’s device without their knowledge.

The latest case in point: security researcher Eric Daigle found that an Android app called Catwatchful has exposed the data of thousands of its customers and their victims, along with details of its administrator.

Catwatchful claims it is “invisible and cannot be detected”, and uploads the victim’s photos, messages, and real-time location data to a dashboard for the person monitoring to see. It also can remotely tap into audio recorded by the phone’s microphone, as well as access both front and rear phone cameras.

Make no mistake, this is nasty stuff.

And now it turns out that the data hasn’t been stored securely. The exposed database, which the researcher shared with TechCrunch, contained the phone data from 26,000 victims’ devices as well as the email addresses and plain text passwords of more than 62,000 customers.
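The plain-text passwords are the avoidable part of this leak. The following is an added example, not code from Catwatchful or from this article, contrasting a password store that writes the password itself with one that keeps only a salt and a key-derivation output. The scrypt parameters and the dictionary-backed “database” are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt parameters (about 16 MiB of memory per hash); tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32
SALT_LEN = 16


def _kdf(password: str, salt: bytes) -> bytes:
    """Memory-hard key derivation; the output, not the password, is what gets stored."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def store_plaintext(db: dict, email: str, password: str) -> None:
    """What the leaked records amounted to: the password itself is the record."""
    db[email] = {"password": password}


def store_hashed(db: dict, email: str, password: str) -> None:
    """Keep only a random per-user salt and the scrypt output; the password is never written."""
    salt = os.urandom(SALT_LEN)
    db[email] = {"salt": salt.hex(), "hash": _kdf(password, salt).hex()}


def verify_hashed(db: dict, email: str, password: str) -> bool:
    """Recompute the derivation and compare in constant time."""
    record = db.get(email)
    if record is None:
        _kdf(password, b"\0" * SALT_LEN)  # spend the same time for unknown users
        return False
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(_kdf(password, salt), bytes.fromhex(record["hash"]))


def passwords_readable_from_dump(db: dict) -> list:
    """Simulate what whoever obtains the database gets: every password stored as plain text.
    Hashed records contribute nothing to this list."""
    return [rec["password"] for rec in db.values() if "password" in rec]


if __name__ == "__main__":
    leaky, hardened = {}, {}
    store_plaintext(leaky, "customer@example.com", "hunter2")      # constructed sample
    store_hashed(hardened, "customer@example.com", "hunter2")
    print("plain-text store leaks:", passwords_readable_from_dump(leaky))
    print("hashed store leaks:", passwords_readable_from_dump(hardened))
    print("login still works:", verify_hashed(hardened, "customer@example.com", "hunter2"))
```

A dump of the hashed store still gives an attacker something to crack offline, which is why the derivation is deliberately slow and memory-hard; a dump of the plain-text store gives them every account immediately, plus every other site where the customer reused the password.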

Stalkerware apps continue to pose a serious threat to privacy and security. Over the past years, several cases have revealed how these apps not only violate victims’ privacy but also expose sensitive data due to poor security practices. Recent leaks revealed that apps like Spyzie, Cocospy, and Spyic exposed millions of victims’ private information, including messages, photos, and locations. The same flaw also exposed the email addresses of more than three million customers. Because the flaw was so easy to exploit, researchers kept the details under wraps to prevent further damage. After the breach, these apps disappeared from the internet, likely to avoid legal consequences rather than to fix their security.

Another case involved Spyhide, where a security researcher uncovered a decade of surveillance on tens of thousands of Android devices. The app’s poorly secured backend let attackers access call logs, messages, and location data from tens of thousands of victims.

The infamous mSpy monitoring app has suffered multiple leaks, with millions of records including personal documents and monitored activity exposed. Even high-profile users were found among its customers. Despite repeated breaches, mSpy’s security remains weak, putting victims at ongoing risk.

These cases highlight a harsh reality: Stalkerware companies put profits before privacy, leaving victims and users vulnerable to further harm. As these apps operate in legal grey areas, it’s important to stay alert about the dangers they bring.

Considering using a monitoring app?

If you are thinking about installing such an app, and you are reading this:

  1. Don’t!
  2. Remember that using an app like this without the person’s permission is illegal in almost every country, unless it’s done with consent of the government itself.
  3. We have never heard of anyone who was able to solve a problem by using stalkerware. Usually resorting to stalkerware only makes it worse.
  4. Consider the consequences of the person finding out what you did. The lack of security and repeated breaches of these apps demonstrate that it is a distinct possibility.
  5. Listen to this podcast.

Malwarebytes, as one of the founding members of the Coalition Against Stalkerware, makes it a priority to detect and remove stalkerware from your device. It is good to keep in mind, however, that by removing the stalkerware you will alert the person spying on you that you know the app is there.

Check your exposure

Unfortunately, breaches are an everyday occurrence. If you want to see how much of your personal data has been exposed online, Malwarebytes has a free tool that you can use to check. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

If you are looking for a way to remove stalkerware from your device, Malwarebytes Premium Security and Malwarebytes Mobile Security can help.

Drug cartel hacked cameras and phones to spy on FBI and identify witnesses

The “El Chapo” Mexican drug cartel snooped on FBI personnel through hacked cameras, and listened in on their phone calls to identify and kill potential witnesses, the US Department of Justice has said. And seven years on, the Bureau’s defenses against this kind of surveillance are still inadequate.

The findings came to light in a June 2025 report from the DoJ’s Inspector General. It identifies a threat that it calls ubiquitous technical surveillance (UTS), in which an attacker combines different kinds of data to build up a detailed profile of a subject, linking that subject to events, locations, and things.

The report highlights several ways in which bad actors can snoop on the FBI:

  • Visual and physical imagery (for example, photographing people)
  • Interception of electronic signals like phone calls
  • Analysis of financial transaction data
  • Checking travel bookings
  • Monitoring their online presence

“Some within the FBI and partner agencies, such as the Central Intelligence Agency (CIA), have described this threat as ‘existential’,” warned the report.

The document details just how damaging this type of surveillance can be. It explains that the Sinaloa drug cartel, operated by infamous drug lord Joaquín “El Chapo” Guzmán, had hired a black hat operator to target the FBI. The criminal offered “a menu of services related to exploiting mobile phones and other electronic devices”, said an informant who told the Bureau about it in 2018.

The black hat spied on people entering and leaving the US Embassy in Mexico City and identified people that the cartel would be interested in. These included the FBI Assistant Legal Attache (ALAT), the report explained. The document continues:

“Using the ALAT’s phone number the hacker was able to see calls made and received, as well as obtain the ALAT’s geolocation data. According to the FBI, in addition to compromising the ALAT’s phone, the hacker also accessed Mexico City’s camera system, used the cameras to follow the ALAT through the city, and identified people the ALAT met with. According to the case agent, the cartel used that information to intimidate and/or kill potential sources or cooperating witnesses.”

Much work still to do

Drug cartels are powerful organizations and it’s a scary thought that they’d be able to infiltrate an institution as hardened as the FBI. But the Bureau must surely have this in hand, right?

Not so fast. The Inspector General had already found some worrying shortcomings in the Bureau’s defenses against UTS, warning the FBI in 2022 that its approach was “disjointed and inconsistent”. The Bureau responded by classifying UTS as a Tier 1 Enterprise Risk that year. It recruited a ‘red team’ of analysts to identify UTS vulnerabilities and suggest mitigating measures, but the gap analysis the team submitted ran to a single page and, per the Inspector General’s report, was not adequate to protect the Bureau: it covered only three of the six expected vulnerability categories.

The red team had been given a prior, far more detailed analysis called ‘Anatomy of a Case’ by the Bureau’s Counterintelligence Division, but didn’t include its findings. The FBI later said that the gap analysis was only an outline and that it is now going back over both documents.

The Bureau has also proposed a strategic plan to handle UTS, but an early outline of that strategy doesn’t identify who has the authority to run it. “We are also concerned that the forthcoming strategy will not adequately create clear lines of authority when the FBI must respond to UTS-related security incidents,” the report said, adding that the plan’s measures “do not provide a sufficiently clear, actionable long-term approach to address the UTS threat.”

Mexican authorities had captured and imprisoned Guzmán before, but he escaped from prison twice. He was recaptured in 2016 and extradited to the US the following year, where he was sentenced to life imprisonment in 2019.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams

Microsoft, DocuSign, Adobe, McAfee, NortonLifeLock, PayPal, and Best Buy’s Geek Squad are being impersonated online through malicious emails that contain fake telephone support numbers and dangerous QR codes that can ensnare victims into phishing scams.

The brands and their products are relied upon for everyday administration, like sending emails, obtaining signatures, viewing documents, receiving payments, and even getting tech help, which emphasizes the threat these phishing campaigns pose to small business owners and their shops.

This latest suite of phishing attacks was observed by researchers at Cisco Talos, who discovered that, between May and June, the most impersonated brands for emails containing PDF attachments, in order, were:

  1. Microsoft
  2. NortonLifeLock
  3. PayPal
  4. DocuSign
  5. Geek Squad

The attacks involve a careful blend of technical evasion and social engineering to arrive in people’s inboxes and to send those people on a dangerous path—online or over the phone—into eventually handing over important login credentials or even downloading malware directly onto their computers.

The emails themselves, according to Talos researchers, often avoid phishing detection because the email bodies are blank. With no text to review, phishing detection engines that rely strictly on text analysis have nothing to inspect.

But the cybercriminals still have to get their lure in front of the target, so they attach PDFs that are structured to render as soon as the email is opened, before the attachment itself is clicked. What the target sees is nearly indistinguishable from a regular email: a convincing company logo, a paragraph or two about an urgent need, and a telephone number, link, or QR code to follow in order to “fix” the issue.

One fraudulent email from “Microsoft” teased a potential raise with more information behind a QR code, another claimed to arrive from “Adobe” containing a file from “Human Resources,” two emails—one from “McAfee,” another from “PayPal”—included fake invoices for hundreds of dollars, and one falsely claimed that a target had a set of downloads to access through “Dropbox.”

As the researchers observed, many of the emails in these phishing campaigns are part of a broader type of attack called “telephone-oriented attack delivery” or, more simply, “callback phishing.” In these attacks, targets are tricked into taking the conversation to an entirely separate medium, the phone, where they can be preyed upon further, the researchers said.

“Victims are instructed to call a specific number in the PDF to resolve an issue or confirm a transaction. Once the victim calls, the attacker poses as a legitimate representative and attempts to manipulate them into disclosing confidential information or installing malicious software on their computer.”

Researchers also discovered emails that contained malicious QR codes that, if scanned by victims, would send them to a separate phishing website. The phishing sites, themselves, also impersonate brands, as researchers found fake login pages for Microsoft and Dropbox.

How to stay safe from phishing

Though the callback phishing scams discovered by cybersecurity researchers involved clever techniques to make sure they reached people’s email inboxes, the rules of phishing detection still apply for everyday businesses. Here are the clear signs of a phishing scam (some of which were present in the callback phishing emails above):

  • The email invokes urgency, fear, or confusion. Scammers trick people into clicking on dangerous links or calling unknown numbers because a bigger (fake) problem needs to be addressed immediately. Slow down before taking action.
  • The email includes an attachment you weren’t expecting. Companies you merely do business with rarely send unsolicited attachments, and a PDF that carries the whole message while the email body is blank is a classic sign of the campaigns above. Don’t open an attachment you weren’t expecting, and don’t trust one from someone you don’t personally know.
  • The email comes from an unknown sender. Even if the email looks like it has arrived from a major company or a known contact, the email address itself can be spoofed—and sometimes through rather lazy attempts, like replacing letters with numbers or adding a period in the address that shouldn’t be there.
  • The email includes a QR code. QR codes can easily hide malicious links. Be wary around any you find inside emails.

It’s important to be able to detect phishing scams on your own, but mistakes happen everywhere, every day. That’s why the best protection requires an active antimalware solution with web protection.

Qantas: Breach affects 6 million people, “significant” amount of data likely taken

Australia’s largest airline Qantas has confirmed that cybercriminals have gained access to a third party customer servicing platform that contained 6 million customer service records.

Qantas says the breach occurred after a cybercriminal targeted a call centre and managed to gain access to the third party platform, presumably via social engineering.

The airline reassured customers by saying all Qantas systems remain secure, and that there would be “no impact to Qantas’ operations or the safety of the airline.” However, Qantas anticipates that a large amount of data has been taken:

“We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant.”

An initial review has confirmed the data includes:

  • Customers’ names
  • Email addresses
  • Phone numbers
  • Birth dates
  • Frequent flyer numbers

Fortunately, credit card details, personal financial information and passport details were not held in the breached system.

The airline responded quickly by isolating the affected system, notifying customers, and working with the Australian Cyber Security Centre, the Australian Federal Police, and independent cybersecurity experts.

The breach at a third party provider is extra painful since Qantas concluded an uplift of third and fourth-party cyber-risk governance processes in 2024. In a report released at the time, the airline explained:

“Third- and fourth-party cyber risk involves managing cyber risks from our direct suppliers (third parties) and their suppliers (fourth parties), who can affect our supply chain directly or indirectly through cyber incidents.”

No group has claimed responsibility for the cyberattack yet, which is not unusual early on in a ransomware or extortion case. But it’s notable that this weekend the FBI put out a warning on social media about ransomware attacks targeting airlines.

FBI warning on social media

“The FBI has recently observed the cybercriminal group Scattered Spider expanding its targeting to include the airline sector. These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access. These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts. They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.

Once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware. The FBI is actively working with aviation and industry partners to address this activity and assist victims. Early reporting allows the FBI to engage promptly, share intelligence across the industry, and prevent further compromise. If you suspect your organization has been targeted, please contact your local FBI office.”
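The help-desk pattern the FBI describes leaves a trace in identity-provider audit logs: a password reset performed by a help-desk agent, followed shortly by a new MFA device appearing on the same account, often from a network the user has never signed in from. The following is an added detection example written for this page, not FBI or Qantas code. The log lines are constructed, the event and field names are an assumption (map them to your IdP’s audit schema), and the 60-minute window is a tuning choice.

```python
import json
from datetime import datetime, timedelta

# Assumed detection window between a help-desk reset and a new MFA device.
WINDOW = timedelta(minutes=60)

# Constructed identity-provider audit log (JSON lines); field names are assumed.
SAMPLE_LOG = """\
{"ts":"2025-06-28T09:02:11Z","event":"user.signin","user":"jdoe","ip":"203.0.113.10"}
{"ts":"2025-06-28T13:40:02Z","event":"helpdesk.password_reset","user":"jdoe","actor":"helpdesk-agent-7","ip":"198.51.100.5"}
{"ts":"2025-06-28T13:47:30Z","event":"mfa.device.enrolled","user":"jdoe","ip":"192.0.2.77","device":"Authenticator (new phone)"}
{"ts":"2025-06-28T14:01:00Z","event":"user.signin","user":"jdoe","ip":"192.0.2.77"}
{"ts":"2025-06-28T15:10:00Z","event":"helpdesk.password_reset","user":"asmith","actor":"helpdesk-agent-2","ip":"198.51.100.5"}
{"ts":"2025-06-29T09:15:00Z","event":"mfa.device.enrolled","user":"asmith","ip":"203.0.113.44","device":"Authenticator"}
"""


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts with real timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_reset_then_enroll(events: list, window: timedelta = WINDOW) -> list:
    """Flag MFA enrollments that follow a help-desk password reset within `window`.
    Severity is raised when the enrollment comes from an IP the user has never
    signed in from before that moment."""
    known_ips = {}    # user -> IPs seen in sign-ins so far
    last_reset = {}   # user -> most recent help-desk reset event
    alerts = []
    for e in events:
        user = e["user"]
        if e["event"] == "user.signin":
            known_ips.setdefault(user, set()).add(e["ip"])
        elif e["event"] == "helpdesk.password_reset":
            last_reset[user] = e
        elif e["event"] == "mfa.device.enrolled":
            reset = last_reset.get(user)
            if reset is None or e["ts"] - reset["ts"] > window:
                continue
            new_ip = e["ip"] not in known_ips.get(user, set())
            alerts.append({
                "user": user,
                "reset_by": reset["actor"],
                "minutes_after_reset": int((e["ts"] - reset["ts"]).total_seconds() // 60),
                "enrolled_from_new_ip": new_ip,
                "device": e["device"],
                "severity": "high" if new_ip else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_then_enroll(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

In the sample, jdoe’s reset is followed seven minutes later by a new authenticator registered from an address the account had never used, which is the case to page on; asmith’s enrollment the next morning falls outside the window and is left for normal review. The alert carries the help-desk agent’s identity so the responder can confirm with the agent how the caller was verified.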

Qantas has set up a dedicated customer support line as well as a web page to provide the latest information to customers. Qantas says it will also continue to update customers via its social channels.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Update your Chrome to fix new actively exploited zero-day vulnerability

Google has released an update for its Chrome browser to patch an actively exploited flaw.

This update is crucial because the vulnerability is already being exploited and can be triggered simply by visiting a malicious website. No further user interaction is needed, so the user doesn’t have to click on anything for their system to be compromised.

The update brings the Stable channel to 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for Mac and 138.0.7204.96 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click the more menu (three stacked dots), then choose Settings > About Chrome. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch Chrome for the update to complete, and for you to be protected from the vulnerability.


You can find more elaborate update instructions and the version number information in our article on how to update Chrome on every operating system.
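For anyone checking more than one machine, the version strings above can be compared programmatically. The following is an added example written for this page, not Google code: it parses the output of `google-chrome --version` (or the text of chrome://version) and compares it against the first fixed Stable build for each platform named in the release note. The binary names it probes are an assumption, and the sample version strings are constructed.

```python
import re
import shutil
import subprocess
from typing import Optional

# First Stable builds carrying the fix, per the release note quoted in the text.
FIXED_BUILDS = {
    "windows": (138, 0, 7204, 96),
    "mac": (138, 0, 7204, 92),
    "linux": (138, 0, 7204, 96),
}


def parse_version(text: str) -> tuple:
    """Extract a four-part Chrome version from '--version' output or chrome://version text."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(text: str, platform: str) -> bool:
    """Compare as integer tuples; a string compare would rank 138.0.7204.100 below .96."""
    return parse_version(text) >= FIXED_BUILDS[platform]


def installed_chrome_version() -> Optional[str]:
    """Linux/macOS helper: ask the first Chrome-family binary on PATH for its version.
    Returns None if none is installed. The binary names are an assumption."""
    for name in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            return subprocess.run([path, "--version"], capture_output=True, text=True).stdout.strip()
    return None


if __name__ == "__main__":
    for sample, platform in (("Google Chrome 138.0.7204.96", "linux"),      # constructed
                             ("Google Chrome 138.0.7204.92", "windows")):   # constructed
        print(sample, platform, "patched" if is_patched(sample, platform) else "UPDATE NEEDED")
    found = installed_chrome_version()
    if found:
        print("installed:", found, "->", "patched" if is_patched(found, "linux") else "UPDATE NEEDED")
```

Note that the Mac build numbers are lower than the Windows and Linux ones, so the platform must be passed explicitly; a single “is it at least .96” rule would wrongly flag a fully patched Mac.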

Technical details on the vulnerability

The vulnerability, tracked as CVE-2025-6554, is a type confusion in V8 in Google Chrome that, prior to 138.0.7204.96, could have allowed a remote attacker to perform arbitrary read/write via a crafted HTML page.

A type confusion bug happens when code fails to verify the type of an object it receives and then operates on it as if it were a different type. In this case the bug is in V8, Google’s open-source JavaScript and WebAssembly engine, which runs the script on every page Chrome loads, so a malicious page can reach it directly.

Once the engine treats a piece of data as the wrong type, an attacker can manipulate memory in unintended ways, performing unauthorized read and write operations in the browser’s memory. That primitive is typically the first link in a chain that ends in code execution.

Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on June 25, 2025. TAG focuses on spyware vendors and nation-state attackers who abuse zero-days for espionage purposes.


We don’t just report on browser vulnerabilities, Malwarebytes’ Browser Guard protects your browser against malicious websites and credit card skimmers, blocks unwanted ads, and warns you about relevant data breaches and scams.

Bluetooth vulnerability in audio devices can be exploited to spy on users

Researchers have found vulnerabilities in 29 Bluetooth devices like speakers, earbuds, headphones, and wireless microphones from reputable companies including Sony, Bose, and JBL. The vulnerabilities could be exploited to spy on users, and even steal information from the device.

The researchers who discovered the Bluetooth vulnerabilities are from ERNW (Enno Rey Netzwerke GmbH), a well-established independent IT security firm based in Heidelberg, Germany. During their research into headphones and earbuds, they identified several vulnerabilities in devices built on Airoha systems-on-a-chip (SoCs). Airoha is a large supplier in the Bluetooth audio space, especially for True Wireless Stereo (TWS) earbuds.

They found three vulnerabilities that let an attacker interfere with the connection between the mobile phone and an audio Bluetooth device, and then issue commands to the phone. Using these vulnerabilities, the researchers were able to initiate a call and eavesdrop on conversations or sounds within earshot of the phone.

What an attacker could do with a vulnerable device depends largely on what the paired phone lets the audio device do. All major platforms allow a headset to at least initiate and receive calls, but under some circumstances an attacker could also retrieve the call history and contacts.

The researchers note that although these attack scenarios are serious, they also require a skilled attacker who is within range. The attacker would have to be close to the target, since Bluetooth vulnerabilities are inherently limited to short ranges due to the technology’s design for low-power, personal area networking. The typical effective range for most consumer Bluetooth devices is about 10 meters (33 feet) under ideal conditions, as the signals weaken significantly with distance and physical obstacles.

To perform inconspicuous eavesdropping, the listening device must be turned on but not in active use. Because these devices can only handle one Bluetooth connection at a time, the legitimate connection would be dropped if an attacker connects, which the user would likely notice.

Vulnerable Bluetooth devices

The following devices were confirmed to be vulnerable:

  • Beyerdynamic Amiron 300
  • Bose QuietComfort Earbuds
  • EarisMax Bluetooth Auracast Sender
  • Jabra Elite 8 Active
  • JBL Endurance Race 2
  • JBL Live Buds 3
  • Jlab Epic Air Sport ANC
  • Marshall ACTON III
  • Marshall MAJOR V
  • Marshall MINOR IV
  • Marshall MOTIF II
  • Marshall STANMORE III
  • Marshall WOBURN III
  • MoerLabs EchoBeatz
  • Sony CH-720N
  • Sony Link Buds S
  • Sony ULT Wear
  • Sony WF-1000XM3
  • Sony WF-1000XM4
  • Sony WF-1000XM5
  • Sony WF-C500
  • Sony WF-C510-GFP
  • Sony WH-1000XM4
  • Sony WH-1000XM5
  • Sony WH-1000XM6
  • Sony WH-CH520
  • Sony WH-XB910N
  • Sony WI-C100
  • Teufel Tatws2

If you own one of these devices, keep an eye out for firmware updates from the manufacturer. If your connection drops while using one of the above Bluetooth devices, restart the device; it should automatically reconnect to your phone/system.


Facebook wants to look at your entire camera roll for “AI restyling” suggestions, and more

Facebook’s pursuit of your personal data continues apace, and now it has a new target: photos on your phone that you haven’t shared with it yet.

Techcrunch reports that the social media giant is now asking users for permission to peek at the photos on their phones’ camera rolls. In return it promises them new ideas for what to do with those photos.

In a pop-up message seen by some of the site’s users, Facebook asks users to “allow cloud processing” of the photos in their camera roll. “To create ideas for you, we’ll select media from your camera roll and upload it to our cloud on an ongoing basis, based on info like time, location or theme,” the message says.

Facebook permissions, image courtesy of Techcrunch

The site will then offer things like collages, recaps, AI restyling or themes like birthdays or graduations, it continues, adding that Facebook won’t use the photos to target you for ads.

But what else might Meta do with those photos? Its AI terms of service allow it to analyze the images you load using AI, “including facial features”.

Incidentally, you can’t share any images with Meta that contain images of people in Illinois or Texas unless you’re legally authorized to consent on their behalf, it warns. That’s likely because both those states have strict laws around the use of biometric data, including facial recognition, in photos. We’re not sure how that works, then, if you grant the company unfettered access to your camera roll which includes photos of your trip to Chicago or Austin to visit friends and family.

Another question is over whether the company will scan children’s images. If you have an aversion to sharing your kids’ photos on Facebook, this could be a real issue.

We can extend this into even more worrying areas. What if you have photos of your kids in the bath that you don’t want an AI to train on? Or if you have intimate photos of yourself or a partner on your phone?

Facebook reserves the right to subject any content to “automated or manual (i.e. human) review and through third-party vendors in some instances”. There’s nothing in Meta’s messaging that seems to stop it from subjecting your camera roll photos to this.

Facebook has made camera roll cloud processing an opt-in service, meaning that you must deliberately select it for the app to start scanning your camera roll. However, this wasn’t enough for at least one Reddit commenter, who warned that you can’t control your photos once you share them with others.

“So although I always uninstall Facebook and Instagram, if I share a photo of me with my family, Meta will still get to analyze it, because at least one of them will still have those apps installed,” they said. In general, reactions to the story seem negative.

Facebook isn’t the only company that allows you to automatically upload your photos to the cloud. Apple offers this as part of its tightly integrated photos service, and has been producing montages and other assets from its users’ photos for a long time.

Apple says that it only uses AI to analyze your photos on your local device, and that while it stores them in the cloud it doesn’t access them there. However, it also says that it has “a worldwide, royalty-free, perpetual, nonexclusive license to use the materials you submit within the Services and related marketing as well as to use the materials you submit for Apple internal purposes.” Those services include iCloud+, the paid tier of iCloud, which is the cloud service that stores your photos.

Google, which also allows you to automatically upload photos to its service, says that you own your photos but retains the right to modify and create derivative works on your content, and to share it with contractors.

Google’s past relationship with photo users has been problematic. It once deleted a dad’s account after he took an image of his son’s groin to send to a doctor and it was automatically uploaded to the cloud, where Google’s scanning flagged it as child sexual abuse material. Law enforcement cleared him, but Google refused to reinstate his account.

Our advice? If you’re going to allow a service to automatically analyze the photos you take, be sure that you completely trust that service. Check whether it has been accused of mishandling users’ data in the past, as Meta repeatedly has.

That’s not enough, though. Be careful who else you share your photos with, and under what circumstances. If you do share them, do so only with those you trust. Include a caveat to ensure that they know how you’re comfortable with them using those photos, and what you’re not OK with them doing.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

Corpse-eating selfies, and other ways to trick scammers (Lock and Code S06E14)

This week on the Lock and Code podcast…

There’s a unique counter response to romance scammers.

Her name is Becky Holmes.

Holmes, an expert and author on romance scams, has spent years responding to nearly every romance scammer who lands a message in her inbox. She told one scammer pretending to be Brad Pitt that she needed immediate help hiding the body of one of her murder victims. She made one romance scammer laugh at her immediate willingness to take an international flight to see him. She has told scammers she lives at addresses with lewd street names, she has sent pictures of apples (the fruit) to scammers requesting Apple gift cards, and she has even convinced a scammer impersonating Mark Wahlberg that she might be experimenting with cannibalism.

Though Holmes routinely gets a laugh online, she’s also coordinated with law enforcement to get several romance scammers shut down. And every effort counts, as romance scams are still a dangerous threat to everyday people.

Rather than tricking a person into donating to a bogus charity, or fooling someone into entering their username and password on a fake website, romance scammers ensnare their targets through prolonged campaigns of affection.

They reach out on social media platforms like Facebook, LinkedIn, X, or Instagram and they bear a simple message: They love you. They know you’re a stranger, but they sense a connection, and after all, they just want to talk.

A romance scammer’s advances can be appealing for two reasons. One, some romance scammers target divorcees and widows, making their romantic gestures welcome and comforting. Two, some romance scammers dress up their messages with the allure of celebrity by impersonating famous actors and musicians like Tom Cruise, Brad Pitt, and Keanu Reeves.

These scams are effective, too, to sometimes devastating consequences. According to recent research from Malwarebytes, 10% of the public have been the victims of romance scams, and a small portion of romance scam victims have lost $10,000 or more.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Holmes about her experiences online with romance scammers, whether AI is changing online fraud, and why the rules for protection and scam identification have changed in an increasingly advanced, technological world.

“I’ve seen videos of scammers actually making these real life video manipulation calls where you’ve got some guy sitting one side of the world pretending to be somewhere else completely, and he’s talking into his phone and it’s coming out on the other person’s phone as a different image with a different voice.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Android threats rise sharply, with mobile malware jumping by 151% since start of year

The Android threat landscape in the first half of 2025 has entered a new phase, an era marked not just by volume but by coordination and precision. Attackers are no longer simply throwing malware at users and hoping for results. They’re building ecosystems.

Recent Malwarebytes threat research data reveals a sharp rise in mobile threats across the board, with malware targeting Android devices up 151%.

We’ve seen a 147% increase in spyware, a broad category of apps that collect user data without consent, with a notable spike in February and March. In fact, the February/March levels are nearly four times the baseline.

Perhaps even more alarming is a 692% spike in SMS-based malware between April and May, a jump that we can’t just chalk up to coincidence. It could be due to seasonal scams like those we always see around tax season, which hit consumers hard this year, or widespread campaigns like toll fee scams, which also come in surges.

These numbers reflect a shift in strategy: Attackers are scaling operations, fine-tuning delivery, and exploiting both human psychology and systemic weak points. Take Spyloan, for example, a threat that lures targets with incredible loan conditions (low rates, no pre-check) but ends up stealing from desperate people. We saw a significant spike in this predatory app in May, which could well signal a resurgence for the summer. We’ll continue to monitor this uptick.

Banking Trojans and spyware are now outpacing more traditional nuisances like adware and riskware, and what’s changed is the level of sophistication. Threat actors are actively distributing malware through both official and unofficial app channels, often cloaking malicious apps behind layers of legitimacy.

Fake financial tools, predatory loan apps, and cleverly disguised “updates” aren’t just slipping through the cracks; they are being engineered with that objective in mind. Peaks in their activity often coincide with periods of personal stress, like tax season or holiday travel, suggesting a methodical approach to targeting.

As Sr. Director, Research and Development, Online Platforms at Malwarebytes, Shahak Shalev explains:

Attackers know we trust our mobile devices implicitly—we bank on them, authenticate with them, store our entire digital lives on them. Now attackers are amping up the volume and sophistication of mobile threats. When spyware jumps 147% in five months, that tells us attackers are moving beyond simple scams to building sustainable criminal enterprises. They’re playing the long game now — developing monetization strategies for every type of data they can harvest; every user behavior they can exploit. The February spike shows this isn’t random, it’s methodical business development in the cybercrime space.

Smishing (SMS phishing) has quickly become one of the most effective tools in the attacker’s playbook. Using AI-generated text and increasingly well-crafted lures, these campaigns are harder to spot than ever. And while smishing is rising fast, it’s not alone. We’re also seeing a growing number of PDF phishing attacks, where malicious documents act as entry points for broader compromise.

But perhaps the most systemic issue is lack of updates, with over 30% of Android devices remaining stuck on outdated operating systems. These devices are sitting ducks, because they are unable to receive critical security patches, yet are still being actively used. Combine this with counterfeit or gray-market devices that come preloaded with malware, and you’ve got a recipe for widespread exposure.

What we’re seeing isn’t a collection of one-off scams. It’s infrastructure. The Android threat landscape has matured into a network of monetization schemes that thrive on scale, persistence, and user trust. Attackers aren’t just after quick wins—they’re building operations that last.

The takeaway? Mobile security can’t be an afterthought. Individuals and organizations alike need to treat Android threats with the same seriousness as traditional desktop attacks. That means prioritizing device hygiene, avoiding sideloaded apps (where you download an app not from the Google Play store), staying current with patches where possible, and educating users about the social engineering tactics that increasingly underpin these attacks.

How to protect your Android device

Google Play Protect is a built-in Android security feature that automatically protects users against apps that engage in malicious behavior. That’s great, but we still see malware campaigns that are spread, partially or as a whole, through the Google Play Store.

To keep your devices free from Android malware:

  • Get your apps from the Google Play Store whenever you can.
  • Be careful about the permissions you grant a new app. Does it really need those permissions for what it’s supposed to do? Permissions like “Display over other apps” should particularly raise a red flag, because they can be used to intercept login credentials.
  • Allow notifications as sparingly as possible. Dubious ad sites often request permission to display notifications. Allowing this will increase the number of ads, as they push them to the device’s notification bar.
  • Use up-to-date and active security software on your Android device.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

AT&T to pay compensation to data breach victims. Here’s how to check if you were affected

AT&T is set to pay $177 million to customers affected by two significant data breaches. These breaches exposed sensitive personal information of millions of current and former AT&T customers.

For those that have missed the story so far:

  • Back in 2021, an entity named Shiny Hunters (a known hacking group) claimed to have breached AT&T. Later reports indicated this breach started in 2019. AT&T denied that the data came from its systems.
  • Then in March 2024, the data of over 70 million people was posted for sale on an online cybercrime forum. The seller claimed the data came from the Shiny Hunters breach. AT&T again denied the data came from its systems.
  • On March 30, 2024, AT&T reset customer passcodes after a security researcher discovered the encrypted login passcodes found in the leaked data were easy to decipher.
  • Finally, on April 2, 2024, AT&T confirmed that 73 million current and former customers had been caught up in the data leak.
  • A later breach, revealed in July 2024, involved a hack of AT&T’s cloud storage provider, Snowflake, compromising call and text records from 2022 for nearly 109 million US customers. Although no names were linked to this data, the breach was severe enough to lead to arrests.

Following these incidents, AT&T faced multiple class action lawsuits alleging inadequate protection of customer data. Now, a US District Judge has granted preliminary approval to a settlement resolving these lawsuits. This settlement offers an opportunity for affected customers to receive compensation for the harm caused by these breaches.

Who qualifies for compensation?

  • Any current or former AT&T customer whose data was accessed in either breach is eligible.
  • Priority and larger payments will go to those who can document damages directly caused by the breaches.
  • Maximum payouts are up to $5,000 for the 2019 breach and $2,500 for the 2024 breach.
  • Any remaining funds will be distributed to others affected, even without proof of damages.

The projected timeline for the claims process looks like this:

  • Notices to eligible claimants will be sent by August 4, 2025.
  • The deadline to submit claims is November 18, 2025.
  • Payments are expected to begin in early 2026, pending final court approval scheduled for December 3, 2025.

Check if your data was exposed

To find out how to claim, watch for official notifications from AT&T or check the settlement website once it launches.

You can use Malwarebytes’ easy, free tool—the Malwarebytes Digital Footprint Portal—to check if your data was exposed in the AT&T breach. Simply enter your email address in the portal and follow the prompts on the screen.

When you get your results, you’ll see a pink bubble with the words “Exposed on AT&T” if your information was affected in the breach. If you see a green bubble, your data was not exposed.

(Image: possible results)

We will keep you posted of any new developments in this case. Stay tuned!


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.