In case you weren’t aware, Apple devices around you are constantly scanning for AirTags. Now, imagine you’re carrying your laptop around – no WiFi connectivity, but BLE’s on as usual, and there’s a little bit of hostile code running at user privileges, say, a third-party app. Turns out, it’d be possible to make your laptop or phone pretend to be a lost AirTag – making it and you trackable whenever an iPhone is around.

Thenroottag website isn’t big on details, but the paper ought to detail more; the hack does require a bit of GPU firepower, but nothing too out of the ordinary. The specific vulnerabilities making this possible have been patched in newer iOS and MacOS versions, but it’s still possible to pull off as long as an outdated-firmware Apple device is nearby!

Of course, local code execution is often considered a game over, but it’s pretty funny that you can do this while making use of the Apple AirTag infrastructure, relatively unprivileged, and, exfiltrate location data without any data connectivity whatsoever, all as long as an iPhone is nearby. You might also be able to exflitrate other data, for what it’s worth – here’s how you can use AirTag infrastructure to track new letter arrivals in your mailbox!

hackaday.com/2025/03/03/hijack…

Want to make your own air knife to cut things with? Unfortunately that’s not what these devices are intended for, but [This Old Tony] will show you how to make your own, while explaining what they are generally intended for. His version deviates from the commercial version which he got his hands on in that he makes a round version instead of the straight one, but the concept is the same.

In short, an air knife is a laminar pressurized airflow device that provides a very strong and narrow air pattern, using either compressed air or that from a blower. Generally air knives will use the Coandă effect to keep the laminar flow attached to the device for as long as possible to multiply the air pressure above that from the laminar flow from the air knife itself. These are commonly used for cleaning debris and dust off surfaces in e.g. production lines.

As [Tony] shows in the disassembly of a commercial device, they are quite basic, with just two aluminium plates and a thin shim that creates the narrow opening through which the air can escape. The keyword here is ‘thin shim’, as [Tony] discovers that even a paper shim is too thick already. Amusingly, although he makes a working round air knife this way, it turns out that these are generally called an air amplifier, such as those from Exair and are often used for cooling and ventilation, with some having an adjustable opening to adjust the resulting airflow.

Some may recognize this principle for those fancy ‘bladeless’ fans that companies like Dyson sell, as they use essentially the same principle, just with a fan providing the pressure rather than a compressor.

youtube.com/embed/-lkgAYe-8_s?…

hackaday.com/2025/03/03/make-y…

Some of our devices look like they’re straight out of hacker movies. For instance, how about a small board you plant behind an RFID reader, collecting access card data and then replaying it when you next walk up the door? [Jakub Kramarz] brings us perhaps the best design on the DIY market, called The Tick – simple, flexible, cheap, tiny, and fully open-source.

Take off the reader, tap into the relevant wires and power pins (up to 25V input), and just leave the board there. It can do BLE or WiFi – over WiFi, you get a nice web UI showing you the data collected so far, and letting you send arbitrary data. It can do Wiegand like quite a few open-source projects, but it can also do arbitrary clock+data protocols, plus you can just wire it up quickly, and it will figure out the encoding.

We could imagine such a board inside a Cyberpunk DnD rulebook or used in Mr Robot as a plot point, except that this one is real and you can use it today for red teaming and security purposes. Not to say all applications would be NSA-catalog-adjacent pentesting – you could use such a bug to reverse-engineer your own garage door opener, for one.

hackaday.com/2025/03/03/heres-…

A team from the University of Chicago brings us a new spin on sensory substitution, the “Seeing with the Hands” project, turning external environment input into sensations. Here specifically, the focus is on substituting vision into hand sensations, aimed at blind and vision disabled. The prototype is quite inspiration-worthy!

On the input side, we have a wrist-mounted camera, sprinkled with a healthy amount of image processing, of course. As for the output, no vibromotors or actuators are in use – instead, tactile receptors are stimulated by passing small amounts of current through your skin, triggering your touch receptors electrically. An 8×8 array of such “tactile” pixels is placed on the back of the hand and fingers. The examples provided show it to be a decent substitution.

This technique depends on the type of image processing being used, as well as the “resolution” of the pixels, but it’s a fun concept nevertheless, and the study preprint has some great stories to tell. This one’s far from the first sensory substitution devices we’ve covered, though, as quite a few of them were mechanical in nature – the less moving parts, the better, we reckon!

hackaday.com/2025/03/03/sensor…

Il servizio di monitoraggio della fuga di dati e del darknet russo DLBI, ha pubblicato i risultati di uno studio annuale sulle password più diffuse tra gli utenti di Internet. L’analisi ha esaminato 6,1 miliardi di account univoci, che includevano combinazioni di e-mail e password. Di questi, 581 milioni di record erano nuovi e derivanti da violazioni dei dati avvenute nel 2024.

La ricerca si è basata su informazioni provenienti da diverse fonti, tra cui comunità specializzate nel recupero password come hashmob.net, forum underground e canali Telegram in cui vengono pubblicate pubblicamente fughe di notizie di massa.

Durante l’analisi, gli specialisti DLBI hanno ripulito i dati da “spazzatura” (voci vuote e duplicate), identificato e squalificato le password generate automaticamente (quelle impostate non dagli utenti, ma dai servizi stessi) e anche eliminato in massa i dati dalle registrazioni automatiche (quando gli account su un particolare servizio vengono creati da bot).

Al momento dello studio, il database delle password conteneva:

• 6.096.942.482 password (nel 2023 – 5.515.274.144);
• 1.002.356.792 password composte solo da numeri (nel 2023 – 936.807.451);
• 1.475.931.700 password che includono solo lettere (nel 2023 – 1.411.851.189);
• 338.243.604 password contenenti lettere, numeri e caratteri speciali (nel 2023 – 206.838.387);
• 4.042.522.694 password con una lunghezza pari o superiore a otto caratteri (nel 2023 – 3.564.893.775);
• 1.122.100.566 password più lunghe di dieci caratteri (nel 2023 – 915.865.308);
• 1.257.043.342 password lunghe meno di sette caratteri (nel 2023 – 1.184.534.934).

La classifica delle 25 password più diffuse non è cambiata durante l’intero periodo di ricerca. Tra questi ci sono “123456”, “123456789”, “qwerty123”, “12345”, “qwerty”, “qwerty1”, “password”, “12345678”, “111111” e “1q2w3e”.

Tuttavia, l’elenco delle password più diffuse trapelate nel 2024 differisce dalla classifica generale. Tra i primi dieci più comuni troviamo:

1. “123456” (leadership mantenuta);
2. “12345678” (in crescita rispetto al quarto posto del 2023);
3. “123456789” (sceso dal secondo posto nel 2023);
4. “Password” (novità nella classifica);
5. “1234” (nuova password);
6. “12345” (ha mantenuto la quinta posizione nel 2023);
7. “1234567890” (rimasto al settimo posto);
8. “1234567” (nuova password);
9. “password” (nuova password);
10. “102030” (nuova password).

Tuttavia, si sono riscontrati notevoli cambiamenti tra le password trapelate nel 2024. I primi 10 includevano:

1. “123456” (rimasto al primo posto);
2. “1221123456” (nuova password);
3. “12345” (in crescita rispetto al quinto posto del 2023);
4. “12345678” (occupava la quarta posizione);
5. “123456789” (nuova password);
6. “123” (nuova password);
7. “1234” (nuova password);
8. “qwerty” (ha mantenuto l’ottavo posto nel 2023);
9. “1234567890” (classificato al decimo posto nel 2023);
10. “1234567” (nuova password).

Inoltre, lo studio ha incluso un’analisi delle password cirilliche. I più popolari sono rimasti invariati durante l’intero periodo di ricerca: “ytsuken”, “password”, “love”, “hello”, “natasha”, “maxim”, “marina”, “love”, “andrey” e “kristina”. La classifica delle password cirilliche trapelate nel 2024 includeva:

1. “Ytsuken” (ha mantenuto il primo posto);
2. “password” (spostato dal terzo posto);
3. “rendezvous” (nuova password);
4. “Ciao” (salito dal sesto posto);
5. “123°” (risalito dal settimo posto);
6. “Password” (nuova password);
7. “Marina” (rimasta all’ottava posizione);
8. “1234йцук” (nuova password);
9. “1й2ц3у4к” (nuova password);
10. “12345йцке” (nuova password).

DLBI ha osservato che nel 2024 la società ha analizzato 6,7 miliardi di nuovi account non univoci, corrispondenti a 581 milioni di account univoci, mentre l’anno scorso è riuscita ad analizzare solo 200 milioni di account non univoci (44 milioni di account univoci).

Gli esperti dell’azienda sottolineano che l’aumento del numero di fughe di dati è legato sia alla crescita complessiva dei loro volumi, sia allo sviluppo del mercato dei cosiddetti “infostealer”, programmi progettati per rubare le password salvate dagli utenti. Questi dati vengono poi venduti o resi pubblici. In precedenza, tali programmi non venivano utilizzati nel segmento russo della rete, ma con l’inizio del conflitto informatico con gli hacktivisti ucraini, hanno iniziato a essere ampiamente utilizzati per attacchi agli utenti finali.

Un’altra tendenza, secondo gli esperti, è la semplificazione delle password e la riduzione della percentuale di combinazioni contenenti lettere. La presenza di password rubate, ottenute tramite “stealer”, indica problemi di sicurezza più gravi di quanto si pensasse in precedenza.

L'articolo Se la tua Password è “123456”, Cambia lavoro! Ecco una nuova lista delle più hackerate! proviene da il blog della sicurezza informatica.

Join us on Wednesday, March 5 at noon Pacific for the Deep Space DX Hack Chat with David Prutchi!

In the past 70-odd years, the world’s space-faring nations have flung a considerable amount of hardware out into the Void. Most of it has fallen back into Earth’s gravity well, and a lot of what remains is long past its best-by date, systems silenced by time and the harsh conditions that rendered these jewels of engineering into little more than space flotsam.

Luckily, though, there are still a few spacecraft plying the lonely spaces between the planets and even beyond that still have active radios, and while their signals may be faint, we can still hear them. True, many of them are reachable only using immense dish antennas.

Not every deep-space probe needs the resources of a nation-state to be snooped on, though. David Prutchi has been listening to them for years using a relatively modest backyard antenna farm and a lot of hard-won experience. He’s been able to bag some serious DX, everything from rovers on Mars to probes orbiting Jupiter. If you’ve ever wanted to give deep space DX a try, here’s your chance to get off on the right foot.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, March 5 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.

hackaday.com/2025/03/03/deep-s…

The 12VHPWR connector is a hot topic once again – Nvidia has really let us down on this one. New 5080 and 500 GPUs come with this connector, and they’re once again fire-prone. Well, what if you’re stuck with a newly-built 5080, unwilling to give it up, still hoping to play the newest games or run LLMs locally? [Timo Birnschein] has a simple watchdog solution for you, and it’s super easy to build.

All it takes is an Arduino, three resistors, and three thermistors. Place the thermistors onto the connector’s problematic spots, download the companion software from GitHub, and plug the Arduino into your PC. If a temperature anomaly is detected, like one of the thermistors approaching 100C, the Arduino will simply shut down your PC. The software also includes a tray icon, temperature graphing, and stability features. All is open-source — breadboard it, flash it. You can even add more thermistors to the mix if you’d like!

This hack certainly doesn’t just help protect you from Nvidia’s latest creation – it can help you watch over any sort of potentially hot mod, and it’s very easy to build. Want to watch over connectors on your 3D printer? Build one of these! We’ve seen 12VHPWR have plenty of problems in the past on Nvidia’s cards – it looks like there are quite a few lessons Nvidia is yet to learn.

hackaday.com/2025/03/03/12vhpw…

Have you been to FOSDEM? It’s a yearly two-day megaconference in Brussels, every first weekend of February. Thousands of software and hardware hackers from all across Europe come here each year, make friends, talk software and hardware alike, hold project-specific meetups to drink beer and talk shop, and just have a fun weekend surrounded by like-minded people.

In particular, FOSDEM has free admission – drop by for the weekend, no need to buy entry tickets, just sort out your accomodation, food, travel, and visit for a day or two. I’ve covered FOSDEM quite extensively in 2023, so if you want to know more about how it works, I invite you to check out that article – plenty of stories, cool facts about FOSDEM, showcases, and so on. This year, I’ve also been to FOSDEM, it’s been pretty great, and I’d like to tell you about cool things I’ve seen happen during FOSDEM 2025.

FOSDEM is often described as an open software conference, and you might’ve had been fooled by this if you simply have checked the Wikipedia page. However, let me assure you – there’s always plenty of hardware, large amounts of it! This year, I feel like hardware has taken the spotlight in particular – let me show you at least some of it, so that you know what kinds of cool stuff you can expect and plan for in 2026.

Even Software Was Hardware

Really, the kinds of software FOSDEM hosts, can’t exist without a healthy dose of hardware. Yes, there was no shortage of purely software-specific stands – if you wanted a Debian t-shirt, some Fedora or Jenkins stickers, or a selfie with the Postgresql elephant, they were always at an arm’s reach. Pure software was a surprisingly small part of FOSDEM this year, and I have some theories about it.

This year, it felt like half of all stands were hardware-based, hardware-related, or hardware-dependent in one way or another. First off, of course, hardware is flashy, it makes for effective demos. For instance, if you wanted to drop by, you’d find a Jenkins cluster running on a gaggle of SBCs mounted to a 3D-printed frame – a new and vastly improved build from the version we’ve covered in 2023!

A number of project stands – PostmarketOS, CalyxOS, FuriLabs, – had desks full of smartphones demoing their phone OS offerings. You’d see SteamDecks being used as software demo machines, the FreeCAD table had a laptop running the newest FreeCAD install you could poke and probe (with even a surprise MNT Reform appearance), SBCs common and obscure running demo playback and presentations – making the software world tangible.

Really, if you’re demoing an open-source smart home system, like OpenHAB did, what’s better than bringing a smart-home-in-a-briefcase? And if you’re bringing an open-source game engine, what’s better than demoing it on a SteamDeck? Software has the disadvantage of being quite intangible, and hardware “grounds” it enough that anyone can interact it, conveying code as colours, shapes, and objects in the real world – which is perfect if what you’re starting with is a Git repository, and what you need to create is a conference table people would be interested in.

And Hardware Was Extra Hardware

Of course, we’ve met the usual open-source suspects of the hardware world, too. KiCad and FreeCAD split a table this year. They had logos familiar enough to the crowd that they really didn’t need extra hardware to stand out – instead, they brought merch and stickers. Nevertheless, on the FreeCAD-KiCad split of the table, you’d find a guest exhibit from the Libre Space Foundation, a model of the Picobus V2 satellite launching system, which was incidentally designed with help of both FreeCAD and KiCad.

Next to them, you’d find MicroPython, Espruino, and TinyGo, all promoting high-level languages for microcontrollers, for those of us unemburdened by obligations of memory safety and static typing. In the H building, OpenFlexure had a desk all to themselves, and a Prusa printer was helping them crank out designs to be immediately demoed. Sadly, this year, Pine64 stand was missing – but Pine64 folks could still be found around!

One thing you’d see a ton this year? LoRa, in all forms. Of course, there was the Meshtastic table, with plenty of stickers and demo devices alike, but you’d also regularly find LoRa-equipped devices on tables. This wasn’t the only form of wireless tech, either – the AW building had desks with SDR setups, plenty of HAM tech, and outside on the grass, a group of hackers with radio equipment and a dish antenna setup.

I’ve seen a couple tables being crashed with cool tech, too! For instance, you could meet [arturo182] and his creations (including a hacker-friendly keyboard module series) on Saturday in the AW building, taking up part of the TinyGo table – not scheduled, but definitely most welcome! On one of the desks in the K building, you could find two MNT Reform demo units, one full-sized and one Pocket, on the Genode table – unsurprisingly, there was always a crowd around that table, so if you didn’t notice it, that’s why!

One more recommendation, which doesn’t apply just to FOSDEM – you might want to get a FOSSAsia LED matrix name badge. Nowadays, I tend to go to events in friend groups, and I’ve been surprised how many my friends have gotten themselves the FOSSAsia name badges – the FOSSAsia community is a mainstay at tech events in Europe, so if you’re visiting one and you see these badges around, just look for the FOSSAsia desk to get one. These badges are respectably flashy — you pick the colour! — great for meeting new people in the crowds, and quite cheap! I’ve also learned that FOSSAsia have been improving the badge’s firmware over the years – as far as I can tell, if you’ve ever bought a nametag from FOSSAsia, simply update its firmware with help of your smartphone, and get a number of new features.

Eagerly Awaiting FOSDEM 26

There’s always more to FOSDEM, but this year, I’d like to simply show you all the hardware there was to see. Want to learn more? Check back to the FOSDEM 23 coverage, detailing how FOSDEM operates, talking about their volunteer-rooted structure, the principles and tricks FOSDEM uses to keep the open software world ever so closer together, or perhaps the impressive video recording infrastructure making sure that talks are livestreamed dutifully and published nigh-instantly… Plenty to learn about FOSDEM’s MO! Apart from that, FreeCAD, PostmarketOS, Meshtastic and a good few open-source orgs have made post-FOSDEM blog posts, check them out if you’d like to hear how FOSDEM and your favourite projects meshed together.

FOSDEM is undoubtedly the time and place to celebrate open software in Europe, and at the same time, it’s also a super friendly spot for those of us of Hackaday upbringing. If you’re looking for somewhere to go next February, as a hardware hacker, my understanding is that you won’t be disappointed!

L’orchestra sinfonica di Houston è diventato una vittima del gruppo degli hacker Qilin. Le informazioni sull’attacco informatico sono apparse sul sito web del gruppo. Gli estorsori hanno indicato una scadenza per il riscatto e un contatto TOX per le trattative.

Gli hacker affermano di aver rubato più di 300 GB di dati dell’orchestra e intendono pubblicarli il 5 marzo 2025, lo stesso giorno Scade l’ultimatum per Lee Enterprises. Qilin afferma che i dati rubati includono i resoconti di bilancio dell’orchestra per ottobre 2024, documenti finanziari per maggio 2024 e un piano di sviluppo strategico fino al 2030.

Tra i campioni pubblicati sono inclusi anche elenchi di amministratori fiduciari e membri del consiglio di amministrazione con informazioni personali, tra cui indirizzi, numeri di telefono e indirizzi e-mail. Non è ancora chiaro se i file rubati contengano informazioni finanziarie o personali sui musicisti, sullo staff e sui possessori dei biglietti. L’orchestra non ha ancora commentato la situazione e gli ulteriori sviluppi restano incerti.

Poco dopo la pubblicazione, il post è scomparso dall’elenco sul sito web del gruppo (come riportato da cybernews). Ciò potrebbe indicare che l’organizzazione è entrata in contatto con criminali informatici e potrebbe essere in trattativa per un riscatto in cambio dei dati.

Fondata nel 1913, la Houston Symphony Orchestra è una delle più antiche organizzazioni musicali degli Stati Uniti. L’ensemble è composto da 60 musicisti professionisti che tengono circa 170 concerti all’anno e si esibiscono in oltre 1.000 eventi in scuole, ospedali, chiese e centri comunitari. Il budget annuale dell’orchestra è di circa 28,8 milioni di dollari e la sala concerti può ospitare fino a 2.900 persone, attirando circa 400.000 spettatori ogni anno.

L'articolo Concerto per Ransomware e Orchestra! Qilin Ruba 300 GB di Dati alla Houston Symphony proviene da il blog della sicurezza informatica.

Gli utenti hanno scoperto che se chiedono all’assistente Copilot AI se esiste uno script per attivare Windows 11, riceveranno una guida dettagliata con le istruzioni su come attivare il sistema operativo.

La scorsa settimana, un utente di Reddit ha condiviso una evidenza secondo cui se si chiede alla versione gratuita di Copilot “esiste uno script per attivare Windows 11?”, l’assistente AI fornirà all’utente una guida che include uno script dal repository GitHub di Microsoft Activation Scripts (MAS) che può essere utilizzato per attivare gratuitamente il sistema operativo.

Questo metodo di attivazione di Windows e Office non è nuovo ed è noto da diversi anni, ma un simile consiglio da parte dello strumento di intelligenza artificiale di Microsoft è sembrato molto strano agli utenti. Sebbene Copilot abbia ricordato che “l’utilizzo di metodi di attivazione non autorizzati potrebbe violare i termini di servizio di Microsoft”.

È opportuno sottolineare che gli strumenti del gruppo di cracker Massgrave sono posizionati come open source e che i file del progetto Microsoft Activation Scripts sono disponibili da parecchio tempo su GitHub, che appartiene a Microsoft. Allo stesso tempo, l’azienda non intraprende alcuna azione contro i cracker.

Vale anche la pena notare che di recente un ex dipendente dell’azienda ha affermato che a Microsoft non importa molto della pirateria perché “Microsoft vuole che tu usi Windows 11 perché il prodotto sei tu”.

Tuttavia, dopo che la notizia dello strano comportamento di Copilot si è diffusa attraverso i media e i social network, Microsoft ha chiuso questa falla.

Ora se chiedi a Copilot degli script per l’attivazione di Windows, l’assistente AI risponderà quanto segue: “Non posso aiutarti. L’attivazione di Windows 11 tramite script non autorizzati è illegale e viola i termini di servizio di Microsoft. Si consiglia di utilizzare metodi legittimi per attivare il software, per assicurarsi di ricevere aggiornamenti e supporto adeguati.Se hai bisogno di aiuto per l’attivazione di Windows 11, puoi visitare la pagina ufficiale del supporto Microsoft per ricevere assistenza”.

Come notano i giornalisti, ormai ogni tentativo di discutere con Copilot o di convincere l’IA a riconsiderare la sua decisione non produce alcun risultato.

L'articolo Microsoft Copilot fornisce agli utenti HowTo su come attivare Windows proviene da il blog della sicurezza informatica.

Got a Flipper Zero? Ever wanted to use a high-level but powerful scripting language on it? Thanks to [Oliver] we now have a MicroPython application for the Flipper, complete with a library for hardware and software feature support. Load it up, start it up, connect over USB, and you’ve got the ever-so-convenient REPL at your disposal. Or, upload a Python script to your Flipper and run them directly from Flipper’s UI at your convenience!

In the API docs, we’re seeing support for every single primitive you could want – GPIO (including the headers at the top, of course), a healthy library for LCD and LCD backlight control, button handling, SD card support, speaker library for producing tones, ADC and PWM, vibromotor, logging, and even infrared transmit/receive support. Hopefully, we get support for Flipper’s wireless capabilities at some point, too!

Check out the code examples, get the latest release from the Flipper app portal or GitHub, load it up, and play! Mp-flipper has existed for the better half of a year now, so it’s a pretty mature application, and it adds quite a bit to Flipper’s use cases in our world of hardware hacking. Want to develop an app for the Flipper in Python or otherwise? Check out this small-screen UI design toolkit or this editor we’ve featured recently!

hackaday.com/2025/03/03/a-micr…

These statistics are based on detection alerts from Kaspersky products, collected from users who consented to provide statistical data to Kaspersky Security Network. The statistics for previous years may differ from earlier publications due to a data and methodology revision implemented in 2024.

The year in figures

According to Kaspersky Security Network, in 2024:

• A total of 33.3 million attacks involving malware, adware or unwanted mobile software were prevented.
• Adware, the most common mobile threat, accounted for 35% of total detections.
• A total of 1.1 million malicious and potentially unwanted installation packages were detected, almost 69,000 of which associated with mobile banking Trojans.

The year’s trends

In 2024, cybercriminals launched a monthly average of 2.8 million malware, adware or unwanted software attacks targeting mobile devices. In total, Kaspersky products blocked 33,265,112 attacks in 2024.

Attacks on Kaspersky mobile users in 2024 (download)

At the end of 2024, we discovered a new distribution scheme for the Mamont banking Trojan, targeting users of Android devices in Russia. The attackers lured users with a variety of discounted products. The victim had to send a message to place an order. Some time later, the user received a phishing link to download malware disguised as a shipment tracking app.

The phishing link as seen in the chat with the fraudsters

See translation
Your order has shipped.
42609775
Your order tracking code.
You can track your order in the mobile app:
https://.pilpesti573.ru/page/e5d565fdfd7ce
Tracker
To pay for your order AFTER YOU RECEIVE IT, enter your tracking code IN THE APP above and wait for your order details to load. We recommend keeping the app open while you are doing so. Loading the track code may take more than 30 minutes.

In August 2024, researchers at ESET described a new NFC banking scam discovered in the Czech Republic. The scammers employed phishing websites to spread malicious mods of the legitimate app NFCGate. These used a variety of pretexts to persuade the victim to place a bank card next to the back of their phone for an NFC connection. The card details were leaked to the fraudsters who then made small contactless payments or withdrew money at ATMs.

A similar scheme was later spotted in Russia, where malware masqueraded as banking and e-government apps. The SpyNote RAT was occasionally used as the malware dropper and NFC activator.

A screenshot of the fake mobile app

See translation
Hold your card against the NFC contactless payment module for verification.
Ready to scan

Also in 2024, we detected many new preinstalled malicious apps that we assigned the generalized verdict of Trojan.AndroidOS.Adinstall. A further discovery, made in July, was the LinkDoor backdoor, also known as Vo1d, installed on Android-powered TV set-top boxes. It was located inside an infected system application com.google.android.services. The malware was capable of running arbitrary executables and downloading and installing any APKs.

On top of the above, we discovered several apps on Google Play, each containing a malicious SDK implant named “SparkCat”, which began to spread at least as early as March 2024. Infected apps were deleted by the store in February 2025: nevertheless, our telemetry data shows that other apps containing SparkCat are distributed through unofficial sources.

This SDK received a C2 server command with a list of keywords or dictionaries to search the gallery on the device for images to exfiltrate. Our data suggests that the Trojan was aimed at stealing recovery phrases for cryptocurrency wallets of Android users primarily in the UAE, Europe and Asia.

It is worth noting that the same implant for iOS was delivered via the App Store, which makes it the first known OCR malware to sneak into Apple’s official marketplace. Apple removed the infected apps in February 2025.

Mobile threat statistics

We discovered 1,133,329 malicious and potentially unwanted installation packages in 2024. This was below the 2023 figure, but the difference was smaller than the year before. The trend in the number of new unique malware installation packages appears to be plateauing.

Detected Android-specific malware and unwanted software installation packages in 2021–2024 (download)

Detected packages by type

Detected mobile apps by type in 2023 and 2024 (download)

Adware and RiskTool apps continued to dominate the rankings of detected threats by type. The BrowserAd (22.8%), HiddenAd (20.3%) and Adlo (16%) families accounted for the largest number of new installation packages in the former category. RiskTool’s share grew largely due to an increase in the number of Fakapp pornographic apps.

Share* of users attacked by the given type of malware or unwanted software out of all targeted Kaspersky mobile users in 2023–2024 (download)

*The total may exceed 100% if the same users experienced multiple attack types.

Banking Trojans gained three positions as compared with 2023 to occupy fourth place, following the usual leaders: adware, Trojans, and RiskTool.

TOP 20 most frequently detected types of mobile malware

Note that the malware rankings below exclude riskware and potentially unwanted apps, such as adware and RiskTool.

* Share of unique users who encountered this malware as a percentage of all attacked Kaspersky mobile users

Fakemoney, a family of investment and payout scam apps, showed the highest level of activity in 2024. Third-party WhatsApp mods with the Triada.ga embedded Trojan were third, following the generalized cloud-specific verdict of DangerousObject.Multi.Generic. Many other messaging app mods in the same family, namely Triada.fd, Triada.gs, Triada.gn and Triada.gm, hit the TOP 20 too.

Mamont banking Trojans, ranking fourth by number of attacked users, gained high popularity with cybercriminals. These malicious apps come in a multitude of variants. They typically target users’ funds via SMS or USSD requests. One of them spreads under the guise of a parcel tracking app for fake online stores.

Various malware files detected by machine learning technology ranked fifth (Trojan.AndroidOS.Boogr.gsh) and seventh (DangerousObject.AndroidOS.GenericML). They were followed by the Dwphon Trojan that came preinstalled on certain devices. The SpyNote RAT Trojans, which remained active throughout the year, occupied ninth, tenth and twentieth places.

Region-specific malware

This section describes malware types that mostly affected specific countries.

* Country where the malware was most active
* Share of unique users who encountered the malware in the indicated country as a percentage of all Kaspersky mobile security users attacked by the malware

Turkey and India accounted for the majority of region-specific threats in 2024. A variety of banking Trojans continued to be active in Turkey. Piom Trojans were associated with GodFather and BrowBot banker campaigns.

Users in India were attacked by Rewardsteal bankers and a variety of SmsThief SMS spies. Our quarterly reports have covered FakePay utilities widespread in Brazil and designed to defraud sellers by imitating payment transactions.

Mobile banking Trojans

The number of new banking Trojan installation packages dropped again to 68,730 as compared to the previous year.

The number of mobile banking Trojan installation packages detected by Kaspersky in 2021–2024 (download)

The total number of banker attacks increased dramatically over 2023’s level despite the drop in the number of unique installation packages. The trend has persisted for years. This may suggest that scammers began to scale down their efforts to generate unique applications, focusing instead on distributing the same files to a maximum number of victims.

TOP 10 mobile bankers

* Share of unique users who encountered this malware as a percentage of all users of Kaspersky mobile security solutions who encountered banking threats

Conclusion

The number of unique malware and unwanted software installation packages continued to decline year to year in 2024. However, the rate of that decline slowed down. The upward trend in mobile banking Trojan activity persisted despite the years-long decrease in unique installation packages.

Cybercriminals kept trying to sneak malware into official app stores like Google Play, but we also discovered a fair number of diverse preinstalled malicious apps in 2024. Speaking of interesting techniques first spotted last year, the use of NFC for stealing bank card data stands out.

securelist.com/mobile-threat-r…