IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Adult sites trick users into Liking Facebook posts using a clickjack Trojan

As the use of age verification to access adult websites increases in various countries around the world, shady websites with adult content have started a timely malware-fueled campaign to promote links to their own websites.

During our daily rounds on Facebook, looking for the latest scams, we noticed something odd about some posts pointing to adult websites. We found that several of the sites promoted in this way were hosted on blogspot[.]com, and that these sites linked to other similar sites.

Here’s one example:

Example of blogspot page

Most of these sites promise the visitor explicit pictures of celebrities, most of which will undoubtedly turn out to be generated by Artificial Intelligence (AI).

This in itself is not uncommon. However, what did stand out was that a few of the Facebook posts had a lot of Likes. Most people don’t like that type of content on Facebook since everyone can see who the Likes are from.

201 likes and loves

A high number of Likes for a post is great for the accounts posting these links, because when a Facebook profile or post gets more Likes it is more likely to show up in people’s feeds, which is basically more advertising for the same money.

So, how do the posts get these Likes?

It turns out the criminals use a Trojan to promote their posts and profiles. When clicking through links displayed on the adult sites, some (selected) visitors will download a Scalable Vector Graphics (SVG) image file. So, while surfing from one of these sites to the next, the download is sometimes, but not always, triggered.

Now, the cybercriminals are banking on the fact that SVG is not a filetype that will set off an alarm for most people, given that most people see it as an image file. But SVG files are not always simply image files. They are written in XML, which allows them to contain HTML and JavaScript code, and that means the cybercriminals can use them to get up to no good.

Here is the one provided by the adult sites:

The code in the SVG file

Despite the heavy obfuscation of the second part of the script, for anyone able to read the code it is pretty clear this file is up to no good. In fact, it downloads another malicious JavaScript file, but it was hard to figure out which one.

Because the code in the SVG file uses a technique called “hybrid JSFuck” (how fitting) to hide its intentions, we immediately assumed that it was malicious. From the easier-to-read parts of the script we can deduce that it downloads and executes a malicious script from the domain crhammerstein[.]de, which was blocked by Malwarebytes.

Malwarebytes blocks flan.hammerstein[.]de

JSFuck is a form of obfuscation that encodes JavaScript using only six characters: “[ ] ( ) ! +”. There are several online deobfuscators available for pure JSFuck, but the criminals used a hybrid method that adds String.fromCharCode elements, which is not as easy to unravel.

Opening the SVG file opens an empty Edge tab titled Process Monitor. This happens because SVG files on Windows are opened by Edge, even if the user has another browser set as their default.

Process Monitor tab

In the end we managed to figure out that the downloaded script was another JavaScript file, detected as Trojan.JS.Likejack. This Trojan, also written in JavaScript, silently clicks a ‘Like’ button for a Facebook page without the user’s knowledge or consent; in this case, the adult posts we found above. The user has to be logged in to Facebook for this to work, but we know many people keep Facebook open for easy access.
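The traits described above (a script element inside an XML image, String.fromCharCode, and a body made largely of JSFuck’s six characters) can be checked statically, without rendering the file. The following is an added example, not the campaign’s file or Malwarebytes’ code; the two SVG samples are constructed and inert, and the 0.5 ratio threshold is an arbitrary choice for this illustration.

```python
"""Static triage of an SVG file for embedded active content.

Added example, not code from the campaign or from Malwarebytes: it flags the
traits the article describes (script inside an XML image, String.fromCharCode,
a high share of JSFuck's six characters) without executing anything."""
import xml.etree.ElementTree as ET

# The full alphabet of pure JSFuck.
JSFUCK_CHARS = set("[]()!+")


def _local(name):
    """Strip an XML namespace prefix such as {http://www.w3.org/2000/svg}."""
    return name.rsplit("}", 1)[-1]


def jsfuck_ratio(script):
    """Share of non-whitespace characters drawn from the JSFuck alphabet (0..1)."""
    body = "".join(script.split())
    if not body:
        return 0.0
    return sum(ch in JSFUCK_CHARS for ch in body) / len(body)


def scan_svg(svg_text):
    """Parse one SVG document and return a dict of findings plus a verdict."""
    findings = {"script_tags": 0, "event_handlers": [], "foreign_objects": 0,
                "javascript_urls": 0, "from_char_code": False,
                "jsfuck_ratio": 0.0, "verdict": "clean"}
    scripts = []
    for el in ET.fromstring(svg_text).iter():
        tag = _local(el.tag)
        if tag == "script":
            findings["script_tags"] += 1
            scripts.append(el.text or "")
        elif tag == "foreignObject":      # lets an SVG embed arbitrary HTML
            findings["foreign_objects"] += 1
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):     # onload=, onclick=, ...
                findings["event_handlers"].append(name)
                scripts.append(value)
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings["javascript_urls"] += 1
                scripts.append(value)
    findings["from_char_code"] = any("String.fromCharCode" in s for s in scripts)
    findings["jsfuck_ratio"] = round(max((jsfuck_ratio(s) for s in scripts), default=0.0), 2)
    active = (findings["script_tags"] or findings["event_handlers"]
              or findings["foreign_objects"] or findings["javascript_urls"])
    # Threshold 0.5 is an arbitrary choice for this example.
    if active and findings["from_char_code"] and findings["jsfuck_ratio"] >= 0.5:
        findings["verdict"] = "obfuscated-script"   # the hybrid-JSFuck pattern
    elif active:
        findings["verdict"] = "active-content"      # script present, not obfuscated
    return findings


# Constructed samples (inert; not the campaign's file).
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<rect width="10" height="10" fill="red"/></svg>')

SUSPECT_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <script><![CDATA[
    var c = String.fromCharCode(104, 105);
    var x = (![]+[])[+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]];
  ]]></script>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, scan_svg(doc))
```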

Once we knew how this campaign worked, we found a huge number of blogspot[.]com pages involved in this campaign:

part of a list of blogspot pages involved in this campaign

Conclusion

Now that governments are imposing age verification upon adult sites that play by the rules, they are driving those interested in that type of content into the arms of those that don’t care about the rules, even to the extent that they are willing to deploy Trojans to get visitors to their sites.

An alternative is that those trying to access content use a VPN to visit the sites from locations that don’t impose these restrictions. Given those options we would obviously recommend using a VPN.

To be protected against this type of campaign, it’s worth considering real-time malware protection. Malwarebytes blocks the domains associated with this campaign.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Facebook users targeted in ‘login’ phish

A few weeks ago we warned our readers of a phishing campaign targeting Instagram users that didn’t resort to the usual links to phishing websites, but used mailto: links instead. Now, it seems that these scammers have turned their attention to Facebook users.

It works like this: the target receives an email saying that their Facebook account was logged into from a new device, even though the subject line says “We’ve Received a request to Reset your password for Facebook Account !”

email header
new device login

“A user just logged into your Facebook account from a new device iPhone 14 PRO Max. We are sending you this email to verify it’s really you.”

All the links you see in the email: “Report the user”, “Yes, me”, “unsubscribe”, and even the obfuscated email address at the bottom, do exactly the same thing.

They open your default email program with a pre-addressed message with a subject line that matches the button/text you clicked on.

The email addresses these messages will be sent to are the same as the ones we saw with the Instagram phish:

  • prestige@vacasa[.]uk.com (typosquat of vacasa.com vacation rentals)
  • ministry@syntec[.]uk.com (typosquat of syntechnologies.co.uk hardware provider)
  • technique@pdftools[.]com.de (typosquat of pdf-tools.com software provider)
  • service@boss[.]eu.com (several possibilities)
  • threaten@famy[.]in.net (science news site, possibly compromised)
  • difficulty@blackdiamond[.]com.se (known malicious domain)
  • anticipation@salomonshoes[.]us.com (typosquat of salomon.com running shoes)

This is kind of surprising since we found last time that several of the addresses were unresponsive.

undeliverable

The unusual Top-Level Domains (TLDs) like uk.com, com.de, eu.com, com.se, and us.com are actually second-level domain extensions operated by private entities, not official country-code top-level domains.

Though these domain extensions themselves are legitimate registration services, their openness and global accessibility mean they can be misused by phishers and other cybercriminals to make their domains look more legitimate or country-specific than generic .com domains. They may also be used to typosquat legitimate domains.
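The two signals described above, buttons that are all mailto: links to one mailbox and a recipient domain sitting under a private second-level registry, can be checked mechanically on the message body. This is an added example, not Malwarebytes’ code: the two sample emails and the address report@brandshoes.us.com are constructed, the registry list is the one the article names, and treating only facebook.com and meta.com as legitimate is a simplifying assumption.

```python
"""Triage of an HTML email whose buttons are mailto: links.

Added example, not Malwarebytes' code.  The two sample emails and the address
report@brandshoes.us.com are constructed; the private second-level registries
are the ones the article names."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Private second-level registries the article names (not government-run ccTLDs).
PRIVATE_SLD_REGISTRIES = {"uk.com", "com.de", "eu.com", "com.se", "us.com"}
# Simplifying assumption of this example: only these domains count as Facebook/Meta.
EXPECTED_DOMAINS = ("facebook.com", "meta.com")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registry_suffix(domain):
    """Last two labels of a three-or-more-label domain: 'brandshoes.us.com' -> 'us.com'."""
    labels = domain.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 3 else ""


def triage_email(html, expected_domains=EXPECTED_DOMAINS):
    """Return the mailto: targets found and the reasons the message looks like a phish."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    mailto, web = [], []
    for href, text in collector.links:
        url = urlparse(href.strip())
        if url.scheme.lower() == "mailto":
            # mailto:user@host?subject=... -> path is the address, query holds the subject
            mailto.append({"text": text, "address": unquote(url.path).lower(),
                           "subject": parse_qs(url.query).get("subject", [""])[0]})
        else:
            web.append(href)
    addresses = {m["address"] for m in mailto}
    domains = {a.rsplit("@", 1)[-1] for a in addresses}
    reasons = []
    if mailto and not web:
        reasons.append("every link in the message is a mailto: link")
    if len(mailto) > 1 and len(addresses) == 1:
        reasons.append("all buttons mail the same address: " + next(iter(addresses)))
    off_brand = sorted(d for d in domains
                       if not any(d == e or d.endswith("." + e) for e in expected_domains))
    if off_brand:
        reasons.append("recipient domain is not Facebook/Meta: " + ", ".join(off_brand))
    private = sorted(d for d in domains if registry_suffix(d) in PRIVATE_SLD_REGISTRIES)
    if private:
        reasons.append("recipient uses a private second-level registry: " + ", ".join(private))
    return {"mailto_links": mailto, "recipient_domains": sorted(domains), "reasons": reasons,
            "verdict": "suspicious" if len(reasons) >= 2 else "no strong signal"}


# Constructed sample: the three buttons the article lists, all mailto: to one mailbox.
PHISH_HTML = """\
<p>A user just logged into your Facebook account from a new device iPhone 14 PRO Max.</p>
<a href="mailto:report@brandshoes.us.com?subject=Report%20the%20user">Report the user</a>
<a href="mailto:report@brandshoes.us.com?subject=Yes%2C%20me">Yes, me</a>
<a href="mailto:report@brandshoes.us.com?subject=unsubscribe">unsubscribe</a>
"""
# Constructed benign sample: an ordinary web link on the brand's own domain.
BENIGN_HTML = """\
<p>Review your recent logins.</p>
<a href="https://www.facebook.com/">Open Facebook</a>
"""

if __name__ == "__main__":
    for label, html in (("phish", PHISH_HTML), ("benign", BENIGN_HTML)):
        print(label, triage_email(html)["verdict"])
```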

How to avoid Facebook phishing

Since we can expect to see more phishing campaigns that use mailto: links, here are some tips to avoid falling victim to such a scam.

  • As with regular links, scrutinize the destination of an email link. Even if the domain looks legitimate, your Facebook account isn’t secured by a shoe maker or vacation provider, or someone using a gmail address. The email address should be one that belongs to Facebook or Meta.
  • Remember that legitimate companies will not ask you to mail them your account details, credentials, or other sensitive information.
  • If there’s an urgency to respond to an email, take a pause before you do. This is a classic scammer trick to get you to act before you can think.
  • Don’t reply if the warning looks suspicious in any way. Sending an email will tell the phishers that your email address is active, and it will be targeted even more.
  • Do an online search about the email you received, in case others are posting about similar scams.
  • Use Malwarebytes Scam Guard to assess the message. It will tell you whether it’s a scam, or give you tips on how to find out if it isn’t sure.


TeaOnHer, the male version of Tea, is leaking personal information on its users too

Last week we reported about some serious leaks in Tea Dating Advice, an app that provides a space for women to exchange information about men they know, have met, or have dated in the past.

The app aims to provide a platform where people can share relevant information about, say, potentially abusive partners. However, it leaked images and private messages, leading to 10 potential class action lawsuits in federal and state courts for negligent data practices.

Now it has been revealed that the male equivalent, TeaOnHer, has exposed users’ personal information as well, including government IDs and selfies.

TeaOnHer, which ranks high in the Lifestyle apps category for iOS, allows men to share photos and information about women they have dated. It appears to have been designed with a sense of vengeance against the Tea Dating Advice app: It uses similar language in the App Store description, and as it turns out, it’s just as leaky.

TechCrunch reports it found at least one vulnerability that allows any user access to other users’ email addresses, driver’s licenses, self-reported location, and selfies. Perhaps most distressingly, the news outlet also discovered that guest users could view explicit images of women, likely shared without consent.

TechCrunch also found an email address and password of the app’s creator. Although it did not test that hypothesis for legal reasons, it seems likely that those credentials might provide access to the app’s administrator panel.

It is disappointing that apps made for sharing private information and ranked so high in the App Store apparently have such a poor security standard.

TeaOnHer’s creator did not respond to emails from TechCrunch asking where to report the flaws, so TechCrunch only shared the fact that the flaws exist without going into much detail. This is commendable given the sensitivity of the shared data.

Protecting yourself after a data breach

While there are no indications that anyone else has accessed this data, it is an option we can’t ignore. There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

How Google, Adidas, and more were breached in a Salesforce scam

At the heart of multiple data breaches against sophisticated and robust companies, including Google, Adidas, Louis Vuitton, and Chanel, was a rudimentary attack method that required little technical finesse—making a phone call.

By disguising themselves as IT support personnel on the phone, hackers belonging to the group “ShinyHunters” successfully tricked the employees at several multinational corporations into handing over the data within their own Salesforce platforms. The attacks underscore the vulnerability that all businesses face—large or small—in preventing cyberattacks that begin through basic social engineering scams.

In a bizarre twist of irony, security researchers at Google Threat Intelligence Group (GITG) originally uncovered the hacking campaign in June, only to announce that Google itself had been hit by the very same tactic this week. Other victims in the hacking campaign include Allianz Life, the airline Qantas, and the jeweler Pandora.

The data breaches all leverage a Salesforce feature that allows users to connect to various, external apps. This functionality allows business owners and employees to, for instance, connect their Salesforce data to mapping tools to visualize the locations of a customer base, or to connect their Salesforce data with a newsletter platform to deliver email marketing campaigns to specific customer segments.  

In the attacks, the hackers trick employees into connecting to a fraudulent version of Salesforce’s “Data Loader” app, which lets users import, export, update, and delete large quantities of data that are stored or managed within Salesforce itself. The process for connecting to an external app is simple, as employees just enter an 8-digit code when prompted by Salesforce. But once ensnared in the phone scam, employees are tricked into entering an 8-digit code that will connect to a data exfiltration program owned and operated entirely by the hackers.

Once connected, the hackers are free to roam inside the company’s Salesforce data and steal what they see fit. Some attacks reportedly included an expansion by the hackers into other corporate online accounts, including Microsoft 365, which could reveal a company’s emails and other sensitive messages.

In the attack against Google, the hackers accessed a Salesforce “instance,” which is a term used to describe a company or user’s implementation of software and the data they manage through that software (Think of it like when a hacker breaches an online account and then pilfers all the data related to that account and what it can access). In the Google attack, the Salesforce instance “was used to store contact information and related notes for small and medium businesses.”

“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” Google said. “The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”

According to the outlet Bleeping Computer, the ShinyHunters cybercrime group is still stealing business data through this attack campaign. Once the hackers have the data, they then extort the victims to pay a hefty ransom or risk having the data exposed online.

How to stay safe from the Salesforce scam

Because this attack is so targeted (every corporate victim uses Salesforce) the defense strategies are clear and actionable. Here’s how you can help yourself and your staff avoid this attack.

  • Audit your Salesforce access. Ensure that the only employees or staff who have access to Salesforce are those who need to use it for their job. When there are fewer employees who can access Salesforce, there are fewer entry points for hackers.
  • Train your staff. Recognizing a social engineering scam is important for any workforce, no matter the size. Inform your employees and yourself about your current IT support provider so that any rogue phone calls are immediately caught.
  • Use multifactor authentication (MFA) for important accounts. The hackers in these attacks managed to gain access to other cloud applications like Microsoft 365. Protect all your employee accounts on sensitive platforms with MFA.

Social engineering scams are some of the most effective and serious threats to small businesses. It’s important to recognize them when they happen. And for all else, use always-on cybersecurity to protect your business from malware, viruses, and nefarious break-in attempts.

Meta accessed women’s health data from Flo app without consent, says court

A jury has ruled that Meta accessed sensitive information from a woman’s reproductive health tracking app without consent.

The app in question is called Flo Health. Developed in 2015 in Belarus to track menstrual cycles, it has evolved over the years as a tracking app for highly detailed, intimate aspects of women’s reproductive health.

Flo Health user Erica Frasco brought a class action lawsuit against the company in 2021, following a damning report about its privacy infractions by the Wall Street Journal in 2019.

Since she downloaded the app in 2017, Frasco, like its other users, regularly answered highly intimate questions. These ranged from the timing and comfort level of menstrual cycles, through to mood swings and preferred birth control methods, and their level of satisfaction with their sex life and romantic relationships. The app even asked when users had engaged in sexual activity and whether they were trying to get pregnant.

According to the complaint, Flo Health promised not to share this data with third parties unless it was necessary for the provision of its services. Even then, it promised, it would only share information relevant to web hosting and app development. It would not include “information regarding your marked cycles, pregnancy, symptoms, notes and other information entered by [users]”, reported the original complaint.

Yet between 2016 and 2019 Flo Health shared that intimate data with companies including Facebook and Google, along with mobile marketing firm AppsFlyer, and Yahoo!-owned mobile analytics platform Flurry. Whenever someone opened the app, it would be logged. Every interaction inside the app was also logged, and this data was shared.

Flo Health didn’t impose rules on how these third parties could use the data. “In fact, the terms of service governing Flo Health’s agreement with these third parties allowed them to use the data for their own purposes, completely unrelated to services provided in connection with the App,” the complaint went on.

By December 2020, 150 million people were using the app, according to court documents. Flo had promised them that they could trust it.

Users were “trusting us with intimate personal information,” it said in its privacy policy. “We are committed to keeping that trust, which is why our policy as a company is to take every step to ensure that individual user’s data and privacy rights are protected.”

The Federal Trade Commission investigated these allegations and settled with Flo Health in 2021, imposing an independent review of its privacy policy and mandating that it not misrepresent its app.

The class action lawsuit claims common law invasion of privacy, breach of contract and implied contract, unjust enrichment, and breach of the Stored Communications Act and the California Confidentiality of Medical Information Act. It seeks damages for plaintiffs, along with some of the company’s profit.

Google and Flo Health have both settled with plaintiffs already, but Meta has not. The jury ruled that Meta intentionally “eavesdropped on and/or recorded their conversations by using an electronic device,” and that it did so without consent.

This case is important on so many levels. Aside from general privacy concerns, women’s menstrual health is an area of particular contention after the US Supreme Court removed the constitutional right to abortion in June 2022. That year, Meta came under scrutiny for providing police with private message data between a mother and her daughter planning medication to abort a pregnancy.

We could simply say “Don’t use Flo Health”, but the app was trusted until it was found out. How many others are sharing data in similarly irresponsible ways? Increasingly, we lean toward simply not using apps to track sensitive data of this kind at all.

However, then there are the websites to worry about. A report by Propublica found that online pharmacies selling abortion pills were sharing sensitive data with Google and others. This could give law enforcement evidence in cases against women, it said. Technology promised us convenience, but its misuse also brings serious dangers to users.



Weight loss scams, or why ‘Jodie Foster’ wants me to lose weight

It seems like it’s hard to move on social media without some kind of mention of weight-loss injections these days. And, sure, these drugs can have a positive effect for many people, but not all these cases of weight loss are real, nor are the people promoting them who they say they are.

Weight-loss scams have been around for many years. Remember when senators grilled a then-popular television physician called Dr. Oz over his miraculous weight loss claims? That was 11 years ago.

And what would work better than celebrities promoting these scams? In 2018, the Federal Trade Commission posted a warning about scammers impersonating celebrities on social media. That warning was not about weight-loss scams in particular, but you get the drift.

So it was fortuitous timing that I noticed a familiar face in my Facebook friend suggestions.

Add friend suggestion for Jodie foster

Scammers, be warned: at some point I get curious and try to figure out what your angle is. So, I put on my best starstruck face and clicked the “Add friend” button.

Jodie must be very desperate to meet a man her own age, because she was quick to accept.

Jodie foster accepted your friend request

At first, I decided to play the waiting game. In my experience, scammers get to the point more quickly when they are the ones taking the initiative.

But Jodie’s patience outlasted mine and so I sent her a Direct Message to tell her how much of a fan I am and how happy I was she had accepted my friend request.

Apparently she is very busy, and she outlasted my patience again. So, I decided to look at her Facebook profile.

What I found was that her profile gets tagged extremely often. The posts she is tagged in are a mix of explicit content and weight-loss scams. Those include a lot of “before and after” pictures. In some of them the models even seem to be wearing the same clothes.

Before and after?

Weight-loss scams are a common threat on social media platforms like Facebook, and scammers have become increasingly sophisticated in their tactics.

Scammers tag fake celebrity profiles in their posts to increase visibility, hoping fans or unsuspecting users will see, share and click on the posts.

The goal is to sell products like keto supplements, apple cider vinegar gummies, CBD gummies, and many more that will allegedly help you lose weight without exercising and dieting.

The end goal is to ask exorbitant prices for useless products and get victims to pay—preferably repeatedly—for said products. The offers often resort to the fine print hidden under a huge discount that subscribes victims to a monthly plan which is notoriously hard to cancel or get refunds for.

The scammers operating Jodie’s profile like to use a redirect service, hosted at litewo.xyz. The service works similarly to a URL shortener, except for the fact that most of the URLs do not get any shorter by using it; about as effective as the weight-loss pills they are selling, you might say.

This weight-loss scam focuses on a few countries and has dedicated pages for each language area. The pages in English are all Kelly Clarkson themed.

Kelly Clarkson themed website

Kelly Clarkson is an interesting subject for this type of campaign because she has spoken publicly about her weight loss, but she didn’t achieve this by using any of the products the scammers are selling. She is also not affiliated with any of these scams, nor is Jodie Foster.

As usual the scammers try to hurry potential customers along by implying that their wonder cure is about to be sold out.

only a few left and others are viewing this offer

The scammers list the products at unbelievable prices, but the end result will sadly not be what you hope for. If you’re “lucky” you won’t receive anything. If you’re less fortunate you’ll receive some dangerous concoction that could ruin your health.

Avoiding weight-loss scams

Celebrities are well known for their brand collaborations and sponsored content. But to find out whether a celebrity is actually promoting something or if you’re looking at a scam, there are a few pointers you can use:

  • Search online for the celebrity’s name plus “scam” and you’re likely to find out that others have fallen for a particular scam.
  • Look at an official channel associated with the celebrity and see if the endorsement can be found there.
  • Do not get rushed into buying anything.
  • Read the fine print. Often this will tell you that you are signing up for a monthly subscription model instead of a one-time payment.
  • Research the name of the product the scammers are selling. In many cases you will learn that the name is associated with scams.
  • If you have bought one of these products, keep an eye on your financial accounts, because some scammers might use your card for other transactions.
  • Use an active security solution that blocks malicious domains.

Malwarebytes blocks litewo.xyz

Malicious domains

Domains we found to be associated with this weight-loss scam campaign:




Perplexity AI ignores no-crawling rules on websites, crawls them anyway

Imagine putting up a no-trespassing sign for people walking their dogs, and then finding out that one person dresses up their Great Dane as a calf and walks it on your grounds.

Well that’s sort of what AI answer engine Perplexity has been doing, by evading the no-crawl directives of websites, according to Cloudflare.

The no-trespassing sign in this case would be a robots.txt file—a small text file placed on a website that tells search engines and other automated tools (often called “bots” or “crawlers”) which pages or sections of the site they are allowed to access and which parts they should not visit.

Cloudflare started an investigation after customers complained that Perplexity accessed their content despite the fact that they had disallowed Perplexity crawling activity in their robots.txt files. They had also created Web Application Firewall (WAF) rules to specifically block both of Perplexity’s declared crawlers: PerplexityBot and Perplexity-User.

So Cloudflare set up some test domains and queried Perplexity about them to see if it would return the information that it shouldn’t be able to access. What the researchers found was surprising, because it looks like Perplexity uses a very deliberate system to bypass the no-crawling directives.

The researchers discovered the use of a user agent designed to impersonate Google Chrome on macOS (to look like a regular user) when Perplexity’s declared crawler was blocked. The User Agent string shows the website you’re visiting some basic information about your browser and operating system, so the site can provide an experience optimized for that setup. The Perplexity crawler camouflaged by this User Agent string used regularly changing IP addresses outside of Perplexity’s official IP range, allowing it to successfully access the content it wasn’t supposed to.
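Two things a site operator can do with the behaviour described above are to evaluate their robots.txt the way a compliant crawler should, and to look in their own access logs for the pattern of a declared crawler being refused and the same page then being served to a browser-looking user agent from an unrelated address. The code below is an added example, not Cloudflare’s or Perplexity’s; the robots.txt, the log lines, the user agents and the 192.0.2.0/24 “declared crawler range” are all constructed, and the correlation heuristic is an assumption of this example rather than Cloudflare’s published method.

```python
"""robots.txt evaluation and a log heuristic for a crawler that comes back
looking like a browser after its declared user agent is refused.

Added example, not Cloudflare's or Perplexity's code.  The robots.txt, the log
lines and the 192.0.2.0/24 'declared crawler range' are all constructed."""
from datetime import datetime
from ipaddress import ip_address, ip_network
from urllib.robotparser import RobotFileParser

# Policy the article describes: both declared crawlers refused everywhere, others allowed.
ROBOTS_TXT = """\
User-agent: PerplexityBot
Disallow: /

User-agent: Perplexity-User
Disallow: /

User-agent: *
Allow: /
"""

DECLARED_CRAWLERS = ("PerplexityBot", "Perplexity-User")
# Placeholder (RFC 5737 documentation block) standing in for the crawler's published range.
DECLARED_RANGE = ip_network("192.0.2.0/24")
# Traits of the Chrome-on-macOS user agent the article says was used as camouflage.
BROWSER_MARKERS = ("Macintosh", "Chrome/")
# Constructed user agents for the sample log (not the crawlers' real strings).
CHROME_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
BOT_UA = "Mozilla/5.0 (compatible; PerplexityBot/1.0)"
USER_UA = "Mozilla/5.0 (compatible; Perplexity-User/1.0)"


def robots_allows(product_token, url, robots_txt=ROBOTS_TXT):
    """Answer 'may this agent fetch this URL?' under the given robots.txt.

    RobotFileParser matches the token before the first '/' against each group,
    so pass the crawler's product token (e.g. 'PerplexityBot'), not a full UA."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(product_token, url)


# Constructed access log: time|ip|path|status|user-agent
SAMPLE_LOG = f"""\
2025-08-05T10:00:00|192.0.2.10|/articles/1|403|{BOT_UA}
2025-08-05T10:00:07|203.0.113.44|/articles/1|200|{CHROME_UA}
2025-08-05T10:01:30|198.51.100.9|/about|200|{CHROME_UA}
2025-08-05T10:02:00|192.0.2.11|/articles/2|403|{USER_UA}
2025-08-05T10:30:00|203.0.113.45|/articles/2|200|{CHROME_UA}
"""


def parse_log(text):
    """Parse the constructed pipe-separated format into dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, ip, path, status, ua = line.split("|", 4)
        rows.append({"time": datetime.fromisoformat(ts), "ip": ip, "path": path,
                     "status": int(status), "ua": ua})
    return rows


def find_evasion_candidates(rows, window_seconds=120):
    """Heuristic (an assumption of this example, not Cloudflare's published method):
    a declared crawler was refused (403) on a path and, within the window, the same
    path was served (200) to a browser-looking UA from an IP outside DECLARED_RANGE."""
    refusals = [r for r in rows
                if r["status"] == 403 and any(c in r["ua"] for c in DECLARED_CRAWLERS)]
    hits = []
    for r in rows:
        looks_like_browser = all(m in r["ua"] for m in BROWSER_MARKERS)
        outside_range = ip_address(r["ip"]) not in DECLARED_RANGE
        if r["status"] != 200 or not looks_like_browser or not outside_range:
            continue
        for d in refusals:
            delta = (r["time"] - d["time"]).total_seconds()
            if d["path"] == r["path"] and d["ip"] != r["ip"] and 0 <= delta <= window_seconds:
                hits.append({"path": r["path"], "ip": r["ip"],
                             "seconds_after_refusal": int(delta)})
                break
    return hits


if __name__ == "__main__":
    for agent in ("PerplexityBot", "Perplexity-User", "SomeOtherBot"):
        print(agent, "allowed:", robots_allows(agent, "https://example.com/articles/1"))
    for hit in find_evasion_candidates(parse_log(SAMPLE_LOG)):
        print("possible evasion:", hit)
```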

I wondered what Perplexity’s view on the whole thing was, so I asked it whether it knew what a robots.txt file was for and why it was bad to ignore one. It returned the following:

Perplexity answers why it's wrong to bypass robots.txt files

Why is it wrong to ignore robots.txt?

  • Respect for Privacy and Security: Some parts of a website may contain private, sensitive, or unfinished content not meant for public search engines. Ignoring robots.txt can expose data that should remain private.
  • Fair Resource Usage: Crawling websites takes up bandwidth and server resources. By telling robots where not to go, website owners can prevent wasteful use of these resources, ensuring the site runs smoothly for real users.
  • Legal and Ethical Standards: Ignoring robots.txt can be considered unethical, and in certain circumstances, it might even break terms of service or data protection regulations depending on what information is accessed and how it’s used.
  • Trust and Reputation: If a robot repeatedly ignores robots.txt, it can be banned or blacklisted by websites, and its reputation could suffer in the public and professional community.

The official reaction of Perplexity is somewhat different. It hides behind the difference between a regular bot and an AI agent that is on a quest for a user to answer a specific question.

Perplexity reasons that:

“Modern AI assistants work fundamentally differently from traditional web crawling. When you ask Perplexity a question that requires current information—say, “What are the latest reviews for that new restaurant?”—the AI doesn’t already have that information sitting in a database somewhere. Instead, it goes to the relevant websites, reads the content, and brings back a summary tailored to your specific question.

This is fundamentally different from traditional web crawling, in which crawlers systematically visit millions of pages to build massive databases, whether anyone asked for that specific information or not.”

Although I see Perplexity’s point, and there is a big difference between crawling websites to gather as much information as you can and seeking to answer a specific question for one user, the decision whether a website owner wants to allow either is up to them. And there should be no need for sneaking around.

So why not create a User Agent String that tells website owners “this is just a short visit to find some specific information” to discern it from actual crawlers that siphon up every bit they can find, and then let the website owners decide whether they will allow them or not?

Either way, this discussion seems far from over, and with the rise of AI agents we will probably see problems arise that were not on the radar before we all started using AI.



Critical Android vulnerabilities patched—update as soon as you can

Google has patched six vulnerabilities in Android in its August 2025 Android Security Bulletin, including two rated critical. One of them could have allowed an attacker to execute code on a victim’s device without the victim needing to do anything at all.

Last month, Google skipped its monthly security update for the first time in almost ten years. Normally dozens of vulnerabilities are addressed each month, so the skip was both welcome and slightly worrying, all the more so because Google reported at the same time that its Artificial Intelligence (AI) Big Sleep system had found 20 vulnerabilities in several open-source software projects.

The August updates are available for Android 13, 14, 15, and 16. Android vendors are notified of all issues at least a month before publication; however, that does not always mean the patches are available for every device immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: under About phone or About device, tap Software updates to check whether new updates are available for your device. There may be slight differences depending on the brand, model, and Android version of your device.

If your Android phone shows a security patch level of 2025-08-05 or later, you can consider these issues fixed.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.
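For anyone who has to answer the same question for a fleet rather than one phone, here is an added example (not Google’s or Malwarebytes’ code) that reads the patch level the way the Settings screen does, from the system properties ro.build.version.release and ro.build.version.security_patch as printed by `adb shell getprop`, and compares it with the 2025-08-05 level named above. The device serials and property dumps are constructed sample data; query_device() only touches a real device when adb is installed.

```python
"""Check reported Android security patch levels against the August 2025 level.

Added example, not Google's or Malwarebytes' code. Reads the standard
properties ro.build.version.release and ro.build.version.security_patch in
the `[key]: [value]` form printed by `adb shell getprop`. The serials and
dumps in SAMPLE_GETPROP are constructed sample data.
"""
from __future__ import annotations

import datetime as dt
import re
import shutil
import subprocess

# Patch level that the article says closes all issues in the bulletin.
REQUIRED_PATCH_LEVEL = dt.date(2025, 8, 5)

_PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# Constructed getprop excerpts for three hypothetical devices.
SAMPLE_GETPROP = {
    "device-A": "[ro.build.version.release]: [16]\n"
                "[ro.build.version.security_patch]: [2025-08-05]\n",
    "device-B": "[ro.build.version.release]: [14]\n"
                "[ro.build.version.security_patch]: [2025-06-05]\n",
    "device-C": "[ro.build.version.release]: [13]\n"
                "[ro.build.version.security_patch]: [n/a]\n",
}


def parse_getprop(output: str) -> dict[str, str]:
    """Turn getprop output into a dict, ignoring lines that don't match."""
    props: dict[str, str] = {}
    for line in output.splitlines():
        m = _PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def patch_level(props: dict[str, str]) -> dt.date | None:
    """Patch level as a date; None if the property is missing or malformed."""
    try:
        return dt.date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return None


def assess(props: dict[str, str], required: dt.date = REQUIRED_PATCH_LEVEL) -> dict:
    """Classify one device. 'unknown' is deliberately not 'patched': a missing
    or malformed value should be investigated, not waved through."""
    level = patch_level(props)
    if level is None:
        status, behind = "unknown", None
    elif level >= required:
        status, behind = "patched", 0
    else:
        status, behind = "unpatched", (required - level).days
    return {
        "release": props.get("ro.build.version.release", "unknown"),
        "patch_level": level.isoformat() if level else None,
        "status": status,
        "days_behind": behind,
    }


def assess_fleet(dumps: dict[str, str]) -> dict[str, dict]:
    """Verdict per serial for a mapping of serial -> getprop output."""
    return {serial: assess(parse_getprop(dump)) for serial, dump in dumps.items()}


def query_device(serial: str) -> dict | None:
    """Pull the properties from a real device over adb; None if adb is absent."""
    if shutil.which("adb") is None:
        return None
    out = subprocess.run(["adb", "-s", serial, "shell", "getprop"],
                         capture_output=True, text=True, check=True).stdout
    return assess(parse_getprop(out))


if __name__ == "__main__":
    for serial, verdict in assess_fleet(SAMPLE_GETPROP).items():
        print(serial, verdict)
```

The release is carried alongside the verdict because, as the technical section notes, the critical System bug applies only to Android 16, so an unpatched Android 14 device is exposed to a different subset of the bulletin than an unpatched Android 16 one.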

Technical information

The critical RCE vulnerability is tracked as CVE-2025-48530: a vulnerability in the Android System component which, in combination with other bugs, could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. It affects only Android 16, but it is a top-priority patch because it poses the risk of attackers compromising affected devices silently.

The other critical vulnerability is tracked as CVE-2025-21479: unauthorized command execution in the GPU micronode can cause memory corruption while a specific sequence of commands is executed.

A GPU micronode is a small, specialized part of the Graphics Processing Unit (GPU) that handles specific tasks in processing and rendering graphics on the Android device. It is a critical component for making the visuals work smoothly and correctly.

Researchers recently discovered serious vulnerabilities in the GPU micronode of Qualcomm’s Adreno GPUs, which power billions of Android devices. Qualcomm has identified three such vulnerabilities and this patch fixes the second one they warned about.


Alleged ‘tap-in’ scammer advertised services on social media

Would you give a complete stranger your credit card in return for the promise of easy money? No, neither would we. But apparently well over a hundred people did. Hillsborough County Sheriff’s Office arrested 24-year-old Janetcilize Martinez in Tampa, FL, for allegedly using willing participants’ bank accounts to commit fraud.

Police are calling this a ‘tap-in’ scam. It’s not uncommon, and it works like this:

  1. The scammer advertises for people who want to make fast, easy money by providing access to their bank account. The scammer often describes what they’re going to do, up to and including step four, and offers a cut of the proceeds.
  2. The participant (actually the victim) hands over their debit card or other access credentials.
  3. The scammer uses this access to deposit a fraudulent check into the participant’s account.
  4. The scammer then cashes out the money before the bank realizes that it’s a fraud.
  5. This is the step the scammer omits to tell the victim. The check bounces and the victim is on the hook for the stolen money.

Another term for what these ‘tap-in’ scammers are doing is third-party check kiting. Check kiters write themselves bad checks from another bank account, deposit them, and then pick up the money.

Hundreds of people on TikTok and X did this last year after being told of an apparent “infinite money glitch” at Chase Bank, which wasn’t a glitch at all. They were simply exploiting the standard funds-availability window to collect money on fraudulent checks.

Why check-kiting works (temporarily)

Check-kiting frauds like these depend on fast access to cash from deposited checks. By law, banks in the US have to make the first $275 of a deposited check available within one business day, with the rest available within two business days.

Banks can only place a longer hold on the funds if the account is new, there’s a pattern of overdrawn activity, the check has been redeposited, there’s reasonable cause to believe that the funds aren’t collectible, or the check exceeds $6,725.

The obvious downside of check kiting

Ultimately, if you write yourself a fraudulent check, the bank will inevitably notice when the check doesn’t clear and will take the balance back out of your account.

This is why those who thought they’d take advantage of the Chase ‘glitch’ ended up with a negative balance. In reality, they were using theft to give themselves an illegal loan. Doing so can result in you losing your account or even facing criminal charges.

Martinez, who was reported to police anonymously, allegedly advertised these tap-in services on social media, posting pictures of cash and withdrawal receipts.

When detectives showed up at her residence with a warrant on July 29, they found 117 credit cards belonging to other people, tools for creating counterfeit credit cards, nearly $7,000 in cash, cannabis and associated paraphernalia, and a semi-automatic weapon.

Laptops, money, cards and more seized from Martinez’s house. Image courtesy of Hillsborough County Sheriff’s Office.

She now faces the following charges:

  • Possession of credit card making equipment
  • Unlawful possession of personal identification of another (five or more)
  • Fraudulent use of personal information
  • Possession of drug paraphernalia
  • Possession of cannabis (more than 20 grams)
  • Possession of cannabis with intent to sell, manufacture, or deliver

Martinez has not yet been found guilty of these charges. She has been granted bond pending trial in this case but is being held without bond in another case, according to Fox 13.


Unexpected snail mail packages are being sent with scammy QR codes, warns FBI

Receiving an unexpected package in the post is not always a pleasant surprise. The FBI has warned the public about unsolicited packages containing a QR code which leads to a website aimed at stealing personal data or downloading malware to the victim’s device.

The packages are often shipped without sender information, only the QR code. This is a deliberate tactic by the cybercriminals, who hope that the lack of information will encourage more people to scan the code to find out who sent it.

These packages are a modern variant of brushing scams. In brushing scams, vendors send packages containing merchandise to unsuspecting recipients, and then use the recipient’s information to post positive reviews about their products or business.

The use of QR codes is the new element in this scam. Using QR codes in items sent through the post gives the criminals a few advantages. Firstly, people may not expect something as non-technical as a physical letter to lead to an infected device. Secondly, QR codes are typically read by mobile devices, which, unfortunately, still get overlooked when it comes to installing security software.

As we reported in our “Tap. Swipe. Scam” mobile scam report, 66% of people have scanned a QR code to purchase something. With legitimate businesses using QR codes everywhere, scanning one is something people have become very used to doing.

What many people don’t realize, or remember too late, is that scanning a QR code without the proper safety measures is like clicking a link, with one caveat. With links, we can at least check where they lead before we click. With QR codes, however, it’s impossible for most people to tell a malicious code from a legitimate one just by looking at it.

How to protect yourself from brushing scams

  • If you receive a package you didn’t order and it contains a QR code, do not scan it. Scanning can lead you to fake websites designed to steal your personal or financial information, or even install malware on your device.
  • Legitimate businesses almost always include a return address. Treat any mystery package without sender or return information with extra caution.
  • If you end up on a site asking for personal or financial information after scanning a QR code, do not enter that information. In the hands of scammers it can be used to defraud you.
  • Make sure your device is running the latest available version of its operating system and apps. Cybercriminals take advantage of recently discovered vulnerabilities that people have not yet patched.
  • When scanning QR codes use an app that displays the URL before opening the link. This makes it easier to establish whether it’s safe to follow the link.
  • Use up-to-date and active mobile protection, preferably one that includes web protection.
  • Use two-factor authentication (2FA) wherever you can to make it harder for scammers to access your accounts if they do get hold of your login details.
  • Secure your identity. If your information appears to have been used for a scam, consider freezing your credit, changing passwords, and monitoring bank and online accounts for suspicious activity. Or consider using Identity Theft Protection.
  • Report any brushing scams to the FBI at ic3.gov. Be sure to include as much information as possible, such as the name of the person or company that contacted you; the methods of communication used, including websites, emails, and telephone numbers; and any applications you may have downloaded or provided permissions to on your device.
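An app that shows the decoded URL before opening it, as advised above, only helps if you know what to look for once it is on screen. The following is an added example, not the FBI’s or Malwarebytes’ code, of the look-before-you-tap checks a practitioner applies to a decoded QR payload using only Python’s standard library: it rejects non-web payloads outright (a QR code can also join a Wi-Fi network or draft an SMS), strips out the real host when credentials are embedded before an ‘@’, and flags plain http, bare IP addresses, look-alike hosts, shorteners and open-redirect style parameters. The shortener list is illustrative rather than exhaustive, and the sample payloads are constructed.

```python
"""Inspect a decoded QR payload before opening it.

Added example, not from the FBI or Malwarebytes. A scanner that shows the
decoded string is step one; this is the check applied to that string. The
shortener list is illustrative, not exhaustive; SAMPLE_PAYLOADS are constructed.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import parse_qs, urlsplit

URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "goo.gl"}  # illustrative
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "goto", "target", "dest"}


def triage(payload: str) -> dict:
    """Return host, findings and a coarse risk for one decoded QR payload."""
    payload = payload.strip()
    findings: list[str] = []
    scheme = payload.split(":", 1)[0].lower() if ":" in payload else ""

    # QR codes are not only links: WIFI:, tel:, SMSTO: and MATMSG: payloads
    # make the phone join a network, dial, or draft a message. Anything that
    # is not a plain web URL is high risk when it arrived unsolicited.
    if scheme not in ("http", "https"):
        findings.append(f"not a web URL (scheme {scheme or 'none'!r}); may trigger a phone action")
        return {"payload": payload, "host": None, "findings": findings, "risk": "high"}

    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()

    if scheme == "http":
        findings.append("plain http: no TLS, page and redirects can be tampered with")
    if parts.username or parts.password:
        # Everything before '@' is userinfo; browsers connect to `host`.
        findings.append(f"text before '@' is a username; the real host is {host!r}")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address, not a domain")
    except ValueError:
        pass
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        findings.append("non-ASCII or punycode host: possible look-alike domain")
    if host in URL_SHORTENERS:
        findings.append("URL shortener: final destination is hidden")
    if host.count(".") >= 4:
        findings.append("many subdomain labels: judge the registrable domain, not the first label")
    for key, values in parse_qs(parts.query).items():
        if key.lower() in REDIRECT_PARAMS and any(
                v.lower().startswith(("http://", "https://")) for v in values):
            findings.append(f"parameter {key!r} redirects to another site: {values[0]}")

    risk = "high" if len(findings) >= 2 else "medium" if findings else "low"
    return {"payload": payload, "host": host, "findings": findings, "risk": risk}


# Constructed sample payloads, from benign to clearly hostile.
SAMPLE_PAYLOADS = [
    "https://www.example.com/order/status?id=4821",
    "https://bit.ly/3xYzAbC",
    "http://203.0.113.10/verify",
    "https://accounts.example.com@login-example.net/confirm?next=http://203.0.113.10/",
    "WIFI:T:WPA;S:FreeGiftWiFi;P:gift2025;;",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        r = triage(p)
        print(f"[{r['risk']:6}] {p}")
        for f in r["findings"]:
            print("         -", f)
```

The fourth sample is the one worth remembering: to a casual glance it reads as accounts.example.com, but the browser connects to login-example.net and is then bounced on to a bare IP address. A scanner that shows the raw string lets you see that; the camera alone never will.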
