77 malicious apps removed from Google Play Store

Google has removed 77 malicious apps from the Google Play Store. Before they were removed, researchers at ThreatLabz discovered the apps had been installed over 19 million times. One of the malware families discovered by the researchers is a banking Trojan known as Anatsa or TeaBot. This banking...

AI browsers could leave users penniless: A prompt injection warning

Artificial Intelligence AI browsers are gaining traction, which means we may need to start worrying about the potential dangers of something called "prompt injection." Large language models LLMs—like the ones that power AI chatbots including ChatGPT, Claude, and Gemini—are designed to follow...

A week in security (August 18 – August 24)

Last week on Malwarebytes Labs: Clickjack attack steals password managers’ secrets Grok chats show up in Google searches All Apple users should update after company patches zero-day vulnerability in all platforms Google settles YouTube lawsuit over kids’ privacy invasion and data collection...

How a scam hunter got scammed (Lock and Code S06E17)

This week on the Lock and Code podcast… If there’s one thing that scam hunter Julie-Anne Kearns wants everyone to know, it is that no one is immune from a scam. And she would know—she fell for one last year. For years now, Kearns has made a name for herself on TikTok as a scam awareness and...

Clickjack attack steals password managers’ secrets

Sometimes it can seem as though everything's toxic online, and the latest good thing turned bad is here: Browser pop-ups that look like they're trying to help or authenticate you could be programmed to steal data from your password manager. To make matters worse, most browser extension-based...

Grok chats show up in Google searches

I’m starting to feel like a broken record, but I feel you should know that yet another AI has been found sharing private conversations so that Google was able to index them, and now they can be found in search results. It’s déjà vu in the world of AI: another day, another exposé about chatbot...

All Apple users should update after company patches zero-day vulnerability in all platforms

Apple has released security updates for iPhones, iPads and Macs to fix a zero-day vulnerability a vulnerability which Apple was previously unaware of that is reportedly being used in targeted attacks. The updates cover: iOS 18.6.2 and iPadOS 18.6.2 iPhone XS and later, iPad Pro 13-inch, iPad Pro...

Google settles YouTube lawsuit over kids’ privacy invasion and data collection

Google has agreed to a $30 million settlement in the US over allegations that it illegally collected data from underage YouTube users for targeted advertising. The lawsuit claims Google tracked the personal information of children under 13 without proper parental consent, which is a violation of...

AI-powered stuffed animals: A good alternative for screen time?

Are AI Artificial Intelligence-powered stuffed animals really the best alternative to screen time that we want to offer our children? Some AI startups think so. One of those startups is Curio, a company that describes itself as “a magical workshop where toys come to life.” Curio offers three...

How to spot the latest fake Gmail security alerts

Security alerts from tech companies are supposed to warn us when something might be amiss—but what if the alerts themselves are the risk? Scammers have long impersonated tech companies' security and support staff as a way to sniff out users' login credentials, and reports suggest that they're doi...

Instagram Map: What is it and how do I control it?

Instagram Map is a new feature—for Instagram, anyway—that users may have enabled without being fully aware of the consequences. The Map feature launched in the US on August 6, 2025, and is reportedly planned for a global rollout "soon." As of mid-August 2025, not all users outside the US,...

A week in security (August 11 – August 17)

Last week on Malwarebytes Labs: Italian hotels breached for tens of thousands of scanned IDs National Public Data returns after massive Social Security Number leak Romance scammers in Ghana charged with more than $100 million in theft Netflix scammers target jobseekers to trick them into handing...

Italian hotels breached for tens of thousands of scanned IDs

The Computer Emergency Response Team CERT for Italy's "Agenzia per l’Italia Digitale" AGID issued a warning that cybercriminals are selling stolen identity documents from hotels operating in Italy. This summer, a criminal hacker group named “mydocs” infiltrated the booking systems of at least ten...

National Public Data returns after massive Social Security Number leak

Remember that data broker nobody had ever heard of, but managed to leak a database which contained the data of some 2.9 billion people? It's back, and this time with a search function. National Public Data suffered an alleged breach in 2024 against a data base that, it turned out, carried 272...

Romance scammers in Ghana charged with more than $100 million in theft

The Department of Justice DOJ extradited and indicted 4 Ghanaian nationals for allegedly stealing more than $100 million, mainly through romance scams and business email compromises. According to a report from Comparitech, nearly 59,000 Americans fell victim to romance scams in 2024, losing an...

Netflix scammers target jobseekers to trick them into handing over their Facebook logins

In what seems a phishing attack targeted at a certain audience, scammers are impersonating Netflix and reaching out to marketing staff. The initial mail looks like what you might expect from a headhunter or a human resources HR recruitment specialist. "I hope this note finds you well," the email...

Russians hacked US courts, say investigators

Russia is after secret files in the US court system, according to reports this week—and its hackers appear to have reached at least some of them. Last week, news broke of a successful cyberattack against the decades-old US court filing system. Called Case Management/Electronic Case Files CM/ECF,...

Microsoft patches some very important vulnerabilities in August’s patch Tuesday

In the August 2025 patch Tuesday round Microsoft fixed a total of 111 Microsoft vulnerabilities. A few of them are very important for people to apply. Even if you’re not a tech expert, keeping your Windows system up to date is one of the simplest and most effective ways to protect yourself from...

WinRAR vulnerability exploited by two different groups

On July 30, 2025, WinRAR released a new version 7.13 Final to patch a vulnerability which was used in two separate malware campaigns. WinRAR is a popular file archiving and data compression tool that allows users to compress files into smaller archives, like RAR and ZIP, and can also unpack vario...

Scam hunter scammed by tax office impersonators

The next time you shake your head at another online scam and vow that you'd never fall for it, remember that even the most tech-savvy people can sometimes slip up. A case in point: Julie-Anne Kearns. This self-made scam-hunter told her story to the Guardian last week, revealing how she had been...

That “Amazon Safety Recall” message may well be a scam

Scammers are using the age old tactic of scaring victims into clicking by sending out fake product recall messages from Amazon. The text message tells you that the item does not meet Amazon’s standards, and tries to install some urgency by claiming it is not safe to use. It also includes a link...

“The worst thing” for online rights: An age-restricted grey web (Lock and Code S06E16)

This week on the Lock and Code podcast … The internet is cracking apart. It’s exactly what some politicians want. In June, a Texas law that requires age verification on certain websites withstood a legal challenge brought all the way to the US Supreme Court. It could be a blueprint for how the...

Online portal exposed car and personal data, allowed anyone to remotely unlock cars

A carmaker’s online dealership portal has been found leaking the private information and vehicle data of its customers. This also meant that anyone with access could remotely break into a car. Researcher Eaton Zveare shared his discovery with TechCrunch. Although he said he has chosen not to...

A week in security (August 4 – August 10)

Last week on Malwarebytes Labs: Adult sites trick users into Liking Facebook posts using a clickjack Trojan Facebook users targeted in ‘login’ phish TeaOnHer, the male version of Tea, is leaking personal information on its users too How Google, Adidas, and more were breached in a Salesforce scam...

Adult sites trick users into Liking Facebook posts using a clickjack Trojan

As the use of age verification to access adult websites increases in various countries around the world, shady websites with adult content have started a timely malware-fueled campaign to promote links to their own websites. During our daily rounds on Facebook, looking for the latest scams, we...

Facebook users targeted in ‘login’ phish

A few weeks ago we warned our readers of a phishing campaign targeting Instagram users that didn’t resort to the usual links to phishing websites, but used mailto: links instead. Now, it seems that these scammers have turned their attention to Facebook users. It works like this: The target receiv...

TeaOnHer, the male version of Tea, is leaking personal information on its users too

Last week we reported about some serious leaks in Tea Dating Advice, an app that provides a space for women to exchange information about men they know, have met, or have dated in the past. The app aims to provide a platform where people can share relevant information about, say, potentially...

How Google, Adidas, and more were breached in a Salesforce scam

At the heart of multiple data breaches against sophisticated and robust companies, including Google, Adidas, Louis Vuitton, and Chanel, was a rudimentary attack method that required little technical finesse—making a phone call. By disguising themselves as IT support personnel on the phone, hacker...

Meta accessed women’s health data from Flo app without consent, says court

A jury has ruled that Meta accessed sensitive information from a woman's reproductive health tracking app without consent. The app in question is called Flo Health. Developed in 2015 in Belarus to track menstrual cycles, it has evolved over the years as a tracking app for highly detailed, intimat...

Malwarebytes earns MRG Effitas Android 360° Certificate for mobile threat detection

We’re excited to announce that MRG Effitas, a globally recognized security assessment firm, has awarded Malwarebytes the prestigious MRG Effitas Android 360° Certificate, one of the toughest independent tests in mobile security. Our mobile protection received the highest marks, achieving a...

Weight loss scams, or why ‘Jodie Foster’ wants me to lose weight

It seems like it's hard to move on social media without some kind of mention of weight-loss injections these days. And, sure, these drugs can have a positive affect for many people, but not all these cases of weight loss are real, nor are the people promoting them who they say they are. Weight-lo...

Perplexity AI ignores no-crawling rules on websites, crawls them anyway

Imagine putting up a no-trespassing sign for people walking their dogs, and then finding out that one person dresses up their Great Dane as a calf and walks it on your grounds. Well that's sort of what AI answer engine Perplexity has been doing, by evading the no-crawl directives of websites,...

Critical Android vulnerabilities patched—update as soon as you can

Google has patched six vulnerabilities in Android, including two critical vulnerabilities in its August 2025 Android Security Bulletin. It also covers a critical vulnerability which could have allowed an attacker to execute code on a victim's device without the victim needing to do anything at al...

Alleged ‘tap-in’ scammer advertised services on social media

Would you give a complete stranger your credit card in return for the promise of easy money? No, neither would we. But apparently well over a hundred people did. Hillsborough County Sheriff's Office arrested 24 year-old Janetcilize Martinez in Tampa, FL, for allegedly using willing participants'...

Unexpected snail mail packages are being sent with scammy QR codes, warns FBI

Receiving an unexpected package in the post is not always a pleasant surprise. The FBI has warned the public about unsolicited packages containing a QR code which leads to a website aimed at stealing personal data or downloading malware to the victim's device. The packages are often shipped witho...

A week in security (July 28 – August 3)

Last week on Malwarebytes Labs: Apple ID scam leads to $27,000 in-person theft of Ohio man OpenAI kills "short-lived experiment" where ChatGPT chats could be found on Google Trump Administration and Big Tech want you to share your health data Prison visitor details shared with all inmates at...

Apple ID scam leads to $27,000 in-person theft of Ohio man

You've probably heard about people scamming from halfway around the world, but sometimes they turn up at your door. That's what happened in May, when 67 year-old Robert Wise of Ohio received a text telling him that his Apple ID had been compromised. It had been used at an Apple store for a $213...

OpenAI kills “short-lived experiment” where ChatGPT chats could be found on Google

A little-known ChatGPT "feature" is now gone. It could be a good thing. On X, OpenAI Chief Information Security Officer Dane Stuckey announced that OpenAI "removed a feature from ChatGPT that allowed users to make their conversations discoverable by search engines, such as Google." Stuckey called...

Trump Administration and Big Tech want you to share your health data

US President Donald Trump announced a loose plan Wednesday to allow Americans to voluntarily upload and port their medical records across hospitals, clinics, technology companies, and health apps, with broad participation from Google, Apple, OpenAI, Amazon, and more. While the system could help...

Prison visitor details shared with all inmates at correctional facility

The Everglades Correctional Institution ECI in Miami-Dade County has leaked the names, email addresses, and telephone numbers of visitors to the facility to every inmate. The inmates received an email last week sent by a staff member that included the personal information of the visitors. Inmates...

That seemingly innocent text is probably a scam

A special thanks to all the people at Malwarebytes and ThreatDown for sharing the text messages they received from scammers. Many of us have received texts like these. Often super short, some flirty, some with a business tone, or sometimes just a simple ‘hello.’ You don't know the sender, and the...

VPN use rises following Online Safety Act’s age verification controls

As the UK's Online Safety Act came into effect on Friday—along with its age verification controls—the use of virtual private network VPN services has skyrocketed by up to 20-fold across the region. Top10VPN, which monitors VPN traffic around the world, spotted UK VPN traffic spiking 1,327% on Jul...

VPN use rises following Online Safety Act’s age verification controls

As the UK's Online Safety Act came into effect on Friday—along with its age verification controls—the use of virtual private network VPN services has skyrocketed by up to 20-fold across the region. Top10VPN, which monitors VPN traffic around the world, spotted UK VPN traffic spiking 1,327% on Jul...

Apple patches multiple vulnerabilities in iOS and iPadOS. Update now!

Apple released a security update for iOS and iPadOS to patch multiple vulnerabilities, including one that could leak sensitive information when visiting a malicious website and one that allows an attacker to display false information in the address bar. In total, 29 vulnerabilities were patched,...

Tea Dating Advice app has users’ private messages disclosed

A few days after Tea Dating Advice discovered unauthorized access to one of its systems that leaked 72,000 user images, the popular mobile app faced a second issue involving a separate database, as a researcher reported to 404Media that they were able to access private conversations. Tea Dating...

Allianz Life says majority of 1.4 million US customers’ info breached

Insurance company Allianz Life was breached, exposing the data of most of its 1.4 million American customers. According to Allianz, an attacker gained access to a third-party, cloud-based Customer Relationship Management CRM system through social engineering. The company filed a data breach...

How the FBI got everything it wanted (re-air) (Lock and Code S06E15)

This week on the Lock and Code podcast… For decades, digital rights activists, technologists, and cybersecurity experts have worried about what would happen if the US government secretly broke into people’s encrypted communications. The weird thing, though, is that, in 2018, it already happened...

How the FBI got everything it wanted (re-air) (Lock and Code S06E15)

This week on the Lock and Code podcast… For decades, digital rights activists, technologists, and cybersecurity experts have worried about what would happen if the US government secretly broke into people’s encrypted communications. The weird thing, though, is that, in 2018, it already happened...

A week in security (July 21 – July 27)

A list of topics we covered in the week of July 21 to July 27 of 2025 Last week on Malwarebytes Labs: Steam games abused to deliver malware once again Watch out: Instagram users targeted in novel phishing campaign Age verification: Child protection or privacy risk? iPhone vs. Android: iPhone user...

Steam games abused to deliver malware once again

A cybercriminal known as EncryptHub aka Larva-208 has reportedly abused the online game platform Steam to distribute information stealers. EncryptHub managed to sneak malicious files into the Chemia game files hosted on Steam. Chemia is an adventurous survival type of game that puts the player in...