
What Happens When Spyware Hits a Phone and How to Stay Safe

 



Although advanced spyware attacks do not affect most smartphone users, cybersecurity researchers stress that awareness is essential as these tools continue to spread globally. Even individuals who are not public figures are advised to remain cautious.

In December, hundreds of iPhone and Android users received official threat alerts stating that their devices had been targeted by spyware. Shortly after these notifications, Apple and Google released security patches addressing vulnerabilities that experts believe were exploited to install the malware on a small number of phones.

Spyware poses an extreme risk because it allows attackers to monitor nearly every activity on a smartphone. This includes access to calls, messages, keystrokes, screenshots, notifications, and even encrypted platforms such as WhatsApp and Signal. Despite its intrusive capabilities, spyware is usually deployed in targeted operations against journalists, political figures, activists, and business leaders in sensitive industries.

High-profile cases have demonstrated the seriousness of these attacks. Former Amazon chief executive Jeff Bezos and Hanan Elatr, the wife of murdered Saudi dissident Jamal Khashoggi, were both compromised through Pegasus spyware developed by the NSO Group. These incidents illustrate how personal data can be accessed without user awareness.

Spyware activity remains concentrated within these circles, but researchers suggest its reach may be expanding. In early December, Google issued threat notifications and disclosed findings showing that an exploit chain had been used to silently install Predator spyware. Around the same time, the U.S. Cybersecurity and Infrastructure Security Agency warned that attackers were actively exploiting mobile messaging applications using commercial surveillance tools.

One of the most dangerous techniques involved is known as a zero-click attack. In such cases, a device can be infected without the user clicking a link, opening a message, or downloading a file. According to Malwarebytes researcher Pieter Arntz, once infected, attackers can read messages, track keystrokes, capture screenshots, monitor notifications, and access banking applications. Rocky Cole of iVerify adds that spyware can also extract emails and texts, steal credentials, send messages, and access cloud accounts.

Spyware may also spread through malicious links, fake applications, infected images, browser vulnerabilities, or harmful browser extensions. Recorded Future’s Richard LaTulip notes that recent research into malicious extensions shows how tools that appear harmless can function as surveillance mechanisms. These methods, often associated with nation-state actors, are designed to remain hidden and persistent.

Governments and spyware vendors frequently claim such tools are used only for law enforcement or national security. However, Amnesty International researcher Rebecca White states that journalists, activists, and others have been unlawfully targeted worldwide, using spyware as a method of repression. Thai activist Niraphorn Onnkhaow was targeted multiple times during pro-democracy protests between 2020 and 2021, eventually withdrawing from activism due to fears her data could be misused.

Detecting spyware is challenging. Devices may show subtle signs such as overheating, performance issues, or unexpected camera or microphone activation. Official threat alerts from Apple, Google, or Meta should be treated seriously. Leaked private information can also indicate compromise.

To reduce risk, Apple offers Lockdown Mode, which limits certain functions to reduce attack surfaces. Apple security executive Ivan Krstić states that widespread iPhone malware has not been observed outside mercenary spyware campaigns. Apple has also introduced Memory Integrity Enforcement, an always-on protection designed to block memory-based exploits.

Google provides Advanced Protection for Android, enhanced in Android 16 with intrusion logging, USB safeguards, and network restrictions.

Experts recommend avoiding unknown links, limiting app installations, keeping devices updated, avoiding sideloading, and restarting phones periodically. However, confirmed infections often require replacing the device entirely. Organizations such as Amnesty International, Access Now, and Reporters Without Borders offer assistance to individuals who believe they have been targeted.

Security specialists advise staying cautious without allowing fear to disrupt normal device use.

How To Tell If Spyware Is Hiding On Your Phone And What To Do About It

 



Your smartphone stores personal conversations, financial data, photos, and daily movements. This concentration of information makes it attractive to attackers who rely on spyware. Spyware is malicious software that pretends to be a useful app while silently collecting information. It can arrive through phishing messages, deceptive downloads, fake mobile tools, or through legitimate apps that receive harmful updates. Even monitoring tools designed for parents or employers can be misused to track someone without their knowledge.

Spyware exists in multiple forms. One common category is nuisanceware, which appears with legitimate apps and focuses on showing unwanted ads, altering browser settings, and gathering browsing data for advertisers. Although it does not usually damage the device, it still disrupts user activity and profits from forced ad interactions. Broader mobile spyware goes further by pulling system information, clipboard content, login credentials, and data linked to financial accounts. These threats rely on tricking users through harmful emails, unsafe attachments, social media links, fake text messages, or direct physical access.

A more aggressive class of spyware overlaps with stalkerware and can monitor nearly every action on a victim’s device. These tools read messages across different platforms, intercept calls, capture audio from the environment, trigger the camera, take screenshots, log keystrokes, track travel routes, and target social media platforms. They are widely associated with domestic abuse because they allow continuous surveillance of a person’s communication and location. At the highest end is commercial spyware sold to governments. Tools like Pegasus have been used against journalists, activists, and political opponents, although everyday users are rarely targeted due to the high cost of these operations.

There are several early signs of an attempted spyware install. Strange emails, unexpected social media messages, or SMS alerts urging you to click a link are often the first step. Attackers frequently use urgent language to pressure victims into downloading malicious files, including fake delivery notices or warnings framed as bank or tax office messages. Sometimes these messages appear to come from a trusted contact. Stalkerware may require physical access, which means a phone that briefly goes missing and returns with new settings or apps could have been tampered with.

Once spyware is installed, your phone may behave differently. Rapid battery drain, overheating, sudden reboots, location settings turning on without reason, or a sharp increase in mobile data use can indicate that data is being transmitted secretly. Some variants can subscribe victims to paid services or trigger unauthorized financial activity. Even harmless apps can turn malicious through updates, so new problems after installing an app deserve attention.

On Android devices, users can review settings that control installations from outside official stores. This option usually appears in Settings > Security > Allow unknown sources, although the exact location depends on the manufacturer. Another path to inspect is Apps > Menu > Special Access > Install unknown apps, which lists anything permitted to install packages. This check is not completely reliable because many spyware apps avoid appearing in the standard app view.

Some spyware hides behind generic names and icons to blend in with normal tools such as calculators, calendars, utilities, or currency converters. If an unfamiliar app shows up, running a quick search can help determine whether it belongs to legitimate software.

For iPhones that are not jailbroken, infection is generally harder unless attackers exploit a zero-day or an unpatched flaw. Risks increase when users delay firmware updates or do not run routine security scans. While both platforms can show signs of compromise, sophisticated spyware may remain silent.

Some advanced surveillance tools operate without leaving noticeable symptoms. These strains can disguise themselves as system services and limit resource use to avoid attention.

Removing spyware is challenging because these tools are designed to persist. Most infections can be removed, but some cases may require a full device reset or, in extreme scenarios, replacing the device. Stalkerware operators may also receive alerts when their access is disrupted, and a sudden halt in data flow can signal removal.

If removing spyware could put someone at physical risk, they should avoid tampering with the device and involve law enforcement or relevant support groups.

Several approaches can help remove mobile spyware:

1. Run a malware scan: Reputable mobile antivirus tools can detect many common spyware families, though they may miss advanced variants.

2. Use dedicated removal tools: Specialized spyware removal software can help, but it must only be downloaded from trusted sources to avoid further infection.

3. Remove suspicious apps: Reviewing installed applications and deleting anything unfamiliar or unused may eliminate threats.

4. Check device administrator settings: Spyware may grant itself administrator rights. If such apps cannot be removed normally, a factory reset might be necessary.

5. Boot into Safe Mode: Safe Mode disables third-party apps temporarily, making removal easier, though advanced spyware may still persist.

6. Update the operating system: Patches often close security gaps that spyware relies on.


After discovering suspicious activity, users should take additional security steps. First, change passwords and enable biometrics: resetting passwords from a separate, clean device and enabling biometric locks strengthens both account and device security. Second, create a new email address: a private email account can help regain control of linked services without alerting a stalkerware operator.

Advanced, commercial spyware demands stronger precautions. Research-based recommendations include:

• Reboot the device daily to disrupt attacks that rely on temporary exploits.

• Disable iMessage and FaceTime on iOS, as they are frequent targets for exploitation.

• Use alternative browsers such as Firefox Focus or Tor Browser to reduce exposure from browser-based exploits.

• Use a trusted VPN and jailbreak detection tools to protect against network and system-level intrusion.

• Use a separate secure device like those running GrapheneOS for sensitive communication.

Reducing the risk of future infections requires consistent precautions:

• Maintain physical device security through PINs, patterns, or biometrics.

• Install system updates as soon as they are released.

• Run antivirus scans regularly.

• Avoid apps from unofficial sources.

• Enable built-in security scanners for new installations.

• Review app permissions routinely and remove intrusive apps.

• Be cautious of suspicious links.

• Avoid jailbreaking the device.

• Enable multi-factor authentication, keeping in mind that spyware may still capture some verification codes.



Encrypted Chats Under Siege: Cyber-Mercenaries Target High-Profile Users

 

Encrypted communication, once considered the final refuge for those seeking private dialogue, now faces a wave of targeted espionage campaigns that strike not at the encryption itself but at the fragile devices that carry it. Throughout this year, intelligence analysts and cybersecurity researchers have observed a striking escalation in operations using commercial spyware, deceptive app clones, and zero-interaction exploits to infiltrate platforms such as Signal and WhatsApp.
 
What is emerging is not a story of broken cryptographic protocols, but of adversaries who have learned to manipulate the ecosystem surrounding secure messaging, turning the endpoints themselves into compromised windows through which confidential conversations can be quietly observed.
  
The unfolding threat does not resemble the mass surveillance operations of previous decades. Instead, adversarial groups, ranging from state-aligned operators to profit-driven cyber-mercenaries, are launching surgical attacks against individuals whose communications carry strategic value.
 
High-ranking government functionaries, diplomats, military advisors, investigative journalists, and leaders of civil society organizations across the United States, Europe, the Middle East, and parts of Asia have found themselves increasingly within the crosshairs of these clandestine campaigns.
 
The intent, investigators say, is rarely broad data collection. Rather, the aim is account takeover, message interception, and long-term device persistence that lays the groundwork for deeper espionage efforts.
 

How Attackers Are Breaching Encrypted Platforms

 
At the center of these intrusions is a shift in methodology: instead of attempting to crack sophisticated encryption, threat actors compromise the applications and operating systems that enable it. Across multiple investigations, researchers have uncovered operations that rely on:
 
1. Exploiting Trusted Features
 
Russia-aligned operators have repeatedly abused the device-linking capabilities of messaging platforms, persuading victims—via social engineering—to scan malicious connection requests. This enables a stealthy secondary device to be linked to a target’s account, giving attackers real-time access without altering the encryption layer itself.
 
2. Deploying Zero-Interaction Exploits
 
Several campaigns emerged this year in which attackers weaponized vulnerabilities that required no user action at all. Specially crafted media files sent via messaging apps, or exploit chains triggered upon receipt, allowed silent compromise of devices, particularly on Android models widely used in conflict-prone regions.
 
3. Distributing Counterfeit Applications
 
Clone apps impersonating popular platforms have proliferated across unofficial channels, especially in parts of the Middle East and South Asia. These imitations often mimic user interfaces with uncanny accuracy while embedding spyware capable of harvesting chats, recordings, contact lists, and stored files.
 
4. Leveraging Commercial Spyware and “Cyber-For-Hire” Tools
 
Commercial surveillance products, traditionally marketed to law enforcement or intelligence agencies, continue to spill into the underground economy. Once deployed, these tools often serve as an entry point for further exploitation, allowing attackers to drop additional payloads, manipulate settings, or modify authentication tokens.
 

Why Encrypted Platforms Are Under Unprecedented Attack

 
Analysts suggest that encrypted applications have become the new battleground for geopolitical intelligence. Their rising adoption by policymakers, activists, and diplomats has elevated them from personal communication tools to repositories of sensitive, sometimes world-shaping information.
 
Because the cryptographic foundations remain resilient, adversaries have pivoted toward undermining the assumptions around secure communication—namely, that the device you hold in your hand is trustworthy. In reality, attackers are increasingly proving that even the strongest encryption is powerless if the endpoint is already compromised.
  
Across the world, governments are imposing stricter regulations on spyware vendors and reassessing the presence of encrypted apps on official devices. Several legislative bodies have either limited or outright banned certain messaging platforms in response to the increasing frequency of targeted exploits.
 
Experts warn that the rise of commercialized cyber-operations, where tools once reserved for state intelligence now circulate endlessly between contractors, mercenaries, and hostile groups, signals a long-term shift in digital espionage strategy rather than a temporary spike.
 

What High-Risk Users Must Do

 
Security specialists emphasize that individuals operating in sensitive fields cannot rely on everyday digital hygiene alone. Enhanced practices, such as hardware isolation, phishing-resistant authentication, rigid permission control, and using only trusted app repositories, are rapidly becoming baseline requirements.
 
Some also recommend adopting hardened device modes, performing frequent integrity checks, and treating unexpected prompts (including QR-code requests) as potential attack vectors.

Android Malware Hits 42 Million Downloads, Risking Mobile Payments

 

Android malware is surging globally, with attackers increasingly targeting mobile payments and IoT devices, exposing critical vulnerabilities in systems heavily relied upon for communication, work, and financial activity. 

Recent findings from Zscaler indicate that 239 malicious Android apps were discovered on Google Play, amassing a staggering 42 million downloads, mainly by users seeking productivity and workflow solutions trusted in hybrid work settings. This reflects a pronounced shift away from traditional card-based fraud toward abuse of mobile payment channels using various social engineering tactics—such as phishing, smishing, and SIM-swapping.

Mobile compromise incidents are escalating rapidly, highlighted by a 67% year-over-year spike in Android malware transactions. Spyware, banking trojans, and adware are the dominant threats. Adware accounts for 69% of all malware detections, pointing to evolving monetization strategies among cybercriminals, while the notorious 'Joker' family has declined sharply to only 23% of activity. The report also notes a trend of attackers focusing on high-value sectors, with the energy industry experiencing a dramatic 387% increase in attack attempts compared to the previous year.

IoT environments remain highly vulnerable, particularly in manufacturing and transportation, which saw over 40% of IoT-related malware activity. IoT attacks are primarily driven by botnet malware families such as Mirai, Mozi, and Gafgyt—collectively responsible for about 75% of observed malicious payloads within this space. Routers, in particular, are heavily targeted, making up 75% of all IoT attacks, as attackers use them for botnet building and proxy networks.

Geographically, India is the prime target for mobile malware, receiving 26% of analyzed attacks, followed by the United States (15%) and Canada (14%). In IoT, the United States is most affected, seeing 54.1% of all malicious traffic. Certain threats like the Android Void backdoor have infected at least 1.6 million Android TV boxes, mostly in India and Brazil, exposing the dangers linked to widespread use of inexpensive devices and outdated software. Malware families like Anatsa and Xnotice continue to refine tactics for financial theft and regional targeting.

To defend against these threats, experts recommend maintaining regularly updated devices, using reputable antivirus apps, enabling ransomware protection, limiting unnecessary app installations, scrutinizing permissions, running frequent malware scans, and utilizing Google Play Protect. The article stresses the need for a "zero trust everywhere" approach combined with AI-driven threat detection to counter the evolving cyber landscape.

Landfall Spyware Exploited a Samsung Image Flaw to Secretly Target Users For Nearly a Year




Security specialists at Palo Alto Networks’ Unit 42 have uncovered a complex spyware tool named Landfall that silently infiltrated certain Samsung Galaxy phones for close to a year. The operation relied on a serious flaw in Samsung’s Android image-processing system, which allowed the device to be compromised without the user tapping or opening anything on their screen.

Unit 42 traces the campaign back to July 2024. The underlying bug was later assigned CVE-2025-21042, and Samsung addressed it in a security update released in April 2025. The details of how attackers used the flaw became public only recently, after researchers completed their investigation.

The team emphasizes that even users who browsed risky websites or received suspicious files during that period likely avoided infection. Evidence suggests the operation was highly selective, targeting only specific individuals or groups rather than the general public. Based on submitted samples, the activity was concentrated in parts of the Middle East, including Iraq, Iran, Turkey, and Morocco. Who controlled Landfall remains unknown.

The researchers discovered the spyware while examining earlier zero-click bugs affecting Apple iOS and WhatsApp. Those unrelated flaws showed how attackers could trigger remote code execution by exploiting image-handling weaknesses. This motivated Unit 42 to search for similar risks affecting Android devices. During this process, they found several suspicious files uploaded to VirusTotal that ultimately revealed the Landfall attack chain.

At the center of this operation were manipulated DNG image files. DNG is a raw picture format built on the TIFF standard and is normally harmless. In this case, however, the attackers altered the files so they carried compressed ZIP archives containing malicious components. The image-processing library in Samsung devices had a defect that caused the system to extract and run the embedded code automatically while preparing the image preview. This made the threat a true zero-click exploit because no user action was required for infection.
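The DNG-with-embedded-ZIP delivery described above is something a file-triage pipeline can check for. The following is an added example written for this page, not Unit 42's or Samsung's code: it validates the TIFF container, walks its IFD chain, then looks for ZIP end-of-central-directory records and confirms each one describes a real archive inside the image. The sample file it builds is constructed here, and the member name stage1.bin is a placeholder.

```python
import io
import struct
import zipfile

TIFF_MAGIC = 42
DNG_VERSION_TAG = 50706          # presence of this tag marks a TIFF as a DNG
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"         # end-of-central-directory record, one per archive
EOCD_LEN = 22


def parse_tiff(data: bytes) -> dict:
    """Validate the TIFF header and collect the tags of every IFD in the chain."""
    order = {b"II": "<", b"MM": ">"}.get(data[:2])
    if len(data) < 8 or order is None or struct.unpack(order + "H", data[2:4])[0] != TIFF_MAGIC:
        raise ValueError("not a TIFF/DNG container")
    offset = struct.unpack(order + "I", data[4:8])[0]
    ifds, seen = [], set()
    while offset and offset not in seen and offset + 2 <= len(data):
        seen.add(offset)          # a crafted file may loop its IFD chain; never follow twice
        count = struct.unpack(order + "H", data[offset:offset + 2])[0]
        tags = {}
        for i in range(count):
            entry = offset + 2 + 12 * i
            if entry + 12 > len(data):
                break             # truncated IFD: stop rather than read past the buffer
            tag, ftype, n = struct.unpack(order + "HHI", data[entry:entry + 8])
            tags[tag] = (ftype, n)
        ifds.append(tags)
        next_at = offset + 2 + 12 * count
        if next_at + 4 > len(data):
            break
        offset = struct.unpack(order + "I", data[next_at:next_at + 4])[0]
    return {"byte_order": order, "ifds": ifds,
            "is_dng": any(DNG_VERSION_TAG in t for t in ifds)}


def find_embedded_zips(data: bytes) -> list:
    """Locate ZIP archives by their EOCD record and confirm each one really parses."""
    found = []
    pos = data.find(ZIP_EOCD)
    while pos != -1 and pos + EOCD_LEN <= len(data):
        entries, cd_size, cd_offset, comment_len = struct.unpack(
            "<HIIH", data[pos + 10:pos + EOCD_LEN])
        start = pos - cd_size - cd_offset   # a genuine archive's first local header sits here
        end = pos + EOCD_LEN + comment_len
        if start >= 0 and data[start:start + 4] == ZIP_LOCAL_HEADER:
            try:
                with zipfile.ZipFile(io.BytesIO(data[start:end])) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                members = None              # EOCD-shaped bytes that are not a usable archive
            found.append({"offset": start, "size": end - start,
                          "entries": entries, "members": members})
        pos = data.find(ZIP_EOCD, pos + 1)
    return found


def triage_image(data: bytes) -> dict:
    """A valid TIFF/DNG has no reason to carry a ZIP archive; flag any file that does."""
    report = parse_tiff(data)
    report["embedded_zips"] = find_embedded_zips(data)
    report["suspicious"] = bool(report["embedded_zips"])
    return report


def build_sample(payload: bytes, with_zip: bool = True) -> bytes:
    """Constructed sample: a minimal little-endian 1x1 DNG, optionally followed by a ZIP."""
    ifd_offset = 8
    entries = [                                   # tags must be in ascending order
        (256, 3, 1, struct.pack("<HH", 1, 0)),    # ImageWidth = 1 (SHORT stored inline)
        (257, 3, 1, struct.pack("<HH", 1, 0)),    # ImageLength = 1
        (258, 3, 1, struct.pack("<HH", 8, 0)),    # BitsPerSample = 8
        (262, 3, 1, struct.pack("<HH", 1, 0)),    # PhotometricInterpretation = BlackIsZero
        (273, 4, 1, None),                        # StripOffsets, patched to the pixel offset below
        (279, 4, 1, struct.pack("<I", 1)),        # StripByteCounts = 1
        (DNG_VERSION_TAG, 1, 4, bytes([1, 4, 0, 0])),  # DNGVersion = 1.4.0.0
    ]
    pixel_offset = ifd_offset + 2 + 12 * len(entries) + 4
    ifd = struct.pack("<H", len(entries))
    for tag, ftype, n, value in entries:
        ifd += struct.pack("<HHI", tag, ftype, n) + (value or struct.pack("<I", pixel_offset))
    ifd += struct.pack("<I", 0)                   # no further IFDs
    image = b"II" + struct.pack("<HI", TIFF_MAGIC, ifd_offset) + ifd + b"\x00"
    if not with_zip:
        return image
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("stage1.bin", payload)        # constructed member name, not a real artefact
    return image + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(b"", with_zip=False)),
                        ("embedded", build_sample(b"A" * 64))):
        print(label, triage_image(blob))
```

The EOCD-based search is deliberate: scanning only for local-header bytes would report one hit per archive member and also match stray bytes, whereas walking back from the EOCD by the recorded central-directory size and offset lands exactly on a genuine archive's start.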

Once the malware launched, it attempted to rewrite parts of the device’s SELinux security policy. This gave the operators broad system access and made the spyware harder to detect or remove. According to Unit 42, the files appeared to have been delivered through messaging platforms like WhatsApp, disguised as regular images. Code inside the samples referenced models such as the Galaxy S22, S23, S24, Z Flip 4, and Z Fold 4. Samsung believes the vulnerability existed across devices running Android 13, 14, and 15.

After installation, Landfall could gather extensive personal information. It could transmit hardware identifiers, lists of installed apps, contacts, browsing activity, and stored files. It also had the technical ability to activate the device’s microphone or camera for surveillance. The spyware included multiple features to avoid detection, meaning that fully removing it would require deep device repairs or resets.

Unit 42 noted similarities between Landfall’s design and advanced commercial spyware used by major surveillance vendors, but they did not identify any company or group responsible. Although Samsung has already released a fix, attackers could reuse this method on devices that have not installed the April 2025 update or later. Users are urged to check their security patch level to remain protected.


How Spyware Steals Your Data Without You Knowing About It


You might not be aware that your smartphone has spyware, which poses a risk to your privacy and personal security. But what exactly is spyware?

This type of malware, often presented as a trustworthy mobile application, has the potential to steal your data, track your whereabouts, record conversations, monitor your social media activity, take screenshots of your activities, and more. It could end up on your phone through phishing, a fake mobile application, or a once-trustworthy app that was updated over the air to become an information thief.

Types of malware

Nuisanceware

Legitimate apps are frequently bundled with nuisanceware. It modifies your homepage or search engine settings, interrupts your web browsing with pop-ups, and may collect your browsing information to sell to networks and advertising agencies.

Nuisanceware is typically not harmful or a threat to your fundamental security, although it is regarded as malvertising. Rather, many such packages focus on generating revenue by persuading users to view or click on advertisements.

Generic mobile spyware

Additionally, there is generic mobile spyware. These types of malware collect information from the operating system and clipboard, along with potentially valuable items such as account credentials or bitcoin wallet data. This spyware isn't always targeted; it may be delivered through spray-and-pray phishing attempts.

Stalkerware

More advanced spyware, as opposed to simple spyware, is sometimes referred to as stalkerware. This software, which is unethical and frequently harmful, is occasionally found on desktop computers but is increasingly being installed on phones.

The infamous Pegasus

Lastly, there is government-grade commercial spyware. One of the best-known variants is Pegasus, which is sold to governments as a tool for law enforcement and counterterrorism.

Pegasus has been discovered on smartphones owned by lawyers, journalists, activists, and political dissidents. Commercial-grade spyware is unlikely to affect you unless you belong to a group that governments with questionable ethics are particularly interested in, because it is expensive and requires careful victim selection and targeting.

How to know if spyware is on your phone?

There are signs that you may be the target of a spyware or stalkerware operator.

Receiving strange or unexpected emails or messages on social media could be a sign of a spyware infection attempt. You should remove these without downloading any files or clicking any links.

US Judge Permanently Bans NSO Group from Targeting WhatsApp Users

 

A U.S. federal judge has issued a permanent injunction barring Israeli spyware maker NSO Group from targeting WhatsApp users with its notorious Pegasus spyware, marking a landmark victory for Meta following years of litigation. 

The decision, handed down by Judge Phyllis J. Hamilton in the Northern District of California, concludes a legal battle that began in 2019, when Meta (the parent company of WhatsApp) sued NSO after discovering that about 1,400 users—including journalists, human rights activists, lawyers, political dissidents, diplomats, and government officials—had been surreptitiously targeted through “zero-click” Pegasus exploits.

The court found that NSO had reverse-engineered WhatsApp’s code and repeatedly updated its spyware to evade detection and security fixes, causing what the judge described as “irreparable harm” and undermining WhatsApp’s core promise of privacy and end-to-end encryption. The injunction prohibits NSO not only from targeting WhatsApp users but also from accessing or assisting others in accessing WhatsApp’s infrastructure, and further requires NSO to erase any data gathered from targeted users.

This victory for Meta was significant, but the court also reduced the previously awarded damages from $168 million to just $4 million, finding the original punitive sum excessive despite NSO’s egregious conduct. Nevertheless, the ruling sets a precedent for how U.S. tech companies can use the courts to combat mercenary spyware operations and commercial surveillance firms that compromise user privacy.

NSO Group argued that the permanent ban could “drive the company out of business,” pointing out that Pegasus is its flagship product used by governments ostensibly for fighting crime and terrorism. An NSO spokesperson claimed the ruling would not impact existing government customers, but Meta and digital rights advocates insist this bans NSO from ever targeting WhatsApp and holds them accountable for civil society surveillance.

The case highlights the ongoing tension between tech giants and commercial spyware vendors and signals a new willingness by courts to intervene to protect user privacy against advanced cyber-surveillance tools.

Zero-click Exploit AI Flaws to Hack Systems


What if machines, not humans, become the centre of cyber-warfare? Imagine your device being hijacked without you opening a link, downloading a file, or even knowing the hack happened. This is a real threat known as zero-click attacks, a covert and dangerous type of cyber attack that abuses software bugs to compromise systems without any user interaction.

The threat

These attacks have relied on spyware such as Pegasus and the AI-driven EchoLeak, and have shown their power to compromise millions of systems, critical devices, and sensitive information. With the surge of AI agents, the risk is now higher. AI-driven streamlining of work and increased productivity have become a lucrative target for exploitation, widening both the scale and the tactics of breaches.

IBM technology explained how the combination of AI systems and zero-click flaws has reshaped the cybersecurity landscape. “Cybercriminals are increasingly adopting stealthy tactics and prioritizing data theft over encryption and exploiting identities at scale. A surge in phishing emails delivering infostealer malware and credential phishing is fueling this trend—and may be attributed to attackers leveraging AI to scale distribution,” said the IBM report.

A few risks of autonomous AI are highlighted, such as:

  • Threat of prompt injection 
  • Need for an AI firewall
  • Gaps in addressing the challenges due to AI-driven tech

About Zero-click attacks

These attacks do not need user interaction, unlike traditional cyberattacks that rely on social engineering campaigns or phishing. Zero-click attacks exploit flaws in communication protocols or software to gain unauthorized entry into systems.

EchoLeak: An AI-based attack that manipulates AI systems to extract sensitive information.

Stagefright: A flaw in Android devices that allows hackers to install malicious code via multimedia messages (MMS), affecting millions of devices.

Pegasus: Spyware that compromises devices through apps such as iMessage and WhatsApp; it conducts surveillance, gains unauthorized access to sensitive data, and facilitates data theft.

How to stay safe?

According to IBM, “Despite the magnitude of these challenges, we found that most organizations still don’t have a cyber crisis plan or playbooks for scenarios that require swift responses.” To stay safe, IBM suggests “quick, decisive action to counteract the faster pace with which threat actors, increasingly aided by AI, conduct attacks, exfiltrate data, and exploit vulnerabilities.”