Mobile malware and phishing campaigns abuse AI branding and Android tooling to steal credentials and surveil victims
Multiple mobile-focused threats were reported spanning Android banking malware, iOS credential-harvesting via App Store listings, and Android espionage via trojanized crisis apps. A new Android banking trojan marketed as Mirax Bot was advertised on underground forums as a Malware-as-a-Service (MaaS) offering, with claimed capabilities including 700+ app injects, Hidden VNC (HVNC) for stealthy remote control, and features positioned for account takeover (ATO) and large-scale financial fraud; researchers noted the feature list is based on seller claims and not yet independently verified. Separately, researchers described PromptSpy, characterized as an Android threat that uses generative-AI techniques to improve phishing and fraud by generating more convincing social-engineering content and automating deceptive interactions on-device.
In parallel, a phishing operation targeted iPhone users by impersonating ChatGPT and Google Gemini in emails that directed victims to fraudulent iOS apps hosted on Apple’s App Store; the apps (including GeminiAI Advertising id6759005662 and Ads GPT id6759514534) presented a fake Facebook login flow to harvest credentials. Another campaign, RedAlert, weaponized a trojanized version of Israel’s “Red Alert” emergency app distributed as RedAlert.apk via SMS phishing (smishing), pushing victims to sideload the APK; analysis reported the app mimicked the legitimate interface while requesting high-risk permissions (e.g., SMS, contacts, precise GPS) consistent with covert surveillance and data theft. A separate Kaspersky post focused on consumer guidance for disabling AI assistants and broader privacy concerns, and does not materially add incident-specific threat intelligence to the mobile malware/phishing reporting.
Timeline
Mar 24, 2026
SpiderLabs uncovers Android fake ChatGPT campaign via Firebase App Distribution
SpiderLabs identified an Android phishing campaign that used Google Firebase App Distribution invitation emails to deliver malicious APKs disguised as beta versions of ChatGPT and Meta advertising tools. The fake apps presented Facebook login pages to steal credentials, especially targeting business and advertising accounts, extending an earlier iOS-focused operation into Android.
Mar 6, 2026
SpiderLabs identifies fake ChatGPT and Gemini apps in Apple's App Store
SpiderLabs identified two fraudulent iOS apps, "GeminiAI Advertising" and "Ads GPT," on the Australian App Store that impersonated OpenAI's ChatGPT and Google's Gemini. The campaign used phishing emails to drive installs, then displayed fake Facebook login screens to steal credentials and send them to attacker-controlled infrastructure.
Mar 6, 2026
PromptSpy Android malware reported using generative AI for phishing
Researchers disclosed a new Android malware family dubbed PromptSpy and described it as the first Android threat observed using generative AI to improve phishing lures, deceptive interactions, and fraud workflows. The report highlighted how AI-assisted social engineering on mobile devices could increase the effectiveness of credential theft and follow-on compromise.
Mar 5, 2026
CloudSEK analyzes RedAlert trojanized rocket alert app campaign
CloudSEK analyzed a mobile espionage campaign dubbed RedAlert that used SMS phishing messages impersonating Israel's Home Front Command to distribute a fake Android emergency alert app outside Google Play. The trojanized app presented a convincing interface while requesting sensitive permissions and exfiltrating SMS, contacts, and location data to attacker infrastructure using a multi-stage infection chain with evasion techniques.
Mar 5, 2026
KrakenLabs flags Mirax Bot MaaS advertisement on underground forums
KrakenLabs reported identifying and flagging an underground forum advertisement for Mirax Bot, a newly promoted Android banking malware offered as a Malware-as-a-Service. The seller claimed features including HVNC access, hundreds of banking overlays, credential and OTP theft, and use of victim devices as residential proxies, though the capabilities were not independently verified.
Related Stories

Mobile Threat Research Highlights iOS Exploit Framework and Emerging Android Trojan Campaigns
Security researchers reported a sophisticated iPhone exploitation framework dubbed **Coruna** that appears to have originated as a professionally developed, likely government-grade capability and later proliferated to foreign espionage and criminal actors. Analyses cited by Google’s Threat Intelligence Group and mobile security firm iVerify describe **five exploit chains** spanning **20+ vulnerabilities** affecting **iOS 13 through 17.2.1**, enabling delivery via malicious web content for device fingerprinting, remote code execution, and bypass of key iOS mitigations; the tool’s apparent usage trail includes alleged deployment by **Russian intelligence against Ukrainian targets** and subsequent adoption by a cybercrime group for cryptocurrency theft. Separate mobile-threat reporting detailed multiple **Android** campaigns and families emphasizing stealth, persistence, and credential theft. CloudSEK described a **RedAlert** trojanized app impersonating Israel’s Home Front Command alerting application, using a **multi-stage APK/DEX loader chain** (including an `assets/` payload) and UI mimicry while coercing high-risk permissions (e.g., Contacts, SMS, Location) and establishing C2. PolySwarm summarized **PromptSpy**, an Android RAT with VNC-based remote control that integrates **Google Gemini** to generate context-aware UI gesture instructions from screen XML dumps to improve persistence across device variants, distributed via a phishing site impersonating a bank portal and assessed as financially motivated (notably targeting Argentina). Zimperium separately profiled **ZeroDayRAT** as a modular Android spyware platform spread via social engineering and sideloading, supporting surveillance and financial theft (e.g., screen capture, keylogging, credential harvesting), underscoring continued escalation in mobile malware sophistication.
1 month ago
Phishing and Smishing Campaigns Delivering Malware via Fake Apps and Trusted-Looking Lures
Multiple reports describe **social-engineering campaigns** that use trusted-looking lures (meeting invites, public-safety alerts, and official-looking documents) to drive victims to install malware or disclose credentials. Microsoft researchers reported a wave of **fake Zoom/Teams/Adobe update sites** reached via meeting-invite and document lures; the downloaded executables were signed with a **compromised EV code-signing certificate** (issued to *TrustConnect Software PTY LTD*) and acted as droppers for **remote monitoring and management (RMM) tools**, enabling persistent access. Separately, ClearSky described a suspected **Russian espionage** phishing operation targeting Ukraine that delivers a ZIP containing a Ukrainian-language border-crossing “permit” document, installing a loader (**BadPaw**) and a backdoor (**MeowMeow**) with file manipulation capabilities and sandbox/VM evasion; attribution was assessed as high confidence to a Russian state-aligned actor and low confidence to **APT28**. Mobile-focused lures were also reported: CloudSEK detailed **SMS phishing** targeting Israeli civilians with a trojanized **Red Alert** rocket-warning app, using a multi-stage loader chain to deploy spyware with **banking trojan** capabilities and exfiltrate **SMS, contacts, and location** to attacker infrastructure—raising concerns about surveillance and erosion of trust in official alerting. Other items in the set are either broader research or consumer-oriented scam advisories: a Zimperium write-up on the Android **“Massiv”** IPTV-app disguise highlights overlay-based banking fraud techniques, while Kaspersky’s mobile threat landscape report provides 2025 ecosystem statistics; two OnlineThreatAlerts posts describe generic **smishing** patterns (Amazon “refund” and flood-warning texts) without tying to a specific, evidenced campaign or new technical findings.
1 month ago
Android Mobile Malware Campaigns Targeting SMS/OTP and Identity Data
Multiple reports highlight evolving **Android** threats that abuse SMS/telephony access and advanced evasion to enable fraud, surveillance, and account takeover. CloudSEK described a shift from repackaged apps to **runtime manipulation** using the *LSPosed* framework, where a malicious module (e.g., **Digital Lutera**) hooks `SmsManager` and `TelephonyManager` to undermine India’s **UPI SIM-binding** controls. The technique can intercept registration tokens and 2FA, spoof device identity/phone number, and exfiltrate data to **Telegram**; it also uses **Socket.IO** for real-time C2 and can remotely inject fabricated SMS entries into the device’s “Sent” database to make bank backends believe a SIM is present on a different device, enabling scalable payment fraud and account takeover. Separately, Acronis TRU (reported by Hackread) identified a **fake Red Alert** rocket-warning app distributed via SMS lures impersonating Israel’s Home Front Command; the trojanized app displays legitimate alerts to reduce suspicion while requesting extensive permissions to steal **GPS location**, **SMS/OTP**, contacts, installed-app inventory, and on-device account details, then exfiltrates data to a remote server, including via **certificate spoofing** and UI tricks to appear Play Store-installed. Zimperium reported a new Android RAT, **SurxRAT**, that can download and run **LLM modules** from third-party repositories to automate phishing and social engineering and to interact with apps/UI for credential theft and data exfiltration, reinforcing the need for behavior-based mobile detection, tighter app controls, and stronger integrity enforcement (e.g., *Play Integrity API* with `MEETS_STRONG_INTEGRITY`) where applicable.
1 month ago
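The Play Integrity mitigation named in the story above, written out as the server-side policy a bank backend would apply. This is an added example, not code from CloudSEK, Zimperium or any cited report; it assumes the verdict JSON has already been decrypted and signature-checked through Google's decodeIntegrityToken call, and the package id, certificate digest and nonce are constructed values.

```python
import time

# Assumed values for this example: our app's package id and the base64url
# SHA-256 of its Play signing certificate (both constructed, not real).
EXPECTED_PACKAGE = "com.example.bankapp"
EXPECTED_CERT_DIGEST = "6a6a6a6a6a6a6a6a6a6a6a6a6a6a6a6a6a6a6a6a6a6"
MAX_AGE_MS = 5 * 60 * 1000  # reject verdicts older than five minutes

def evaluate_verdict(verdict, issued_nonce, now_ms=None):
    """Server-side policy over a decoded Play Integrity verdict.

    Returns (accepted, reason). Assumes `verdict` is the JSON payload
    already decrypted and signature-checked via decodeIntegrityToken;
    this function only enforces policy on its fields.
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})
    # 1. Bind the verdict to the nonce this server issued (anti-replay).
    if req.get("nonce") != issued_nonce:
        return False, "nonce mismatch"
    # 2. Freshness: a replayed or clock-skewed verdict is rejected.
    ts = int(req.get("timestampMillis", 0))
    if ts > now_ms or now_ms - ts > MAX_AGE_MS:
        return False, "stale or future timestamp"
    # 3. Identity: the verdict must be about our package, installed from
    #    Play and signed with our certificate (catches sideloaded/repackaged).
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        return False, "package name mismatch"
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False, "app not recognized by Play"
    if EXPECTED_CERT_DIGEST not in app.get("certificateSha256Digest", []):
        return False, "signing certificate mismatch"
    # 4. Device bar: require MEETS_STRONG_INTEGRITY, not merely basic/device.
    #    Rooted or hooked devices (e.g. an LSPosed module) do not reach it.
    labels = set(dev.get("deviceRecognitionVerdict", []))
    if "MEETS_STRONG_INTEGRITY" not in labels:
        return False, "device integrity too weak: " + ",".join(sorted(labels))
    return True, "ok"

def sample_verdict(device_labels, nonce, ts_ms):
    """Build a constructed verdict payload in the documented field layout."""
    return {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE,
                           "nonce": nonce, "timestampMillis": str(ts_ms)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                         "packageName": EXPECTED_PACKAGE,
                         "certificateSha256Digest": [EXPECTED_CERT_DIGEST],
                         "versionCode": "42"},
        "deviceIntegrity": {"deviceRecognitionVerdict": list(device_labels)},
    }
```

A device that only reaches MEETS_BASIC_INTEGRITY or MEETS_DEVICE_INTEGRITY is refused, which is the bar the SIM-binding bypass described above is meant to fail.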