David Blanc
@speekha.bsky.social
Mobile Security Expert at BPCE-SI. Former #Android lead developer. Definite Kotlin lover. Author of HttpMocker.
Reposted by David Blanc
Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Apple Devices
thehackernews.com
February 12, 2026 at 7:26 AM
Reposted by David Blanc
Ouch, looks like 42% of all Android devices are running a version that is outdated and no longer receives patches. And only 7.5% are on the current release.

9to5google.com/2026/01/30/a...
Android 16 is on 7.5% of devices in latest distribution numbers update
Google has updated Android’s distribution numbers again, this time revealing that Android 16 is already on 7.5% of devices, with...
9to5google.com
February 10, 2026 at 10:29 AM
Reposted by David Blanc
Malicious App on The Google Play with 50K+ Downloads Deploy Anatsa Banking Malware
A dangerous banking malware called Anatsa has been discovered spreading through the Google Play Store, reaching more than fifty thousand downloads before detection. The malicious application was cleverly hidden as a document reader, making it appear harmless to unsuspecting users searching for legitimate file management tools. This discovery highlights how cybercriminals continue to exploit official app stores as distribution channels for sophisticated financial threats targeting Android users worldwide.

The Anatsa banking trojan is particularly concerning because it specifically targets banking credentials and sensitive financial information from infected devices. The malware operates as an installer that downloads and deploys the full Anatsa banking trojan payload once the initial application gains access to a device. Users who downloaded and installed this fake document reader application unknowingly gave the malware permission to operate with elevated access, creating a gateway for financial theft and personal data extraction.

The distribution method through Google’s official marketplace made this attack particularly effective, as users typically trust applications found on authorized platforms. This represents a significant breach in app store security screening processes, demonstrating how malicious developers continue to evade detection systems.

Zscaler ThreatLabz analysts identified this malicious application and immediately began tracking its distribution network and associated command-and-control infrastructure. The security researchers confirmed the malware’s connection to banking theft operations and provided detailed technical indicators to help other security teams detect infected devices.

ThreatLabz has identified another malicious app on the Google Play Store disguised as a document reader. The app currently has over 50K downloads and serves as an installer for the Anatsa banking trojan. IOCs below: Google Play URL:… pic.twitter.com/fAuREdKiQF
— Zscaler ThreatLabz (@Threatlabz) February 2, 2026

Their investigation revealed the attack chain and documented how the malware communicates with external servers to receive commands and exfiltrate stolen banking information.

Analyzing the Malware’s Infection and Communication Mechanism

Understanding how Anatsa establishes persistence on infected Android devices is crucial for users and security professionals seeking to prevent compromise. Once installed, the banking trojan integrates itself into the operating system and actively monitors user activity, particularly focusing on banking application interactions. When users open their banking applications or enter financial credentials, the malware captures this sensitive information through overlay attacks and credential logging techniques.

The malware then communicates with command-and-control servers located at specific IP addresses, transmitting stolen banking details directly to threat actors. This direct connection to attacker-controlled infrastructure means compromised devices remain under active threat actor control, continuously feeding banking information and session tokens to criminal operations.

Security researchers recommend users immediately remove any suspicious document reader applications, verify app authenticity through official channels, and enable multi-factor authentication on all banking accounts to mitigate potential compromise risks.
cybersecuritynews.com
February 3, 2026 at 7:35 AM
Reposted by David Blanc
Fake apps, NFC skimming attacks, and other Android issues in 2026 | Kaspersky official blog
Fake apps, NFC skimming attacks, and other Android issues in 2026
How to safely use Android devices in the face of 2026's new security threats
www.kaspersky.co.uk
January 27, 2026 at 9:03 PM
Reposted by David Blanc
experienced engineers: one change, test, one change, test
junior engineers: batch everything because they're in a hurry
this is exactly backwards
the person least capable of batching is the one most likely to batch
January 28, 2026 at 1:33 AM
Reposted by David Blanc
New AI-Android Malware that Auto Clicks Ads from the Infected Devices
A dangerous Android malware campaign has emerged, targeting users through mobile games and pirated streaming app modifications. The threat, known as Android.Phantom, employs machine learning technology to perform automated ad-click fraud on infected smartphones. Over 155,000 downloads of compromised games have been recorded, with additional infections spreading through modified versions of Spotify, YouTube, Netflix, and Deezer across unofficial platforms.

[Image: Spotify Plus website (Source – Dr.Web)]

The malware propagates through several channels, including the official GetApps store for Xiaomi devices, where six infected games from developer SHENZHEN RUIREN NETWORK CO., LTD. were discovered. These apps initially launched without malicious code, but updates released in late September introduced the Android.Phantom trojan.

[Image: GetApps distributing Trojans (Source – Dr.Web)]

Distribution extends beyond official stores to dedicated modding websites, Telegram channels attracting tens of thousands of subscribers, and Discord servers where administrators actively promote infected downloads.

Dr.Web researchers noted that Android.Phantom operates using two distinct modes called phantom and signaling. The malware connects to attacker-controlled command servers that dictate its behavior patterns. Its sophisticated design incorporates TensorFlowJS, a machine learning framework that enables intelligent identification and automated clicking of advertising elements displayed within hidden browsers running on infected devices.

The threat consists of multiple interconnected components. Android.Phantom.2.origin serves as the primary variant, later enhanced by Android.Phantom.5, which functions as a dropper delivering remote code loaders. These loaders retrieve additional click-fraud modules designed for specific advertising platforms.

How the Machine Learning Attack Works

The phantom mode represents the malware’s most advanced capability, utilizing artificial intelligence for fraudulent ad interactions. Android.Phantom.2.origin deploys a hidden browser based on WebView widget technology, loading target websites as directed by command servers.

[Image: Spotify X with approximately 24,000 subscribers (Source – Dr.Web)]

The malware then injects JavaScript automation scripts alongside the TensorFlowJS framework. An AI model downloaded from external servers analyzes webpage screenshots captured from a virtual screen, identifying clickable advertisement components. This intelligent approach mimics genuine user behavior, making fraudulent clicks harder for advertising networks to detect compared to basic automated scripts.
cybersecuritynews.com
January 22, 2026 at 8:45 AM
Reposted by David Blanc
"AI amplifies developer capability. It doesn’t replace the need for people who understand both the problem domain and the technical landscape."

www.caimito.net/en/blog/2025...
Why We've Tried to Replace Developers Every Decade Since 1969
Every decade brings new promises: this time, we'll finally make software development simple enough that we won't need so many developers. From COBOL to AI, the pattern repeats. Business leaders gro...
www.caimito.net
January 22, 2026 at 9:03 AM
Reposted by David Blanc
Upgrading requires a restart, which makes this a win-win: you get the latest protections, and any memory-resident malware is flushed at the same time.
Why iPhone users should update and restart their devices now
Apple has confirmed active exploitation, but full protections are limited to iPhones running iOS 26+ (yes, the one with Liquid Glass).
bit.ly
January 13, 2026 at 2:19 PM
Reposted by David Blanc
Vietnamese banks will be required to disable their mobile banking apps on rooted devices starting in March

Mobile apps will also be disabled if a debugger is attached to the device

www.vietnam.vn/en/may-andro...
Android phones imported from abroad will have difficulty running banking apps starting March 1st.
The new regulations will directly impact jailbroken iPhones and imported Android phones that have been tampered with to install Vietnamese language support or remove unwanted apps.
www.vietnam.vn
January 13, 2026 at 2:56 PM
Reposted by David Blanc
📣⚠️ New Q4 2025 malware report reveals a rise in Android banking trojans, resurgence of Joker malware on Google Play, and widespread use of backdoored apps.

Read: hackread.com/q4-2025-malw...

#CyberSecurity #Android #Malware #MobileThreats #Trojan
Q4 2025 Malware Trends: Telegram Backdoor, Banking Trojans Surge, Joker Returns to Google Play
hackread.com
January 13, 2026 at 12:42 PM
Reposted by David Blanc
Watch out as the Astaroth banking Trojan is now spreading via #WhatsApp messages in a Brazil-focused campaign, using friendly-looking ZIP files to auto-infect contacts and steal banking credentials and data.

Read: hackread.com/astaroth-ban...

#Astaroth #Malware #Cybersecurity #Banking #Brazil
Astaroth Banking Trojan Targets Brazilians via WhatsApp Messages
hackread.com
January 8, 2026 at 9:17 PM
Reposted by David Blanc
WhatsApp Vulnerabilities Leaks User’s Metadata Including Device’s Operating System
cybersecuritynews.com
January 5, 2026 at 5:15 PM
Reposted by David Blanc
Kimwolf Android Botnet Infects Over 2 Million Devices via Exposed ADB and Proxy Networks
thehackernews.com
January 5, 2026 at 5:55 PM
Reposted by David Blanc
Mobile devices are the main gateway to our money, identity, and personal lives. And with mobile users 39% more likely to click a link on their phone than on their laptop, protecting your device is more important than ever.

Learn more in our Android threat report.
https://bit.ly/4pLuoOq
December 17, 2025 at 2:55 PM
Reposted by David Blanc
Threat actors are abusing the legitimate device-linking feature to hijack WhatsApp accounts via pairing codes in a campaign dubbed GhostPairing.
WhatsApp device linking abused in account hijacking attacks
www.bleepingcomputer.com
December 17, 2025 at 7:14 PM
Reposted by David Blanc
'Cellik' Android RAT Leverages Google Play Store
The remote access Trojan lets an attacker remotely control a victim's phone and can generate malicious apps from inside the Play Store.
www.darkreading.com
December 17, 2025 at 10:06 PM
Reposted by David Blanc
Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App
thehackernews.com
December 18, 2025 at 9:38 AM
Reposted by David Blanc
New Android Malware Mimic as mParivahan and e-Challan Attacking Android Users to Steal Login Credentials
cybersecuritynews.com
December 15, 2025 at 2:31 PM
Reposted by David Blanc
Apple 0-Day Vulnerabilities Exploited in Sophisticated Attacks Targeting iPhone Users
cybersecuritynews.com
December 13, 2025 at 2:54 AM
Reposted by David Blanc
New DroidLock malware locks Android devices and demands a ransom
A new Android malware called DroidLock has emerged with capabilities to lock screens for ransom payments, erase data, access text messages, call logs, contacts, and audio data.
www.bleepingcomputer.com
December 10, 2025 at 10:35 PM
Reposted by David Blanc
Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features
thehackernews.com
December 8, 2025 at 11:33 AM
Reposted by David Blanc
Malicious Document Reader App in Google Play With 50K Downloads Installs Anatsa Malware
cybersecuritynews.com
December 8, 2025 at 5:49 PM
Reposted by David Blanc
Google has released the December 2025 Android security bulletin, addressing 107 vulnerabilities, including two flaws actively exploited in targeted attacks.
Google fixes two Android zero days exploited in attacks, 107 flaws
www.bleepingcomputer.com
December 2, 2025 at 2:37 PM